Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Regular "Client doesn't support configured EAP methods" in ClearPass

  • 1.  Regular "Client doesn't support configured EAP methods" in ClearPass

    Posted 11 hours ago

    We sometimes get failed 802.1x authentications for wired clients. And because they're configured to only do one authentication attempt, they get put into the remediation VLAN per MAC authentication policy afterwards. They'll automagically try authenticating a few minutes later, and then they'll succeed.

    So far I can't really reproduce it, but I'm seeing it happen with multiple clients throughout our sites in Europe. Screenshot attached.

    Alert on failed authentication: EAP: Client doesn't support configured EAP methods
    Log: ERROR RadiusServer.Radius - rlm_eap: Client doesn't support any method that we require. Rejecting client.

    One difference in the logs I'm spotting is the Authentication:Outermethod. On failed attempts it just says 'EAP', whereas it's EAP-TLS on succeeded attempts. Although I can imagine that's just because it wasn't able to negotiate EAP-TLS. 

    I can't really think of config that would cause this behaviour. All clients get their 802.1x config from GPO, which is pretty straightforward computer authentication using certificates. The switches are Cisco 2960X. Pretty basic 802.1x deployment. ClearPass version is 6.12.1.

    Anyone got an idea to point me in the right direction?



  • 2.  RE: Regular "Client doesn't support configured EAP methods" in ClearPass

    Posted 5 hours ago

    Hi

    As you mention "clients in Europe" I get a feeling you are a global organization and mainly located in the US, is this correct?

    RADIUS is not very sensitive to latency, but if you have high latency between the client and the ClearPass server you may start to get random timeouts. I have worked with customers running ClearPass servers in both Europe and US with "the other side" as secondary. In most cases it has been working well.

    Can you describe your ClearPass setup, and your overall design of the network, in more detail? What latency do you have between clients and ClearPass?

    I have seen a tech note or other document several years ago where they had performed authentication tests with different latency and reported on the number of timeouts. But I can't find it now.

    The issue you are describing can also be a result of lost packets. Do you see any packet drops between ClearPass and the clients?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------