It sounds like a very similar setup to my environment. I didn't have much luck with TAC, so I spoke with our pre-sales engineer who put me in touch with a higher level engineer. They suggested breaking out the service into two, similar to how you are thinking. I haven't had a chance to test it further.
Original Message:
Sent: Mar 20, 2024 09:06 AM
From: pmonardo
Subject: Using EAP-TEAP and EAP-TLS on the same service
Running into exactly the same error.
It seems to point to using the endpoints repository as the culprit.
Since my service is configured for TEAP (TLS both methods) and we are also doing InTune checks for iPads who use TLS.
The InTune extension syncs with the endpoints repository so it is added as an auth source. Cannot add InTune as an auth source right now.
As soon as I remove the endpoints repository as an auth source, my Windows client starts working again.
May have to separate the service and add a condition to check the IETF user-name as anonymous or teap (configured for teap currently) and simply reuse the same role mapping and enforcement policies.
------------------------------
Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
Original Message:
Sent: Sep 13, 2023 07:19 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Thanks for everyone's help, I managed to solve the issue. I'm not sure why but I had Endpoints Repository as an Authentication Source. Once removed I had no further issues.
I'm still confused as to why it only caused an issue when I added EAP TLS as an Authentication Method. I would have thought it would cause an issue either way.
Original Message:
Sent: 9/13/2023 3:43:00 PM
From: mattAruba
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Couple of things to check:
- Here outer identity is anonymous. Is there an actual user account named "anonymous" in the auth sources configured for the service?
- Can you double check the supplicant configuration to check if the trust is set up correctly? Recently heard about someone who ran into similar error and after working with TAC, problem was with the trusted root CA selection on supplicant. I would expect the error message to point out trust issues clearly, so I am not fully convinced that was the real root cause but worth double checking.
Original Message:
Sent: Sep 12, 2023 07:23 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Hi Herman,
My test Windows 11 client is configured for EAP-TEAP and should be using EAP-TEAP to authenticate. The issue only happens when I add EAP-TLS as an Authentication Method. I found the client has the same behaviour regardless of the order of the EAP-TEAP and EAP-TLS methods.
I might try contacting TAC.
Thanks.
Original Message:
Sent: 9/12/2023 8:31:00 AM
From: Herman Robers
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Here is a client connecting with EAP-TLS on the SSID that I showed the service for:
That client is a Windows 10, not Win11; but that should not make a big difference. From the logs it looks like the client is attempting TEAP, not EAP-TLS, and it is the client that decides which authentication method to use.
One other approach would be to split up the services into two. You can do that by filtering on the anonymous username that you can set for TEAP:
Radius:IETF | User-Name | BELONGS_TO | anonymous,teap |
But EAP-TLS and TEAP in one service should just work...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 11, 2023 10:22 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Hi Herman,
I have similar methods but no EAP-PEAP:
1. EAP TLS (using OCSP)
2. EAP TEAP (both using EAP-TLS)
If I remove the EAP TLS and just use EAP TEAP, my test device (Windows 11) connects fine with both methods being successful (Computer + User).
When I have EAP TLS above EAP TEAP, I get the following error message for the same test device:
eap-teap: Method 1 failed for transaction
eap-teap: Method 1 failed for transaction
eap-teap: Conflicting identities 'anonymous' and 'host/<ComputerName>.domain' in the request
TLS session reuse error
Any thoughts?
Thanks.
Original Message:
Sent: 9/11/2023 11:28:00 AM
From: Herman Robers
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Yes, should work. Here is the configuration that I have, it even has PEAP enabled in the same service/SSID in addition to TLS and TEAP.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Sep 08, 2023 05:11 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
I'll try to get some screenshots but are you saying this is theoretically possible? And should work?
Original Message:
Sent: 9/8/2023 10:16:00 AM
From: bd_87
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Can you reply with some screenshots? It almost seems like maybe the client is trying EAP-PEAP instead of EAP-TLS?
Screenshots of the client SSID config and of the ClearPass service would be a big help.
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 08, 2023 01:35 AM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Is there a way to have EAP-TEAP and EAP-TLS co-exist on the same service?
I have been testing EAP-TEAP on wireless and have it successfully working. Both methods are EAP-TLS. If I then enable EAP-TLS on the same service, clients that only use EAP-TLS do not connect and show the following alert "EAP: Client doesn't support configured EAP methods".
I have clients that don't support EAP-TEAP (i.e. iPads and MacBooks) and do not want to use a separate SSID. Furthermore, I'm also testing EAP-TEAP for wired authentication and would like the MacBooks to fall back to EAP-TLS.