Here is a client connecting with EAP-TLS on the SSID that I showed the service for:

That client is Windows 10, not Win11, but that should not make a big difference. From the logs it looks like the client is attempting TEAP, not EAP-TLS, and it is the client that decides which authentication method to use.
One other approach would be to split up the services into two. You can do that by filtering on the anonymous username that you can set for TEAP:
Radius:IETF | User-Name | BELONGS_TO | anonymous,teap
But EAP-TLS and TEAP in one service should just work...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
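
The method negotiation behind "the client decides", as an added example that is not part of the original posts and is not ClearPass code: a simplified model of RFC 3748 Legacy Nak handling with both sides' packets. The function names, the honour-one-Nak server policy and the client method lists are assumptions made for illustration; EAP-TLS flags and the inner TEAP methods are left out.

```python
import struct

# EAP codes and method type numbers (RFC 3748 and the IANA EAP registry)
REQUEST, RESPONSE = 1, 2
NAK, EAP_TLS, PEAP, TEAP = 3, 13, 25, 55
NAMES = {EAP_TLS: "EAP-TLS", PEAP: "PEAP", TEAP: "TEAP"}


def eap_packet(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet into (code, identifier, type, type_data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("EAP length field does not match packet size")
    body = pkt[4:length]
    return code, ident, (body[0] if body else None), body[1:]


def client_reply(request, supported):
    """Supplicant side: accept the proposed method, or Nak with its own list."""
    _, ident, proposed, _ = parse_eap(request)
    if proposed in supported:
        return eap_packet(RESPONSE, ident, proposed)
    # A Nak carries the desired method types; a single 0 means "no alternative".
    return eap_packet(RESPONSE, ident, NAK, bytes(supported) or b"\x00")


def negotiate(service_methods, client_methods):
    """Server side (assumed policy): propose the first method, honour one Nak."""
    request = eap_packet(REQUEST, 1, service_methods[0])
    _, _, rtype, rdata = parse_eap(client_reply(request, client_methods))
    if rtype != NAK:
        return NAMES[rtype]
    # Pick the first method the client asked for that the service also enables.
    for wanted in rdata:
        if wanted in service_methods:
            return NAMES[wanted]
    return None  # no overlap: the conversation ends in EAP-Failure


if __name__ == "__main__":
    # Constructed clients: one TEAP-only supplicant, one EAP-TLS-only supplicant.
    print(negotiate([EAP_TLS, TEAP], [TEAP]))     # TEAP, after a Nak
    print(negotiate([TEAP, EAP_TLS], [EAP_TLS]))  # EAP-TLS, after a Nak
```
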
Original Message:
Sent: Sep 11, 2023 10:22 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Hi Herman,
I have similar methods but no EAP-PEAP:
1. EAP TLS (using OCSP)
2. EAP TEAP (both using EAP-TLS)
If I remove the EAP TLS and just use EAP TEAP, my test device (Windows 11) connects fine with both methods being successful (Computer + User).
When I have EAP TLS above EAP TEAP, I get the following error message for the same test device:
eap-teap: Method 1 failed for transaction
eap-teap: Method 1 failed for transaction
eap-teap: Conflicting identities 'anonymous' and 'host/<ComputerName>.domain' in the request
TLS session reuse error
Any thoughts?
Thanks.
Original Message:
Sent: 9/11/2023 11:28:00 AM
From: Herman Robers
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Yes, should work. Here is the configuration that I have, it even has PEAP enabled in the same service/SSID in addition to TLS and TEAP.

Original Message:
Sent: Sep 08, 2023 05:11 PM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
I'll try to get some screenshots but are you saying this is theoretically possible? And should work?
Original Message:
Sent: 9/8/2023 10:16:00 AM
From: bd_87
Subject: RE: Using EAP-TEAP and EAP-TLS on the same service
Can you reply with some screenshots? It almost seems like maybe the client is trying EAP-PEAP instead of EAP-TLS?
Screenshots of the client SSID config and of the ClearPass service would be a big help.
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 08, 2023 01:35 AM
From: hammertim
Subject: Using EAP-TEAP and EAP-TLS on the same service
Is there a way to have EAP-TEAP and EAP-TLS co-exist on the same service?
I have been testing EAP-TEAP on wireless and have it successfully working. Both methods are EAP-TLS. If I then enable EAP-TLS on the same service, clients that only use EAP-TLS do not connect and show the following alert "EAP: Client doesn't support configured EAP methods".
I have clients that don't support EAP-TEAP (i.e. iPads and MacBooks) and do not want to use a separate SSID. Furthermore, I'm also testing EAP-TEAP for wired authentication and would like the MacBooks to fall back to EAP-TLS.