Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x EAP-TLS

  • 1.  802.1x EAP-TLS

    Posted Feb 17, 2020 05:51 AM

    Hi all,

    Having an issue getting a windows client to perform EAP-TLS to a 5412R switch.

    Aruba TAC have verified that the switch setup is OK, but I can't seem to get the device to initiate the EAP-TLS process. I've enabled debugging on the switch, but the buffer only shows lots of:

    0153:08:18:57.68 PSEC eDrvPoll:incoming mac xxxxxx-xxxxx on port I7 for vlan
    120 rejected by portsec demux. wma does not want this pkt.

    Any ideas why I can't get this to work?



  • 2.  RE: 802.1x EAP-TLS

    EMPLOYEE
    Posted Feb 17, 2020 05:58 AM

    A windows device requires the Wired Zero Configuration service to be enabled and running to do wired 802.1x



  • 3.  RE: 802.1x EAP-TLS

    Posted Feb 17, 2020 06:37 AM

    Hi, yes, the Wired AutoConfig service is running.

    I'm seeing this, but the timestamp seems to be way out:

    0153:09:48:21.95 1X m8021xCtrl:Port I7: connection detected.
    0153:09:48:22.38 1X m8021xCtrl:Port I7: added new clientXXXXXX-XXXXXX.
    0153:09:48:22.38 1X m8021xCtrl:Port I7: received EAPOL Start from XXXXXX-XXXXXX.
    0153:09:48:22.38 1X m8021xCtrl:Port I7: sent ReqId #1 to XXXXXX-XXXXXX.
    0153:09:48:51.88 1X m8021xCtrl:Port I7: sent ReqId #1 to XXXXXX-XXXXXX.

    And no event in CPPM.

    The device is a Dell using a media converter for an Ethernet connection.



  • 4.  RE: 802.1x EAP-TLS

    Posted Feb 17, 2020 08:57 AM
    Are you seeing anything in Event Viewer? Make sure the RADIUS key matches.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: 802.1x EAP-TLS

    Posted Feb 17, 2020 08:59 AM

    Nothing in the CPPM event viewer; however, the Windows Event Viewer says "user certificate required for the network can't be found on this computer".



  • 6.  RE: 802.1x EAP-TLS

    Posted Feb 17, 2020 09:14 AM

    I'm beginning to suspect that the customer hasn't deployed certs for the devices, but not being a Windows/GP expert I'm not sure where to point and say "that's where you need to configure for EAP-TLS, certs etc."



  • 7.  RE: 802.1x EAP-TLS

    Posted Feb 17, 2020 10:19 AM
    They need to deploy AD CS, configure the necessary cert templates and push a group policy to do certificate auto-enrollment for domain devices.

    If the customer has already done that, then you should be able to validate whether the device has a cert using certmgr.msc under Personal certificates.

    But if you have MAC authentication enabled on the port, you should be able to see the MAC auth request if the 802.1X auth is not initiated by the client.





    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 8.  RE: 802.1x EAP-TLS

    Posted Feb 18, 2020 04:49 AM

    Thanks for all the replies. Under the connection properties, instead of "User or computer authentication" under "Specify authentication mode", I selected "Computer authentication" only.

    The first setting normally works, but it seemed that for some reason the device could not select the correct cert.

    All working now.
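The three things the replies above point at (reply 2: the Wired AutoConfig service; reply 7: a machine certificate in the computer's Personal store; reply 8: the "Specify authentication mode" setting) can be checked from the client without clicking through the GUI. The script below is an added example, not code from the thread, HPE Aruba or Microsoft; it is read-only and is meant to be run in an elevated PowerShell on the Windows supplicant. The EKU OID, the export folder and the mapping of XML values to the GUI wording are stated in comments; the profile XML element names and namespaces are those Windows writes with `netsh lan export profile`.

```powershell
# Added example: read-only EAP-TLS readiness checks for a wired Windows 802.1X client.
# Run from an elevated PowerShell. Nothing here changes configuration.

# id-kp-clientAuth: the EKU an EAP-TLS supplicant certificate must carry (or have no EKU at all)
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'

function Test-WiredAutoConfig {
    # Reply 2: wired 802.1X needs the Wired AutoConfig service (service name dot3svc) running.
    $svc = Get-Service -Name dot3svc -ErrorAction Stop
    [pscustomobject]@{
        Service   = $svc.DisplayName
        Status    = $svc.Status
        StartType = $svc.StartType
        Ok        = ($svc.Status -eq 'Running')
    }
}

function Get-MachineEapTlsCertificate {
    # Reply 7: the scripted equivalent of opening the computer certificate store and looking
    # under Personal. "Computer authentication" only ever consults Cert:\LocalMachine\My,
    # so a cert that auto-enrolled into the *user's* store will not satisfy it.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now -and
            # A certificate with no EKU extension is valid for any purpose, so accept that too.
            ($_.EnhancedKeyUsageList.Count -eq 0 -or
             $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            # Verify() builds the chain against the local trusted roots; ClearPass must
            # separately trust the issuing CA, which this cannot tell you.
            @{ Name = 'ChainsToTrustedRoot'; Expression = { $_.Verify() } }
}

function Get-WiredOneXAuthMode {
    # Reply 8: the "Specify authentication mode" drop-down is persisted as <authMode>
    # in the wired profile XML. Mapping to the GUI wording:
    #   machineOrUser -> "User or computer authentication"
    #   machine       -> "Computer authentication"   (the value that resolved the thread)
    #   user          -> "User authentication"
    # EAP method type 13 is EAP-TLS.
    param([string]$ExportFolder = (Join-Path $env:TEMP 'lanprofiles'))  # assumed scratch folder

    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    netsh lan export profile folder="$ExportFolder" | Out-Null

    Get-ChildItem -Path $ExportFolder -Filter *.xml | ForEach-Object {
        [xml]$xml = Get-Content -Path $_.FullName
        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('lan',  'http://www.microsoft.com/networking/LAN/profile/v1')
        $ns.AddNamespace('onex', 'http://www.microsoft.com/networking/OneX/v1')
        [pscustomobject]@{
            Profile     = $_.BaseName   # export names files after the interface
            OneXEnabled = $xml.SelectSingleNode('//lan:OneXEnabled', $ns).InnerText
            AuthMode    = $xml.SelectSingleNode('//onex:authMode', $ns).InnerText
            EapType     = $xml.SelectSingleNode('//onex:EAPConfig//*[local-name()="Type"]', $ns).InnerText
        }
    }
}

# Usage: run the three checks in the order the thread worked through them.
Test-WiredAutoConfig | Format-List
Get-MachineEapTlsCertificate | Format-Table -AutoSize
Get-WiredOneXAuthMode | Format-Table -AutoSize
```

If the first check reports `Ok = False`, nothing else matters yet. If the second returns no rows, the symptom in reply 5 ("user certificate required for the network can't be found") is expected and auto-enrollment into the computer store is the fix. If a cert is present but `AuthMode` is `machineOrUser` and the interface never gets past ReqId on the switch, compare against `machine`, which is the change reply 8 made.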