Contributor I

802.1x EAP-TLS

Hi all,

Having an issue getting a windows client to perform EAP-TLS to a 5412R switch.

Aruba TAC have verified that the switch setup is OK but I can't seem to get the device to initiate the EAP-TLS process. I've enabled debugging on the switch but the buffer only shows lots of:

0153:08:18:57.68 PSEC eDrvPoll:incoming mac xxxxxx-xxxxx on port I7 for vlan 120 rejected by portsec demux. wma does not want this pkt.

Any ideas why I can't get this to work?

Guru Elite

Re: 802.1x EAP-TLS

A Windows device requires the Wired AutoConfig service to be enabled and running to do wired 802.1X.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor I

Re: 802.1x EAP-TLS

Hi, yes, the Wired AutoConfig service is running.

I'm seeing this, but the timestamp seems to be way out:

0153:09:48:21.95 1X m8021xCtrl:Port I7: connection detected.
0153:09:48:22.38 1X m8021xCtrl:Port I7: added new clientXXXXXX-XXXXXX.
0153:09:48:22.38 1X m8021xCtrl:Port I7: received EAPOL Start from XXXXXX-XXXXXX.
0153:09:48:22.38 1X m8021xCtrl:Port I7: sent ReqId #1 to XXXXXX-XXXXXX.
0153:09:48:51.88 1X m8021xCtrl:Port I7: sent ReqId #1 to XXXXXX-XXXXXX.

And no event in CPPM.

The device is a Dell using a media converter for an Ethernet connection.

MVP Expert

Re: 802.1x EAP-TLS

Are you seeing anything in Event Viewer? Make sure the RADIUS key matches.



Thank you

Victor Fabian

Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I

Re: 802.1x EAP-TLS

Nothing in the CPPM event viewer; however, the Windows Event Viewer says "user certificate required for the network can't be found on this computer".

Contributor I

Re: 802.1x EAP-TLS

I'm beginning to suspect that the customer hasn't deployed certs for the devices, but not being a Windows/GP expert I'm not sure where to point and say "that's where you need to configure for EAP-TLS, certs etc."

MVP Expert

Re: 802.1x EAP-TLS

They need to deploy AD CS, configure the necessary cert templates and push a group policy to do certificate auto-enrollment for domain devices.

If the customer has already done that, then you should be able to validate that the device has a cert using certmgr.msc under Personal certificates.

But if you have MAC authentication enabled on the port, you should be able to see the MAC auth request if the 802.1X auth is not initiated by the client.
Contributor I

Re: 802.1x EAP-TLS

Thanks for all the replies. Under the connection properties, instead of "Computer or User authentication" under "Specify authentication mode", I selected "Computer authentication" only.

The first setting normally works but it seemed that for some reason the device could not select the correct cert.

All working now.
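The checks suggested in this thread (Wired AutoConfig running, a machine certificate present and chaining to a trusted root, the wired profile's authentication mode, and the supplicant's own event log) can be collected from the client in one pass. The script below is an added example written for this page; it is not from any poster, Aruba, or HPE, and uses only standard Windows cmdlets and netsh. The adapter name `Ethernet` and the export folder `C:\Temp` are assumptions; adjust them to the client.

```powershell
# Added diagnostic for a Windows wired EAP-TLS supplicant; not from the thread.
# Assumptions: the wired adapter is named "Ethernet" and C:\Temp exists.
$InterfaceName = 'Ethernet'
$ExportFolder  = 'C:\Temp'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU

# 1. Wired AutoConfig (dot3svc) must be running or the supplicant never answers
#    the switch's EAP Request/Identity, which matches the repeated "sent ReqId" log.
$svc = Get-Service -Name dot3svc
"dot3svc status: $($svc.Status) (StartType: $($svc.StartType))"
if ($svc.Status -ne 'Running') {
    Write-Warning 'Wired AutoConfig is not running; wired 802.1X will not start.'
}

# 2. Computer authentication selects from the machine store. A usable certificate
#    needs a private key, must be time-valid, must carry the Client Authentication
#    EKU (or no EKU at all), and must chain to a root the device trusts.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ( -not $_.EnhancedKeyUsageList -or
      $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid )
}
if (-not $candidates) {
    Write-Warning 'No client-auth certificate with a private key in LocalMachine\My; check AD CS auto-enrollment.'
}
foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        ChainBuilds = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# 3. Report the authentication mode the wired profile actually uses. The fix in the
#    thread was switching from "Computer or User" to "Computer" authentication.
#    netsh writes the profile as an XML file; the newest XML in the folder is read.
netsh lan export profile folder="$ExportFolder" interface="$InterfaceName" | Out-Null
$profileFile = Get-ChildItem -Path $ExportFolder -Filter '*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($profileFile) {
    [xml]$profileXml = Get-Content -Path $profileFile.FullName
    $authMode = $profileXml.SelectNodes('//*[local-name()="authMode"]') |
        ForEach-Object { $_.InnerText }
    "Wired profile authMode: $authMode"
}

# 4. The supplicant records why it could not start or could not pick a certificate
#    here; this is where a "user certificate required ... can't be found" entry appears.
Get-WinEvent -LogName 'Microsoft-Windows-Wired-AutoConfig/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Run it in an elevated PowerShell session on the client. An empty candidate list points at enrollment (step 2), a chain that fails to build points at a missing issuing or root CA in the machine's trust store, and an `authMode` of the "machine or user" variety with a user-only certificate reproduces the symptom the original poster saw.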
