Occasional Contributor II

CPPM - Client did not complete EAP transaction

Hi,

I'm getting this message ONLY with iOS devices. This is the scenario:

ClearPass 6.7.8.109113

802.1X Aruba Wireless Service

Authentication Source: Active Directory

Authentication Method: EAP-PEAP/EAP-MSCHAPv2

ClearPass joined to the domain

RADIUS Certificate generated from Windows CA

CA certificate added to Trust list

When an iOS device connects, everything looks fine in Access Tracker, but after a few seconds I get this message and a TIMEOUT alert for this request. If the iOS device is rebooted I can connect without a problem, but after a couple of hours I get this error again.


| André Fernandes | ACCP| ACMP | ACSP | CWNA | CCNA |
Guru Elite

Re: CPPM - Client did not complete EAP transaction

How are you configuring the device supplicants?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: CPPM - Client did not complete EAP transaction

Well, on iOS devices we're letting the device set the parameters automatically.

1. Connect to SSID 802.1X

2. Enter user credentials

3. Trust the certificate

4. Connected

For Windows computers that are on the domain we set these parameters via GPO, and when someone is not on the domain we set them manually (Win7) or connect like iOS (Win10).


| André Fernandes | ACCP| ACMP | ACSP | CWNA | CCNA |
Guru Elite

Re: CPPM - Client did not complete EAP transaction

You should not be using a tunneled EAP method with manual client configuration. I would recommend moving to EAP-TLS or using a supplicant configuration utility.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: CPPM - Client did not complete EAP transaction

Thanks Cappalli, I agree with you.

But this is the scenario that we need to work today and we can't change anything now. To do EAP-TLS on smart devices the customer will need to buy Onboard licenses.

I think this is an isolated problem with iOS devices. Other OSes work fine.

Already opened a TAC, but I was hoping that someone here already got through this.


| André Fernandes | ACCP| ACMP | ACSP | CWNA | CCNA |
Guru Elite

Re: CPPM - Client did not complete EAP transaction

It's behaving as designed since the supplicant is not configured. This is the issue with using legacy EAP methods on unmanaged devices.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: CPPM - Client did not complete EAP transaction

Yes, but why does it sometimes work with the same device? After a reboot or forgetting the SSID we can connect again.

With any other type of supplicant, configured manually or via GPO, we can connect without any problems. Android, Windows and Linux are OK. Only iOS devices are getting this issue.


| André Fernandes | ACCP| ACMP | ACSP | CWNA | CCNA |
Guru Elite

Re: CPPM - Client did not complete EAP transaction

Because they're not properly configured.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: CPPM - Client did not complete EAP transaction

OK. Assuming that they're configured incorrectly, is the only solution to use Onboard on this kind of device?

If the customer configures FreeRADIUS or Microsoft NPS to authenticate these devices, this issue does not occur. Why only with ClearPass? What's the difference?


| André Fernandes | ACCP| ACMP | ACSP | CWNA | CCNA |
Guru Elite

Re: CPPM - Client did not complete EAP transaction

Onboard, supplicant configuration utility or manual configuration. The issues will occur on any RADIUS platform. It is not a ClearPass issue.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
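
The replies above recommend configuring the supplicant instead of letting users accept the certificate by hand. As an added example (not code from this thread, from Aruba or from ClearPass), this Python script builds an iOS configuration profile that pins the issuing CA and the RADIUS server name for PEAP. The SSID, server name, `com.example` identifiers and certificate bytes are constructed placeholders.

```python
import plistlib
import uuid


def _payload(ptype, name, **extra):
    """Common keys every configuration-profile payload carries."""
    pid = str(uuid.uuid4()).upper()
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
            "PayloadIdentifier": f"com.example.wifi.{pid}",  # placeholder prefix
            "PayloadDisplayName": name, **extra}


def build_peap_profile(ssid, ca_cert_der, server_names):
    """Return .mobileconfig XML (bytes) that pins server trust for PEAP."""
    if not server_names:
        raise ValueError("at least one RADIUS server name must be pinned")
    if not ca_cert_der or ca_cert_der[0] != 0x30:
        raise ValueError("CA certificate must be DER (starts with a SEQUENCE tag)")
    ca = _payload("com.apple.security.root", "RADIUS issuing CA",
                  PayloadContent=ca_cert_der)  # bytes are serialized as <data>
    wifi = _payload(
        "com.apple.wifi.managed", f"Wi-Fi ({ssid})",
        SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
        EncryptionType="WPA2",
        EAPClientConfiguration={
            "AcceptEAPTypes": [25],  # 25 = PEAP
            # Trust only the CA payload shipped in this same profile.
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],
            # Names the RADIUS server certificate is expected to present.
            "TLSTrustedServerNames": list(server_names),
        })
    # Credentials are left out of the profile so they are entered on the device.
    profile = _payload("Configuration", f"{ssid} 802.1X settings",
                       PayloadContent=[ca, wifi])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Constructed sample input: placeholder bytes standing in for the CA's DER file.
SAMPLE_CA_DER = bytes.fromhex("3003020100")

if __name__ == "__main__":
    xml = build_peap_profile("Corp-8021X", SAMPLE_CA_DER, ["radius.example.com"])
    print(xml.decode())
```

In real use, replace `SAMPLE_CA_DER` with the DER export of the CA that issued the RADIUS certificate and pass the name that certificate actually carries.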