Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Client did not complete EAP transaction

  • 1.  CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 08:49 AM

    Hi,

     

    I'm getting this message ONLY with iOS devices. This is the scenario:

     

    ClearPass 6.7.8.109113

    802.1X Aruba Wireless Service

    Authentication Source: Active Directory

    Authentication Method: EAP-PEAP/EAP-MSCHAPv2

    ClearPass joined in Domain

    RADIUS Certificate generated from Windows CA

    CA certificate added to Trust list

     

    When an iOS device connects, everything looks fine in Access Tracker, but after a few seconds I get this message and a TIMEOUT alert for this request. If the iOS device is rebooted I can connect without a problem, but after a couple of hours I get this error again.



  • 2.  RE: CPPM - Client did not complete EAP transaction

    EMPLOYEE
    Posted Jan 02, 2019 10:50 AM
    How are you configuring the device supplicants?


  • 3.  RE: CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 01:10 PM

    Well, on iOS devices we're letting the device set the parameters automatically.

     

    1. Connect to SSID 802.1X

    2. Enter user credentials

    3. Trust the certificate

    4. Connected

     

    For Windows computers that are on the domain we set these parameters via GPO, and when someone is not on the domain we set them manually (Win7) or connect like iOS (Win10).



  • 4.  RE: CPPM - Client did not complete EAP transaction

    EMPLOYEE
    Posted Jan 02, 2019 03:04 PM
    You should not be using a tunneled EAP method with manual client configuration. I would recommend moving to EAP-TLS or using a supplicant configuration utility.


  • 5.  RE: CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 03:12 PM

    Thanks Capalli, I agree with you.

     

    But this is the scenario that we need to work today and we can't change anything now. To do EAP-TLS on smart devices the customer will need to buy Onboard licenses.

     

    I think this is an isolated problem with iOS devices. Other OSes work fine.

     

    Already opened a TAC, but I was hoping that someone here had already been through this.



  • 6.  RE: CPPM - Client did not complete EAP transaction

    EMPLOYEE
    Posted Jan 02, 2019 03:14 PM
    It's behaving as designed since the supplicant is not configured. This is the issue with using legacy EAP methods on unmanaged devices.


  • 7.  RE: CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 03:22 PM

    Yes, but why does it sometimes work with the same device? After a reboot or forgetting the SSID we can connect again.

     

    With any other type of supplicant, configured manually or via GPO, we can connect without any problems. Android, Windows and Linux are OK. Only iOS devices are getting this issue.



  • 8.  RE: CPPM - Client did not complete EAP transaction

    EMPLOYEE
    Posted Jan 02, 2019 03:24 PM
    Because they're not properly configured.


  • 9.  RE: CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 03:28 PM

    OK. Assuming that they're configured incorrectly, is the only solution to use Onboard on this kind of device?

     

    If the customer configures FreeRADIUS or Microsoft NPS to authenticate these devices, this issue does not occur. Why only with ClearPass? What's the difference?



  • 10.  RE: CPPM - Client did not complete EAP transaction

    EMPLOYEE
    Posted Jan 02, 2019 03:45 PM
    Onboard, supplicant configuration utility or manual configuration. The issues will occur on any RADIUS platform. It is not a ClearPass issue.


  • 11.  RE: CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 03:59 PM

    I've tested. This issue occurs only with ClearPass.



  • 12.  RE: CPPM - Client did not complete EAP transaction

    EMPLOYEE
    Posted Jan 02, 2019 04:05 PM
    The topology or server identities likely differ.


  • 13.  RE: CPPM - Client did not complete EAP transaction

    Posted Jan 02, 2019 04:13 PM

    I've tested on Microsoft NPS. The certificates were issued by the same Windows CA Server (They have 1 CA Server only).