Security

From the Windows error logs, it appears that Client did not present its certificate as a result of which the EAP authentication timedout in ClearPass. If this is a user certificate, please make sure the client has its certificate installed under Personal folder in the certmgr.msc. We can try the same certificate on any other client to isolate the problem.

So understand this further, enable debug for RADIUS service(Administration --> Server Manager --> Log configuration --> Select RADIUS service and set the log level to DEBUG). Attempt again with different clients and attach the access tracker logs.

I use the same certificate to access certain internal sites and it is in the Personal folder. I'll test it from another Windows system and I'll try a co-worker's system to test with their certificate. I tried from an Ubuntu VM last night but had a lot of issues. 

Thank you for the directions to turn on the debug for the radius server. I attached the logs. 

Attachment(s)

Clearpass_Radius_Debug_Logs.txt   29 KB 1 version

Is the Windows supplicant configured for User, Computer or User+Computer authentication?

I have tried all three, but most of the time when I test, it is "user or computer authentication". 

There is a user cert in the user store from the same CA that Clearpass's certificate is using. There is a machine cert in the local computer store, but it is a self signed cert it looks like since the "issued by" is the same name as the machine. Do I need a machine cert from the same CA as well? I thought I could get by with just the user cert. 

No. Using OpenCA and the certs are manually added. We currently use the user cert to connect via WiFi directly onto the Aruba Controller. Eventually we want to move wireless to Clearpass as well.  I am starting with Wired NAC first. 

Can you try setting the supplicant to user only and then manually configuring the supplicant for EAP-TLS including the cert selection options to reference the CA?

I just tried it with user auth only and configuring the Certificate Selection to use the CA. I do not get anything in Access Tracker when I do that.

When I switch back to user or computer authentication, I get log entries in Access Tracker again.

I was issued a machine certificate from OpenCA and I added that as well. I get the same error messages in the event viewer and clearpass using user or computer authentication.

Username from the logs is host/Mike Smith. If the attached logs are taken from a user authentication failure attempt, then username does not sound right. 

Incase of user authentication, certificate is issued to user object sAMAaccountname or for UPN. Incase of computer authentication, certificate is issued to host/<hostname of the machine object> . It could be because of this conflict that client does not present the certificate when you select user authentication only in its SSID profile.

Please reissue the user certificate for sAMAaccount name and update the results with logs.

Another question is: Are you trying to authorize validity against Active Directory or just test basic certificate validity (expiration, etc)?

I am just trying to test basic certificate validity. 

I spent a lot of last week diagnosing this. Most of my issues were due to the Juniper EX4200 switch. The switch is from another team and they have one to two thousand lines of apply group settings and I went through and deleted all of that. EAP-PEAP and EAP-TTLS with MSCHAPv2 with Windows works now. I still can't get EAP-TLS to work with Windows. EAP-TLS, EAP-TTLS, and EAP-PEAP works with Linux. I ran packet captures and had all logs set to the debugging level to try and figure out what was going on. This issue did not reveal itself directly in the logs or packet captures. The switch was somehow altering the response from clearpass, and when it got to the client machines (Windows and Linux), they ignored the response and EAP failed. 

I am still not sure why EAP-TLS fails on the windows machine, but I don't think we are going to go that way anyways. Thanks for your help cappalli and VinceF. 

To be clearer, this is what I get in the Windows 10 event viewer when I do user authentication only:

Wired 802.1X Authentication failed.

Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
Peer Address: 648788A46088
Local Address: 68F7288D6039
Connection ID: 0xe
Identity: NULL
User:XXXXX
Domain: AD
Reason: 0x50005
Reason Text: Network authentication failed
The user certificate required for the network can't be found on this computer.

Error Code: 0x80420014

The above Windows error does not create a log entry in Access Tracker in Clearpass.

This is what I get when I get when I do machine authentication only.

Wired 802.1X Authentication failed.

Network Adapter: Intel(R) Ethernet Connection (3) I218-LM
Interface GUID: {cc5c0465-62ed-42b4-ac10-11b21a475b58}
Peer Address: 648788A46088
Local Address: 68F7288D6039
Connection ID: 0x5
Identity: host/XXXXX
User: -
Domain: -
Reason: 0x50005
Reason Text: Network authentication failed due to a problem with the user account

When I get the above error in Windows 10, I get an error in Access Tracker. The same error in the log I attached to this thread. 

The certs everyone uses to connect to WiFi is the same certificate I am using. I'd like to use the same certificates. If it isn't possible, then I'll have to do something else.