Occasional Contributor II

ClearPass Wired EAP-TLS Timeouts

Hi Community,

 

At the moment we are facing a strange issue with some Win10 clients authenticating with EAP-TLS to ClearPass via an Aruba switch.

 

After rebooting, the client is not able to authenticate, resulting in an EAP timeout in the ClearPass Access Tracker.

 

The clients are configured via GPO to use EAP-TLS. The root CA of the company is also pushed via GPO, and the clients are configured to trust this CA. Occasionally the authentication is successful, so the certs should be working fine.

 

We had a TAC case open on this issue. They took a packet capture and saw that the client is not responding during the EAP conversation, so they said it is not an issue with ClearPass.

 

We took a packet capture on the client.

[Two screenshots of the client-side packet capture, taken 16.07.19 at 08:27 and 08:28]

After one successful authentication with EAP-TLS session resumption, we see an Identity Request/Response followed by an EAP-TLS Request with an Encrypted Handshake message. There is actually data in this message, but all the following handshake messages from the client were quite empty.

 

After disabling the switch port and enabling it again, the authentication is successful.

 

Does anyone have a clue about this issue or had a similar problem?

MVP Guru

Re: ClearPass Wired EAP-TLS Timeouts

Yes, we have seen this issue on a couple of customer servers; after disabling and re-enabling the switch port, we start seeing authentication success.

 

I would recommend opening a switch TAC ticket with complete tech support logs to find out why the switch failed to respond to the server's RADIUS request packet.


Regards,
Pavan

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Super Contributor II

Re: ClearPass Wired EAP-TLS Timeouts

Based on the information, it indeed doesn't look like a ClearPass issue. One of the first things to do in this case is to update the NIC drivers. Sometimes there are strange issues with the drivers.

 

Please also check the EAP host log at the client.


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: ClearPass Wired EAP-TLS Timeouts

On the client we see the following error (sorry for the language, but it's a German Windows client):

 

Wired 802.1X authentication failed.

                Network adapter: Intel(R) Ethernet Connection I219-V
                Interface GUID: {f3c36134-2070-4459-9dc6-f10d5878e813}
                Peer address: 00FD451574C0
                Local address: 507B9DA59FE5
                Connection ID: 0x42
                Identity: -
                User: -
                Domain: -
                Reason: 0x70004
                Reason text: The network is no longer responding to authentication requests.
                Error code: 0x0

 

Looking at the switch, it might indeed be that the switch is causing an issue:

 

0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 252 to 10.20.202.72
session: 22387, access method: PORT-ACCESS, User-Name:
host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
29, NAS-IP-Address: 10.24
0037:12:18:05.83 RAD tRadiusR:ACCESS CHALLENGE id: 252 from 10.20.202.72
received.
0037:12:18:05.83 1X m8021xCtrl:Port 29: received EAP request for client
507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP request #20 to 507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: received type 13 EAP response #20 from
507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP response from client
507b9d-a59fe5 to authenticaton server.
0037:12:18:05.83 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 22387.
0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 253 to 10.20.202.72
session: 22387, access method: PORT-ACCESS, User-Name:
host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
29, NAS-IP-Address: 10.24

 

The switch sends the client response to the server, but nothing happens.
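The switch debug output above is the useful artifact in this thread: each ACCESS REQUEST carries a RADIUS identifier, and a healthy exchange shows an ACCESS CHALLENGE/ACCEPT/REJECT with the same id coming back from the server. The stuck case is an id that is sent and never answered while other ids on the same server are. The script below is an added example, not code from the thread or from Aruba: it joins the wrapped debug lines, pairs requests with replies by (server, id), and lists the requests that stayed unanswered for longer than a configurable threshold, together with the User-Name and Calling-Station-Id so the entry can be matched against the client event log. The sample input is the thread's own switch log plus two constructed entries (request id 254 for a second, fictitious client on port 30) to show a request that does get answered; the debug command names and the 5-second threshold are assumptions.

```python
"""Pair RADIUS Access-Requests with replies in an ArubaOS-Switch 802.1X debug log.

Added example, not from the original thread. Input lines look like the output of
the switch's RADIUS / port-access debugging (exact debug command names assumed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Timestamp prefix is "dddd:HH:MM:SS.ss" (days since boot, then time of day).
TS = r"(?P<ts>\d{4}:\d{2}:\d{2}:\d{2}\.\d{2})"
REQ = re.compile(TS + r" RAD \S+:ACCESS REQUEST id: (?P<id>\d+) to (?P<srv>\S+)")
REPLY = re.compile(TS + r" RAD \S+:ACCESS (?P<kind>CHALLENGE|ACCEPT|REJECT) id: (?P<id>\d+) from (?P<srv>\S+)")
ATTR = re.compile(r"(User-Name|Calling-Station-Id|NAS-Port-Id): ([^,]+)")

# Lines 1-17 are the thread's switch log; the last two entries (id 254, port 30,
# host/EXAMPLE-PC) are constructed to show a request that *is* answered.
SAMPLE_LOG = """\
0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 252 to 10.20.202.72
session: 22387, access method: PORT-ACCESS, User-Name:
host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
29, NAS-IP-Address: 10.24
0037:12:18:05.83 RAD tRadiusR:ACCESS CHALLENGE id: 252 from 10.20.202.72
received.
0037:12:18:05.83 1X m8021xCtrl:Port 29: received EAP request for client
507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP request #20 to 507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: received type 13 EAP response #20 from
507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP response from client
507b9d-a59fe5 to authenticaton server.
0037:12:18:05.83 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 22387.
0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 253 to 10.20.202.72
session: 22387, access method: PORT-ACCESS, User-Name:
host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
29, NAS-IP-Address: 10.24
0037:12:18:35.10 RAD mRadiusCtrl:ACCESS REQUEST id: 254 to 10.20.202.72
session: 22390, access method: PORT-ACCESS, User-Name:
host/EXAMPLE-PC, Calling-Station-Id: 001122-334455, NAS-Port-Id:
30, NAS-IP-Address: 10.24
0037:12:18:35.11 RAD tRadiusR:ACCESS ACCEPT id: 254 from 10.20.202.72
received.
"""


@dataclass
class Request:
    rid: int
    server: str
    sent_at: float
    attrs: Dict[str, str] = field(default_factory=dict)
    reply: Optional[str] = None      # CHALLENGE / ACCEPT / REJECT once seen
    reply_at: Optional[float] = None


def ts_seconds(ts: str) -> float:
    """Convert 'dddd:HH:MM:SS.ss' into seconds since boot."""
    days, hh, mm, ss = ts.split(":")
    return ((int(days) * 24 + int(hh)) * 60 + int(mm)) * 60 + float(ss)


def join_wrapped(lines: List[str]) -> List[str]:
    """Re-join debug lines the switch (or the terminal) wrapped at ~80 columns."""
    out: List[str] = []
    for ln in lines:
        if re.match(TS, ln) or not out:
            out.append(ln.rstrip())
        else:
            out[-1] += " " + ln.strip()
    return out


def parse(text: str) -> Tuple[List[Request], float]:
    """Return all Access-Requests (with their replies filled in) and the last timestamp seen."""
    requests: List[Request] = []
    pending: Dict[Tuple[str, int], Request] = {}   # RADIUS ids wrap at 256, so key by server too
    last_ts = 0.0
    for line in join_wrapped(text.splitlines()):
        m = REQ.match(line)
        if m:
            req = Request(int(m["id"]), m["srv"], ts_seconds(m["ts"]), dict(ATTR.findall(line)))
            requests.append(req)
            pending[(req.server, req.rid)] = req
            last_ts = req.sent_at
            continue
        m = REPLY.match(line)
        if m:
            last_ts = ts_seconds(m["ts"])
            req = pending.pop((m["srv"], int(m["id"])), None)
            if req is not None:
                req.reply, req.reply_at = m["kind"], last_ts
            continue
        m = re.match(TS, line)
        if m:
            last_ts = ts_seconds(m["ts"])
    return requests, last_ts


def unanswered(text: str, server_timeout: float = 5.0) -> List[Request]:
    """Requests with no reply from the server for at least server_timeout seconds (assumed threshold)."""
    requests, last_ts = parse(text)
    return [r for r in requests if r.reply is None and last_ts - r.sent_at >= server_timeout]


if __name__ == "__main__":
    for r in unanswered(SAMPLE_LOG):
        print(f"id {r.rid} to {r.server} unanswered: {r.attrs.get('User-Name')} "
              f"({r.attrs.get('Calling-Station-Id')}) on port {r.attrs.get('NAS-Port-Id')}")
```

If the only unanswered ids belong to one session while neighbouring ids to the same server are answered, the server received the EAP response and dropped the conversation (or the reply was lost on the way back), which is a different fault from the "client did not respond" reading of the same timeout in Access Tracker; a capture on the server side with the RADIUS id in hand settles which.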

Aruba Employee

Re: ClearPass Wired EAP-TLS Timeouts

Hi Marian,

 

Is the issue fixed?

TVM
New Contributor

Re: ClearPass Wired EAP-TLS Timeouts

Is it resolved? Could you share the TAC ticket number?
