Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Wired EAP-TLS Timeouts

  • 1.  ClearPass Wired EAP-TLS Timeouts

    Posted Jul 16, 2019 02:35 AM

    Hi Community,

     

    At the moment we are facing a strange issue with some Win10 clients authenticating with EAP-TLS to ClearPass via an Aruba switch.

     

    After rebooting, the client is not able to authenticate, resulting in an EAP timeout in the ClearPass Access Tracker.

     

    The clients are configured via GPO to use EAP-TLS. The root CA of the company is also pushed via GPO and the clients are configured to trust this CA. Occasionally the authentication is successful, so the certs should be working fine.

     

    We had a TAC case opened on this issue. They took a packet capture and saw that the client is not responding during the EAP conversation. So they said it is not an issue with ClearPass.

     

    We took a packet capture on the client.

    [Two screenshots of the client capture: Bild 16.07.19 um 08.27.jpg, Bild 16.07.19 um 08.28.jpg]

    The capture shows one successful authentication with EAP-TLS session resumption. After that we see an Identity Request/Response followed by an EAP-TLS Request with an Encrypted Handshake message. There is actually data in this message, but all the following handshake messages from the client were quite empty.

     

    After disabling the switch port and enabling it again, the authentication is successful.

     

    Does anyone have a clue about this issue or had a similar problem?



  • 2.  RE: ClearPass Wired EAP-TLS Timeouts

    EMPLOYEE
    Posted Jul 16, 2019 06:16 AM

    Yes, we have seen this issue on a couple of customer servers; after disabling and re-enabling the switch port, we start seeing authentication success.

     

    I would recommend opening a switch TAC ticket with complete tech support logs to find why the switch failed to respond to the server's RADIUS request packet.



  • 3.  RE: ClearPass Wired EAP-TLS Timeouts

    Posted Jul 16, 2019 06:22 AM

    Based on the information it indeed doesn't look like a ClearPass issue. One of the first things to do in this case is to update the NIC drivers. Sometimes there are strange issues with the drivers.

     

    Please also check the EAP host log at the client.



  • 4.  RE: ClearPass Wired EAP-TLS Timeouts

    Posted Jul 16, 2019 08:45 AM

    On the client we see the following error (sorry for the language, but it's a German Windows client):

     

    Die 802.1X-Authentifizierung (verkabelt) ist fehlgeschlagen.

    Netzwerkadapter: Intel(R) Ethernet Connection I219-V
    Schnittstellen-GUID: {f3c36134-2070-4459-9dc6-f10d5878e813}
    Peeradresse: 00FD451574C0
    Lokale Adresse: 507B9DA59FE5
    Verbindungs-ID: 0x42
    Identität: -
    Benutzer: -
    Domäne: -
    Ursache: 0x70004
    Ursachentext: Das Netzwerk beantwortet keine Authentifizierungsanforderungen mehr.
    Fehlercode: 0x0

     

    Looking at the switch it might indeed be that the switch is causing an issue:

     

    0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 252 to 10.20.202.72
    session: 22387, access method: PORT-ACCESS, User-Name:
    host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
    29, NAS-IP-Address: 10.24
    0037:12:18:05.83 RAD tRadiusR:ACCESS CHALLENGE id: 252 from 10.20.202.72
    received.
    0037:12:18:05.83 1X m8021xCtrl:Port 29: received EAP request for client
    507b9d-a59fe5.
    0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP request #20 to 507b9d-a59fe5.
    0037:12:18:05.83 1X m8021xCtrl:Port 29: received type 13 EAP response #20 from
    507b9d-a59fe5.
    0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP response from client
    507b9d-a59fe5 to authenticaton server.
    0037:12:18:05.83 RAD mRadiusCtrl:Received RADIUS MSG: DATA, session: 22387.
    0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 253 to 10.20.202.72
    session: 22387, access method: PORT-ACCESS, User-Name:
    host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
    29, NAS-IP-Address: 10.24

     

    The switch sends the client response to the server, but nothing happens.
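As an added example that is not part of the thread, a small Python script that reads ArubaOS-Switch debug output in the format quoted above, joins the wrapped continuation lines back onto their record, and lists the RADIUS Access-Requests for which the switch never logged an Access-Challenge/Accept/Reject. The sample log is constructed from the lines in this post, and the regular expressions assume the message formats shown there.

```python
import re

# Constructed sample modelled on the switch debug output quoted in this post:
# Access-Request id 252 is answered, id 253 never gets a reply.
SAMPLE_LOG = """\
0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 252 to 10.20.202.72
session: 22387, access method: PORT-ACCESS, User-Name:
host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
29, NAS-IP-Address: 10.24
0037:12:18:05.83 RAD tRadiusR:ACCESS CHALLENGE id: 252 from 10.20.202.72
received.
0037:12:18:05.83 1X m8021xCtrl:Port 29: sent EAP request #20 to 507b9d-a59fe5.
0037:12:18:05.83 1X m8021xCtrl:Port 29: received type 13 EAP response #20 from
507b9d-a59fe5.
0037:12:18:05.83 RAD mRadiusCtrl:ACCESS REQUEST id: 253 to 10.20.202.72
session: 22387, access method: PORT-ACCESS, User-Name:
host/DE1CL17346, Calling-Station-Id: 507b9d-a59fe5, NAS-Port-Id:
29, NAS-IP-Address: 10.24
"""

TS = re.compile(r"^\d{4}:\d{2}:\d{2}:\d{2}\.\d{2} ")          # record start
REQ = re.compile(r"ACCESS REQUEST id: (\d+) to (\S+)")
RESP = re.compile(r"ACCESS (CHALLENGE|ACCEPT|REJECT) id: (\d+) from (\S+)")
CSID = re.compile(r"Calling-Station-Id: (\S+?),")

def unwrap(text):
    """Join lines without a leading timestamp onto the record they continue."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def unanswered_requests(text):
    """Return Access-Requests (id, server, client MAC) with no logged reply."""
    pending = {}  # (radius id, server) -> Calling-Station-Id
    for rec in unwrap(text):
        m = REQ.search(rec)
        if m:
            c = CSID.search(rec)
            pending[(m.group(1), m.group(2))] = c.group(1) if c else None
            continue
        m = RESP.search(rec)
        if m:  # any reply closes the matching request
            pending.pop((m.group(2), m.group(3)), None)
    return [{"id": k[0], "server": k[1], "client": v} for k, v in pending.items()]
```

Run over a longer debug capture, the output points at the exact RADIUS exchange where the conversation stalled, which is the evidence a switch TAC case would want alongside the tech-support logs.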



  • 5.  RE: ClearPass Wired EAP-TLS Timeouts

    EMPLOYEE
    Posted Nov 12, 2019 09:10 AM

    Hi Marian,

     

    Is the issue fixed?



  • 6.  RE: ClearPass Wired EAP-TLS Timeouts

    Posted Dec 07, 2019 06:55 AM

    Is it resolved? Could you share the TAC ticket number?



  • 7.  RE: ClearPass Wired EAP-TLS Timeouts
    Best Answer

    Posted Feb 03, 2020 07:09 AM

    Sorry for the late reply. Our customer had opened a ticket with Microsoft. They did not give any specific reason, but the issue is solved with:

     

    4507466 Win2016RS4_19-07_C_rollup_KB http://support.microsoft.com/kb/4507466 July 16, 2019-KB4507466 (OS Build 17134.915)