Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Authentication TimeOut

  • 1.  Clearpass Authentication TimeOut

    Posted Feb 29, 2016 05:37 AM

    Hello,

     

    I receive the following failure message from our RADIUS:

    Client did not complete EAP transaction

     

     

    On live monitoring in Access Tracker I receive 2 messages, I think this is correct:

    One is for our Device: EAP-PEAP,EAP-TLS <- works !!

    The second is for our AD, I think, and here I get: Client did not complete EAP transaction !!

    Always get a TIMEOUT !!!

     

    An explanation why ??

    I want the user to connect automatically to our network and to the AD.

     

    Thx

    Salvatore

     



  • 2.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Feb 29, 2016 05:46 AM

    What OS is this client?  Client timeout is a generic error message.  The #1 reason is the radius server certificate is new or changed and the client did not click on accept, so the radius transaction was not completed.  We would need more details to explain why the error message is happening.



  • 3.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 05:56 AM

    Hi,

     

    We use Windows 7 clients.

    I tried something: I disconnected the WiFi connection and connected it again, and now I receive only the EAP-PEAP authentication method. Why?

    Where is my EAP-TLS authentication message ??

    I did not change anything in the configuration.

     

    THX

    Salvatore



  • 4.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Feb 29, 2016 06:00 AM

    How is the client configured?



  • 5.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:15 AM

    Hi,

     

    1. First, in the security settings I have set Microsoft EAP (PEAP).
      1. Then Settings: check certificate, authentication method: smartcard or other certificate.
      2. Enter configure: use certificate on the computer, use and check certificate.
    2. Advanced settings: authentication method -> Computer authentication.

    Hope you understand my configuration :-)

    Under ClearPass Authentication Methods, EAP-TLS, there is written: Session Timeout 6 hours.

    That means, if I disconnect and connect a few times within these 6 hours, my laptop (machine authentication) is not considered. Right ?? Only the AD authentication will be considered.

     

    Thx.

    Salvatore



  • 6.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Feb 29, 2016 06:21 AM

    Does the Windows laptop have a client certificate in the computer store?  How was this certificate issued to the client?  Did it ever work?



  • 7.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 06:32 AM

    Hi,

     

    Yes, the client has the ROOT CA installed.

    Some background: on Friday I installed the certificate on ClearPass.

    There are 3 certificates on ClearPass: Root CA, Intermediate CA, and Server CA.

    Then I tried to connect a few times but it did not work.

    Today I added the certificates to the Trust List on ClearPass and changed the Windows settings and it works. I think.

     

    Thx

    Salvatore



  • 8.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Feb 29, 2016 06:34 AM

    The Windows 7 client requires a client certificate for authentication which is separate from the RootCA, Intermediate CA and Server CA.  With your settings the client requires a client certificate in the computer store, not the user store.

     

    Use the link here:  https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx to see how to check for client certificates on your computer.



  • 9.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:13 AM

    Hi,

     

    Yes, I have a client certificate. It is separate from the RootCA, Intermediate CA and Server CA.

     

    Thx

    Salvatore



  • 10.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Feb 29, 2016 07:28 AM

    Who issued the client certificate and is it in the computer (machine) store?



  • 11.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:36 AM

    Hi,

     

    Certificate path: when I double-click on my local certificate, I see my (issued by) intermediate certificate, and this comes from our ROOT CA.

    Hope you understand me. My English is not the best.

     

    Thx

    Salvatore



  • 12.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Feb 29, 2016 07:43 AM

    I understand.  Try configuring your client with "Validate Server Certificate" unchecked and see if your client can authenticate.



  • 13.  RE: Clearpass Authentication TimeOut

    Posted Feb 29, 2016 07:56 AM

    If I uncheck "Validate Server Certificate" I still had a connection to the WiFi. The client uses EAP-PEAP.

    Monitor Live Tracking: Authentication Method: EAP-PEAP,EAP-MSCHAPv2.

    When I check "Validate Server Certificate" I receive EAP-PEAP,EAP-TLS.

    My goal is that when employees come to work, all devices automatically connect to the WiFi via certificate.

    I tried to remove EAP-PEAP from the ClearPass authentication methods, but unfortunately I had no connection to WiFi.

     

    Thx

    Salvatore



  • 14.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 04:25 AM

    Good morning,

     

    New situation: now my authentication with my certificate works.

    Settings ClearPass: Authentication Method = EAP-TLS

    Windows 7 client: Microsoft smartcard or other Certification

    When I keep these settings, my client will automatically connect to the WiFi.

    But I receive a new failure message in Access Tracker: Client does not support configured EAP methods

    Our client must simultaneously build up an authentication to the AD.

    If I add EAP-PEAP to the authentication methods, everything works fine too, but then I have 2 new problems:

    1. I receive a timeout message: Client did not complete EAP transaction
    2. Big problem: now no matter which settings I have on my client, it always gets a connection.

    And that should not happen. It must first verify that my client has a valid certificate and then in the second step authenticate with my AD.

    Does anyone have any idea ??

    Maybe I have forgotten to configure something on ClearPass?

     

    Thx

    Salvatore



  • 15.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 06:07 AM
    A couple suggestions:

    - Are you using Microsoft CA as your Root CA to generate the unique certs? If so, are you using machine and user cert or just machine?
    - Also, if you are not using a third party cert in ClearPass, make sure you import it into the certificate store or send it through a GPO to your wireless clients
    - Make sure that the Microsoft Root CA has been added to the cert trusted list in ClearPass
    - The wireless profile for the SSID needs to be set to use Smartcard or certificate manually; if you are only using a Computer cert then just enable Computer auth instead of user or computer
    - In ClearPass you then need to allow EAP-TLS as an authentication method and use AD as the authentication source


  • 16.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 06:23 AM

    Hi,

     

    We have a corporate certificate.

    1. machine certificate on the clients
    2. certificate installed on ClearPass
    3. and added to the trusted list.

    If I configure it as you described, EAP_TLS and source is AD, it works. But then I receive the following error message: Radius -> EAP: Client doesn't support configured EAP methods

    Client settings: I have set Smartcard or certificate manually and I only use computer auth.

     

    thx

    Salvatore

     



  • 17.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 06:25 AM
    Have you tried updating the drivers or another machine?



  • 18.  RE: Clearpass Authentication TimeOut

    Posted Mar 02, 2016 07:25 AM

    Hi,

     

    Yes, I have 2 or 3 laptops to test the WiFi connection. The network adapter drivers have the latest update.

    But another question:

    • Are there any settings for the authentication sequence?
    • Like: if a client certificate exists and is valid (EAP_TLS) then
      • authenticate with AD
    • if not, reject.

    Or which settings must be set on ClearPass? Can I do this with enforcement?

     

    Thx

    Salvatore



  • 19.  RE: Clearpass Authentication TimeOut
    Best Answer

    Posted Mar 04, 2016 09:12 AM

    Hi,

    Everything works now. I had to uncheck under Configuration -> Services -> Authentication -> Authentication Methods = EAP_TLS -> uncheck = Authentication required.

    Now I get certificate access without EAP timeouts.

     

    Thx for help.

     

     



  • 20.  RE: Clearpass Authentication TimeOut

    Posted Jun 05, 2018 01:34 AM

    Hi all, we are also getting EAP timeouts.  What was the fix for this issue?



  • 21.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Jun 05, 2018 05:04 AM

    There are a number of reasons for EAP timeouts.  Do you have any more information like what devices are involved and what the error messages are?



  • 22.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:21 PM

    I am currently having this issue with mobile devices like iPhones or Android.  Users will stay on wireless for a while and then can't get on the internet.  I look at ClearPass and see a timeout.  How they are fixing it is shutting off wireless on their phones and turning it back on.



  • 23.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Jul 06, 2018 04:23 PM
    Authentication method?


  • 24.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:24 PM

    802.1x



  • 25.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Jul 06, 2018 04:27 PM
    EAP method? EAP server certificate details?


  • 26.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:32 PM

    EAP-PEAP

    with a Radius Server Certificate from our local Cert Server



  • 27.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Jul 06, 2018 04:38 PM
    Have the client’s supplicants been properly configured to trust the EAP server certificate?


  • 28.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:39 PM

    I can speak on the iphones since I am on one.  When I connect to the Wireless first time I am asked to trust the Cert which I select Trust.  Is that what you are talking about?



  • 29.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Jul 06, 2018 04:42 PM
    That’s not really properly configured, but yes, it should work. Do you have the same EAP server certificate on all nodes in the cluster?


  • 30.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 04:45 PM

    Yes we do.  I am sure there are other ways of pushing the cert out to phones but sadly that is the way we do it.



  • 31.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2018 05:02 PM

    Arubawifi.JPG



  • 32.  RE: Clearpass Authentication TimeOut

    Posted Oct 03, 2018 08:57 AM

    We are also having the same error, a ton of it. We had to increase our "interval between WPA/WPA2 Key Messages" from 1000 to 3000ms, which cut down a ton of timeouts, but that's a band-aid and not solving the root cause. I have been working with TAC for 3-4 weeks on this and we're not any closer.

    Did you get any resolution?



  • 33.  RE: Clearpass Authentication TimeOut

    Posted Oct 03, 2018 11:02 AM

    Same here, let me know if you get any resolution from TAC.

     

    Thanks,

     

    AP



  • 34.  RE: Clearpass Authentication TimeOut

    Posted Oct 05, 2018 08:17 AM

    The latest patch includes some Active Directory tree searching enhancements.  We just upgraded to 6.7.6, checking today and next week if that takes care of the issue.



  • 35.  RE: Clearpass Authentication TimeOut

    Posted Oct 19, 2018 04:25 PM

    Any luck with this issue, guys? Did you have any success after upgrading to 6.7.6?



  • 36.  RE: Clearpass Authentication TimeOut

    Posted Nov 07, 2018 09:52 PM

    Have you guys found a way to solve it yet? I'm running 6.7.7 with lots of timeouts.



  • 37.  RE: Clearpass Authentication TimeOut

    Posted Jul 02, 2020 05:47 PM

    Where were these timers that you adjusted? Any other discoveries on this issue?



  • 38.  RE: Clearpass Authentication TimeOut

    EMPLOYEE
    Posted Jul 03, 2020 12:39 PM

    Are you seeing any auth timeouts in Access Tracker? If yes, then we need to check the Access Tracker logs to find whether it failed due to a delay in the auth process on the auth server or no response from the client itself to the CPPM access challenge.

     

     



  • 39.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2020 04:18 PM
    Ok, yes, seeing the timeouts in the access tracker and the client is not getting prompted to trust. Therefore the client is not allowed on the network.

    Thanks,

    Jake



  • 40.  RE: Clearpass Authentication TimeOut

    Posted Jul 06, 2020 05:21 PM
     

    Time Message

    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R07e74a6e-02-5efefabb, state - AJ0A9QBiAFRpR7wkhIm2wYsBikLNvg+JNWahNg=
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 186:276:88:54-99-63-6E-A8-63 recv 1593768635.740301 - resp 1593768635.747602
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 187:442:1124:54-99-63-6E-A8-63 recv 1593768635.820131 - resp 1593768635.825175
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 188:287:1120:54-99-63-6E-A8-63 recv 1593768635.872398 - resp 1593768635.873006
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 189:287:1120:54-99-63-6E-A8-63 recv 1593768635.918090 - resp 1593768635.918799
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 190:287:1120:54-99-63-6E-A8-63 recv 1593768635.964035 - resp 1593768635.964579
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 191:287:1120:54-99-63-6E-A8-63 recv 1593768636.8184 - resp 1593768636.8786
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 192:287:1120:54-99-63-6E-A8-63 recv 1593768636.54485 - resp 1593768636.54940
    2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 193:287:1120:54-99-63-6E-A8-63 recv 1593768636.100298 - resp 1593768636.100676
    2020-07-03 04:31:27,040[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 194:287:300:54-99-63-6E-A8-63 recv 1593768636.146052 - resp 1593768636.146472
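
Added example (not part of the original post, and not ClearPass tooling): a parser for the `reqst_clean_list` lines above that separates server-side delay from client silence, the two causes named in post 38. Assumptions: the digits after the dot in `recv`/`resp` are an unpadded microsecond count (inferred from the packet spacing in the sample), and the log timestamps are UTC-5 (the log states no zone).

```python
import re
from datetime import datetime, timedelta, timezone

# Five reqst_clean_list lines copied from the log excerpt in post 40.
SAMPLE = """\
2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 190:287:1120:54-99-63-6E-A8-63 recv 1593768635.964035 - resp 1593768635.964579
2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 191:287:1120:54-99-63-6E-A8-63 recv 1593768636.8184 - resp 1593768636.8786
2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 192:287:1120:54-99-63-6E-A8-63 recv 1593768636.54485 - resp 1593768636.54940
2020-07-03 04:31:27,039[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 193:287:1120:54-99-63-6E-A8-63 recv 1593768636.100298 - resp 1593768636.100676
2020-07-03 04:31:27,040[main SessId R07e74a6e-02-5efefabb] ERROR RadiusServer.Radius - reqst_clean_list: Packet 194:287:300:54-99-63-6E-A8-63 recv 1593768636.146052 - resp 1593768636.146472
"""

LINE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+),(?P<ms>\d{3})\[.*?reqst_clean_list: Packet (?P<pkt>\d+):\S+"
    r" recv (?P<rs>\d+)\.(?P<ru>\d+) - resp (?P<ps>\d+)\.(?P<pu>\d+)")

def to_usec(sec, frac):
    # Assumption inferred from the sample: the part after the dot is an unpadded
    # microsecond count ("636.8184" = 636 s + 8184 us), so float() would
    # misplace packets 191 and 192 in time.
    return int(sec) * 1_000_000 + int(frac)

def analyse(text, utc_offset_hours):
    """utc_offset_hours: zone of the log timestamps (an assumption, not in the log)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    rows = []
    for line in text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue  # e.g. the "Deleting request sessid" line
        logged = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        cleanup = int(logged.timestamp()) * 1_000_000 + int(m["ms"]) * 1000
        rows.append((to_usec(m["rs"], m["ru"]), to_usec(m["ps"], m["pu"]),
                     cleanup, int(m["pkt"])))
    rows.sort()  # order by receive time
    return {
        "order": [r[3] for r in rows],
        # time ClearPass took to answer each request
        "max_server_latency_us": max(resp - recv for recv, resp, _, _ in rows),
        # time the client/NAS took to send the next request after a response
        "max_client_gap_us": max((b[0] - a[1] for a, b in zip(rows, rows[1:])), default=0),
        # silence between the last response and the session being cleaned up
        "idle_before_cleanup_s": (rows[-1][2] - rows[-1][1]) / 1e6,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE, utc_offset_hours=-5))
```

On these lines the server answers every request in under a millisecond and the client replies within about 45 ms, then nothing arrives for roughly 51 seconds before cleanup, which under the stated assumptions is the "no response from client" case rather than a slow auth server.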

     



  • 41.  RE: Clearpass Authentication TimeOut

    Posted May 11, 2021 08:22 AM
    Edit: I had the same problem. It was a problem with jumbo frames not being allowed on the MGMT VLAN for the core switch that my test switch was connected to.


    ------------------------------
    Rikard Berg
    ------------------------------