Occasional Contributor II

Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Hoping someone can assist as I'm striking out with TAC on this issue.

We have Win10 machines with full Credential Guard enabled, so naturally we have to use EAP-TLS for these workstations to authenticate properly.

Currently I have about 20 machines on the network in this fashion so far, and when one of these machines LEAVES THE NETWORK for approx. 48 hrs, when it comes back and authenticates there is a VERY good chance it will TIME OUT and fail to log on correctly.

Access Tracker details include:

Login Status: TIMEOUT
Alerts Tab: Client did not complete EAP Transaction
Error code: 9002

Some information on our environment:

- We have an internal certificate authority, and I have confirmed we have imported the Root, Intermediate, and server certificates for both issuers to our CPPM.
- I have confirmed in the trust list that both servers are added and "enabled".
- The CN is also added to the trust list and also "enabled".

We have taken Wireshark captures on the CPPM as well as debug logs, in addition to Wireshark captures of the switch uplink port. Following the trace of the packets, it appears the server stops asking and the switch stops providing, although there is no outright error to go off.

We have attempted to resolve this with the following changes:

1. For our EAP-TLS method we REMOVED "Authorization Required"; Session Resumption is still 'enabled'.
2. Disabled the switch server dead time.
3. Adjusted "aaa authentication num-attempts 1" instead of 2.
4. Adjusted the MTU size for EAP-TLS packets on CPPM to 1374 instead of the default 1024.
5. Confirmed our workstations have the Computer Cert required, that it is indeed provided by the right issuer (via GPO), and that no duplicates exist.

CPPM and switch firmware versions:

Currently running Clearpass version: 6.6.9.102777
HP 3800 switch on version: KA.16.04.0009
HP 5406 switch on version: K.16.02.0022m


Any help or suggestions on what else to try would be greatly appreciated.

Thanks!

Guru Elite

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Drivers up to date?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

The issue has occurred on HP laptops as well as Microsoft Surface tablets (all wired). We have confirmed the latest HP drivers are up to date; I will need to confirm on the Surface tablets though.

Is there a possibility that a Clearpass upgrade to 6.7 would also help, although TAC has not suggested that either?

I should also add, once the workstation has authenticated properly (sometimes after a few restarts, sometimes after a port disable/enable on the switch), it works correctly every single day until it leaves the network for approx. 48 hrs or so.

In some cases, just leaving the affected machine connected to the network, it will correct itself 2 or 3 hours later that day. And again, it works fine going forward until an interruption occurs, like taking the machine home for the weekend, etc.

Guru Elite

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Do you have a packet capture from the device when it's occurring?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Yes, the latest capture includes CPPM in debug mode, a packet capture, as well as a pcap on the switch.

Do you have access to the TAC case # for the pcaps supplied and/or the technician I've been working with? My decision to post here is obviously due to your knowledge of the product and a recommendation from Dennis Boas when I was at HP Discover.

Current captures are for ticket #5331977160, but I can resend if needed; (2) files roughly 180 MB in size each.

Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction


I've heard back from TAC, and they replicated the issue in the LAB and confirmed that with Win10 running Credential Guard (Configured and Running) it blocks the MSCHAPv2 reply from the client that Clearpass is expecting. Hence the timeout.

So this leaves me in an interesting situation.

With Credential Guard on, I'm forced to do EAP-TLS machine authentication, but the protocol used in the handshake (MSCHAPv2) is blocked by Credential Guard. Is this a bug or an oversight?

How does one successfully run 802.1X with EAP-TLS machine authentication while also running Credential Guard on a Win10 machine with Credential Guard Configured AND Running?

Guru Elite

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

EAP-TLS does not use EAP-MSCHAPv2.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

That's what is catching me off guard as well. Here is the reply from TAC; possible mistype?

[quote]
We have replicated the issue on our lab server and could successfully reproduce the issue.

You were correct in saying that the issue occurs only on Windows 10 Enterprise clients enabled with Credential Guard.

Whenever Credential Guard is enabled and running on a client, it fails 802.1X authentication.

We took a packet capture and found that the 1st phase of authentication gets successful (EAP-PEAP, the outer method).

During the 2nd phase of authentication, i.e. MSCHAPv2, CPPM sends an access challenge for the password but receives no response from the client and hence times out.

It seems that Credential Guard is blocking the response of MSCHAPv2.

Below are the attached packet capture images for the failing authentication:
[image: Example 1.PNG]
[/quote]

This is the part that confuses me: labeling phase 2 of the authentication as MSCHAPv2.

[images: Example 2.PNG, Example 3.PNG]

Guru Elite

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Make sure the supplicant is configured for EAP-TLS.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

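Tim's advice to confirm the supplicant is actually configured for EAP-TLS can be checked without a packet capture by reading the wired 802.1X profile that Windows writes out with `netsh lan export profile folder=<dir>`. The Python below is an added example, not code from this thread or from Aruba/HPE: it pulls the EAP method chain out of such a profile and flags a PEAP profile whose inner method is EAP-MSCHAPv2, which is what TAC's capture described and which Credential Guard will not complete with domain credentials. The two profile documents inside it are constructed samples shaped like a netsh export, the function names are my own, and a profile reporting only type 13 (EAP-TLS) is the one that should be in the GPO for these machines.

```python
"""Report which EAP method a Windows wired 802.1X profile really uses.

Added example. The two profiles below are constructed samples in the shape
'netsh lan export profile' writes; on a real client, export the profile and
pass that file to assess_profile().
"""
import xml.etree.ElementTree as ET

NS_ONEX = "http://www.microsoft.com/networking/OneX/v1"
NS_BASEEAP = "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"

# IANA EAP method type numbers as they appear in Windows EAPHost XML.
EAP_TYPE_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
# MS-CHAPv2 is among the protocols Credential Guard refuses to complete with
# domain credentials, so a PEAP profile with this inner method stalls mid-exchange.
CREDENTIAL_GUARD_BLOCKED = {26}

# Constructed sample: PEAP with inner EAP-MSCHAPv2 (the chain TAC's capture showed).
PEAP_MSCHAPV2_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machineOrUser</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
    <Config>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
       <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>26</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
         <UseWinLogonCredentials>true</UseWinLogonCredentials>
        </EapType>
       </Eap>
      </EapType>
     </Eap>
    </Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>"""

# Constructed sample: EAP-TLS machine authentication, the intended configuration.
EAP_TLS_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machineOnly</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
    <Config>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
       <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
      </EapType>
     </Eap>
    </Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>"""


def eap_method_chain(profile_xml):
    """Return the EAP types in the profile, outer method first (e.g. [25, 26])."""
    root = ET.fromstring(profile_xml)
    # iter() walks in document order, so the outer method precedes any inner one;
    # only the BaseEap-namespaced <Type> elements describe the method chain.
    return [int(el.text.strip()) for el in root.iter(f"{{{NS_BASEEAP}}}Type")]


def auth_mode(profile_xml):
    """Return the OneX authMode (machineOnly, machineOrUser, userOnly or guest)."""
    el = ET.fromstring(profile_xml).find(f".//{{{NS_ONEX}}}authMode")
    return el.text.strip() if el is not None and el.text else None


def assess_profile(profile_xml):
    """Name the method chain and say whether it is EAP-TLS or will stall under Credential Guard."""
    chain = eap_method_chain(profile_xml)
    blocked = [EAP_TYPE_NAMES.get(t, f"EAP type {t}") for t in chain if t in CREDENTIAL_GUARD_BLOCKED]
    if chain == [13]:
        verdict = "ok"
    elif blocked:
        verdict = "blocked-by-credential-guard"
    else:
        verdict = "not-eap-tls"
    return {
        "methods": [EAP_TYPE_NAMES.get(t, f"EAP type {t}") for t in chain],
        "authMode": auth_mode(profile_xml),
        "blocked": blocked,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # a real netsh export, which may carry a UTF-8 BOM
        with open(sys.argv[1], encoding="utf-8-sig") as f:
            print(assess_profile(f.read()))
    else:
        for name, xml in (("PEAP sample", PEAP_MSCHAPV2_PROFILE), ("EAP-TLS sample", EAP_TLS_PROFILE)):
            print(name, assess_profile(xml))
```

Run it against the exported XML from an affected machine; a result of `PEAP` followed by `EAP-MSCHAPv2` means the GPO is pushing PEAP, not EAP-TLS, and explains a Credential Guard client going silent after the outer TLS tunnel comes up, whereas `["EAP-TLS"]` with `machineOnly` is the profile this thread is trying to reach.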
Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

My apologies, I'm getting the sense the TAC engineer never did lab his client properly to begin with.

Thanks Tim, will keep you posted.
