New Contributor

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

I'm on 1803 with all the latest patches (including the October cumulative) and I'm still having the issue. The only difference is that it seems to be affecting mostly computers that have auto Windows login enabled. All my other computers have successful machine auth when they get to the Windows login prompt; however, for the ones that log in automatically to Windows I either get a timeout on ClearPass or even no machine auth attempt at all. It's like the client doesn't have enough time to initiate or complete the EAP transaction when autologin is enabled.

Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Update for everyone on this issue.

Working with Microsoft it appears the issue may be fixed as of Win10 1709 build 755. We updated 6 machines and tested after being off network all weekend and had zero issues with any of the PCs on the 755 build. One machine failed and sure enough was on a previous release (724).

We are quite hopeful this issue (in our case) is no longer a problem with 755 and future versions.

Good luck, would be interested to see if it also works for you.

Removing the above update as a further update to the full release of 755 (build 785) showed the problem again.

We are not testing a registry edit to disable the revocation check as Microsoft found an issue on that front in the latest trace files we provided.

Will update further next week as we should see if it works or not come Monday again.

Frequent Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Hi!

In our case I discovered that the management VLAN (source IP for RADIUS on the switch) had jumbo frames enabled. I disabled jumbo frames and it started working right away.

Logical because it would affect the frames, but strange since I saw all packets arriving at the client but the client never responded with the client cert. Only identity.

So I guess double-checking that the frames aren't affected in transport in some way is a tip.


ACMP | ACCP
Occasional Contributor I

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Hi,

I have the same issue. I tried changing the TLS version configuration in regedit and the result is similar.

I tried authenticating with EAP-PEAP and it works fine.

The CPPM policy works fine with other sites; the difference is that this site contacts the CPPM server using an IPsec tunnel between Palo Alto and FortiGate, while the other sites have IPsec tunnels between FortiGate firewalls.

Any idea?

Thanks
Regards

Frequent Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

It might be a packet fragment issue if it only affects that site.

Check if the Palo Alto firewall allows fragmented packets through the VPN.

https://community.cisco.com/t5/policy-and-access/ise-2-3-1-fragmentation-issue-eap-tls/td-p/3303539


ACMP | ACCP
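
One way to test the fragmentation theory raised in the posts above, as an added example that is not part of the original thread: probe the path toward the RADIUS server with Don't Fragment pings from a Windows host at the affected site. The function names are hypothetical and the target address is supplied by the operator; the sketch assumes ICMP echo is permitted along the path.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Sends single echo requests with the Don't Fragment bit set.
function Test-DfPing {
    param([string]$Target, [int]$PayloadSize)
    # ping.exe: -n 1 one echo, -w timeout in ms, -f set Don't Fragment, -l payload bytes
    $out = & ping.exe -n 1 -w 2000 -f -l $PayloadSize $Target 2>&1 | Out-String
    # An echo reply line carries "TTL="; a DF refusal or a timeout does not.
    return ($out -match 'TTL=')
}

# Returns the largest IPv4 packet size that crosses the path unfragmented.
function Get-PathMtu {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [int]$Low  = 500,    # assumed to pass on any working path
        [int]$High = 1472    # 1500-byte Ethernet MTU minus IPv4 (20) and ICMP (8) headers
    )
    if (-not (Test-DfPing -Target $Target -PayloadSize $Low)) {
        throw "No echo reply at $Low bytes; ICMP is filtered or $Target is unreachable."
    }
    # Binary search: $Low always holds a payload size that got a reply.
    while ($Low -lt $High) {
        $mid = $Low + (($High - $Low + 1) -shr 1)
        if (Test-DfPing -Target $Target -PayloadSize $mid) { $Low = $mid }
        else { $High = $mid - 1 }
    }
    return $Low + 28         # add the IPv4 and ICMP headers back
}

# Usage (address is the operator's RADIUS server as seen from this site):
#   Get-PathMtu -Target <radius-server-ip>
# A result below 1500 means full-size RADIUS datagrams carrying EAP-TLS
# certificate messages will be fragmented on this path, so every device
# in between (VPN, firewall, ONT) has to pass the fragments.
```

Raise `-High` to 8972 when checking whether a jumbo-frame segment is involved.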
Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Hi @VINCE00

I would like to know if there is a solution to your issue. I have the same...

Many thanks

Occasional Contributor II

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Sorry, I should have updated again sooner on a thread where others would see the same concerns.

All issues were resolved after moving to a later version of Win10. The biggest issues were due to the earlier builds of Win10, it appears; after version 1803 and later we started to see more of a delayed, slow logon than a flat-out failure to connect.

As of now on builds such as 1803 build 17134.765 and a number of prior releases we have not had any problems.

We also confirmed the Machine Authentication cache timeout was set at the default "24 hrs".

Lastly we added the following registry edit, which may also have helped in most cases:

Add the following registry key, and set it to value 1:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
ValueName: NoRevocationCheck
Type: REG_DWORD
Value: 1

Hope that helps, we have not had issues for a good time now. I'm curious if your Win10 deployment is also on older releases or fairly recent updates?
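
To keep track of where this workaround has been applied, the following added example (not part of the original post) reports the revocation-related values under the key given above on the local machine. The function name is hypothetical; `NoRevocationCheck` is the value from the post, and the other three names are the sibling values Microsoft documents for the same EAP-TLS key.

```powershell
# Added example (not from the thread). Function name is hypothetical.
# Reports EAP-TLS (EAP type 13) revocation-check overrides on this machine.
function Get-EapTlsRevocationOverride {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
    # NoRevocationCheck comes from the post; the rest are documented
    # sibling values under the same key.
    $names = 'NoRevocationCheck', 'NoRootRevocationCheck',
             'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline'

    # $props stays $null when the key itself does not exist.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    foreach ($name in $names) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) {
            $value = $props.$name
        }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            ValueName = $name
            Value     = $value            # $null means the value is not set
            Active    = ($value -eq 1)    # 1 switches the default check off or relaxes it
        }
    }
}

# Usage: list only the overrides that are in effect.
#   Get-EapTlsRevocationOverride | Where-Object Active
```

The output objects can be piped to `Export-Csv` when the function is run across several machines, which gives a list of hosts to revisit once the workaround is no longer needed.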

Occasional Contributor I

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

Hello,
I have already solved my problem. I finally assembled a model replicating the same scenario with the same equipment and discovered that the failure was in the operator's ONT: when the IPsec tunnel is established through a specific ONT model, it must lower the MTU a bit, and that must affect the traffic that goes inside the IPsec tunnel. It was a matter of changing the operator's ONT, and everything works correctly for me.
Now I have another problem, similar but not the same. In my scenario I have 2 CPPM servers, and the other day we simulated the failure of the primary. To our surprise, the EAP-TLS authentications that went to the subscriber timed out. We have narrowed the failure down to the switch (2930M) having two RADIUS servers configured, since if we leave only one (regardless of which one) it works correctly. As a curiosity, if we use EAP-PEAP it works correctly.

New Contributor

Re: Clearpass EAP-TLS Timeout _ Error code 9002 _ Client did not complete EAP Transaction

I have the same problem, but occasionally, in different geographies and in specific rooms. We are using 802.1X and EAP-TLS doesn't finish the authentication.

We are still trying to capture logs from switch to RADIUS to see what is going on.

Meanwhile the workarounds found are various: shutting down the docking stations, removing the cable from the network interface and plugging it in again, or removing the cable from the network interface, doing the 802.1X authentication in wireless mode and going back to cable again. So we believe this is a driver bug on the network interface.
