Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass TIMEOUT - Client did not complete EAP transaction

  • 1.  Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 07, 2019 09:19 AM

    Hello,

    I set up a corporate wireless network using personal certificates. The authentication works, but only on the second login. The process is:

    I connect a PC with WIN10 to the wireless network and enter the password for the personal certificate stored in the computer. On the PC I get the message: cannot connect to network. So when I do it again - connect to wifi and then enter the password - the connection is allowed and everything works fine. After disconnection it behaves the same way.

    In Access Tracker in ClearPass, for the first connection I get the message Time out, and in the detail for the RADIUS request it is Client did not complete EAP transaction. The second request is authorized correctly.

    Any idea how to solve it, please?

    We work with an Aruba controller 7200 with AOS 8.3.0.7 and ClearPass 6.8



  • 2.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 07, 2019 09:26 AM
    What do you mean by personal certificates?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 08, 2019 02:16 AM

    It is a certificate stored on a chip card; to access it I need to enter my own password. So when I connect to the wifi network I'm prompted for this password. As I wrote earlier, it works, but always on the second connection; the first one is dropped and in CPPM I see a timeout.



  • 4.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    EMPLOYEE
    Posted Nov 08, 2019 04:02 AM

    KamiB,

    Does the local machine trust the CA that issued the ClearPass RADIUS certificate?  If not, then even the first time, the user must click on "Accept" to accept the certificate while authenticating for the first time.  If the user is not quick enough the first time, the authentication will be dropped and retried.  You might be able to avoid this by importing the CA that issued the ClearPass certificate onto your clients.



  • 5.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 08, 2019 04:16 AM

    The ClearPass certificate is already imported on the local computer. There is no request for consent. I just see "check network requirements" and then "cannot connect to this network" during the first connection. During the second connection there is "check network requirements" and then "connected".



  • 6.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    EMPLOYEE
    Posted Nov 08, 2019 04:58 AM

    I would look into the full logs in the Access Tracker for a clue.



  • 7.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 08, 2019 05:07 AM

    Included.

    Thanks,

    Kami

    Attachment(s):
      • Allowed access.txt (21 KB)
      • Denied access.txt (16 KB)


  • 8.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    EMPLOYEE
    Posted Nov 08, 2019 07:53 AM

    It would seem that in the "Denied", the client does not respond to the access challenge in time, while in the "Accept" the client does respond with a certificate.  Does the client have "Validate Server Certificate" enabled?



  • 9.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 08, 2019 09:09 AM

    Yes, it is enabled. I tried to disable it or remove the certificate from the computer, and then I'm asked to approve the RADIUS server certificate. So the problem is probably not in the certificate.

    I know that during the first connection the data from the certificate are not sent to CPPM, but I don't know why. From the user's point of view both connections are the same; the only difference is the first is denied and the second accepted.



  • 10.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    EMPLOYEE
    Posted Nov 08, 2019 09:19 AM

    You mentioned before on the client certificate: "It is a certificate stored on a chip card; to access it I need to enter my own password."

    There should be no (significant) delays during the authentication. Could it be that the authentication times out while waiting for the password to unlock the client certificate on the chip card? Can you disable the PIN/password (temporarily) or get the certificate imported onto your computer instead of on the chip card?



  • 11.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 08, 2019 09:26 AM

    No, unfortunately I can neither disable the PIN on the smart card nor import the certificate; it is global company policy.



  • 12.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    EMPLOYEE
    Posted Nov 08, 2019 10:17 AM

    Can you verify whether it is the chip PIN that is causing the issue? For example, by unlocking your card first for another application that uses the same certificate? Or, if that is not possible, be ready to enter the PIN as quickly as possible to see if that keeps you within the timeout. I think it is important to find the source/root cause of the issue before you can find a solution.

    Also, please note that in general it is not recommended to put a network client certificate on a smart card if that smart card is not always available. If the card is also used to open doors and get in/out of the building, as soon as you remove the card there will be no network authentication possible, which may result in all kinds of issues with laptops not updating, not getting group policies, remote management, etc.
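The diagnosis in replies 8 and 12 comes down to one measurement: how long the client takes to answer the server's EAP challenge, and whether that gap exceeds the RADIUS server's EAP timeout. The script below is an added example, not code from the thread or from ClearPass; it runs over constructed event lines (the format is invented for illustration, not the Access Tracker export format) and flags the session whose client reply was delayed, as a PIN prompt would delay it. The 30-second timeout is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines (not ClearPass's real log format): a denied and an
# accepted EAP-TLS session. In the first, the client's reply carrying its
# certificate arrives 43.5 s after the challenge, as if stalled on a PIN prompt.
SAMPLE_LOG = """\
2019-11-08 05:01:00.000 sess=denied  srv Access-Challenge EAP-Request (TLS server certificate)
2019-11-08 05:01:43.500 sess=denied  cli Access-Request  EAP-Response (TLS client certificate)
2019-11-08 05:02:10.000 sess=allowed srv Access-Challenge EAP-Request (TLS server certificate)
2019-11-08 05:02:10.900 sess=allowed cli Access-Request  EAP-Response (TLS client certificate)
"""

LINE_RE = re.compile(r"^(\S+ \S+) sess=(\S+)\s+(srv|cli) (.*)$")


def parse_log(text):
    """Turn the constructed lines into (time, session, side, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an EAP event line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def client_response_delays(events):
    """Per session, the longest gap in seconds between a server challenge and
    the client's next response; a long gap is what produces the timeout."""
    pending, worst = {}, {}
    for ts, sess, side, _msg in sorted(events):
        if side == "srv":
            pending[sess] = ts
        elif side == "cli" and sess in pending:
            gap = (ts - pending.pop(sess)).total_seconds()
            worst[sess] = max(worst.get(sess, 0.0), gap)
    return worst


def stalled_sessions(events, eap_timeout_s=30.0):
    """Sessions whose client answered slower than the assumed EAP timeout."""
    delays = client_response_delays(events)
    return sorted(s for s, gap in delays.items() if gap > eap_timeout_s)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for sess, gap in client_response_delays(ev).items():
        print(f"{sess}: worst client delay {gap:.1f}s")
    print("stalled:", stalled_sessions(ev))
```

Run the same comparison against the real exported sessions: if the denied one shows a large challenge-to-response gap and the accepted one does not, the PIN prompt (or whatever the client is waiting on) is the root cause to address.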



  • 13.  RE: Clearpass TIMEOUT - Client did not complete EAP transaction

    Posted Nov 11, 2019 07:04 AM

    I researched the behavior during connecting again in detail. On the very first connection, when the computer has never been connected, everything goes as it should - after entering the password for the smart card certificate, the computer is allowed to connect to the network. When I disconnect it and immediately reconnect, it is still OK. The problem occurs when trying to connect after a long disconnection, when the user has been forgotten by the controller or manually deleted from the controller. Then it behaves as I wrote at the beginning: the first connection is refused because of the timeout and the second one is accepted.