Super Contributor II

Re: EAP-TLS session resumption issues

After lots of testing, it seems there is something buggy about the Windows 7 EAP supplicant. In all of my test cases, the Windows client always starts an EAP-TLS session by sending a Client Hello TLS message containing a session ID. When the server replies without a session ID, the RFC states that the client is supposed to establish a new session. There are multiple extensions to the EAP-TLS RFCs that suggest that a client can choose to terminate the session if a server is not capable of session resumption. This seems to be happening; however, Windows 7 doesn't generate the necessary SSL alerts in this case. I'm still at a loss as to why Windows 7 always tries to resume a session during 802.1X authentication. Mac OS X and Cisco IP Phones do not exhibit this behavior. In the end we have decided to enable Session Resumption on ClearPass. We are still awaiting testing from Aruba engineering to determine if there is anything wrong with the EAP exchanges with this feature disabled.
Super Contributor II

Re: EAP-TLS session resumption issues

Aruba TAC has confirmed this behaviour. Windows 7 for some reason will always send a session ID in an EAP-TLS request and, in the event that the server does not support resumption, will terminate the session and restart a new request with no session ID. This shows up as a "Client did not complete EAP" log in Access Tracker and will be recorded as a timeout. This can be overcome by enabling Session Resumption in the EAP-TLS method.
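The pattern TAC describes (client offers a session ID, server answers without one, client restarts) can be confirmed from a capture by comparing the session_id fields of the two Hello messages rather than waiting for the Access Tracker timeout. The following is an added example, not code from this thread or from Aruba: a small Python parser for the ClientHello/ServerHello session_id fields that classifies the exchange. The handshake bytes it builds are constructed for the demonstration; in a real capture the TLS records are the payload of the EAP-TLS packets.

```python
# Added example: classify an EAP-TLS exchange from the session_id fields of the
# ClientHello and ServerHello. Sample handshake bytes below are constructed.
import struct

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ClientHello (type 1) or ServerHello (type 2).
    Returns the handshake type, protocol version and the session_id field."""
    content_type, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello")
    # Layout: ProtocolVersion(2) + Random(32) + session_id<0..32>
    sid_len = hs[34]
    session_id = hs[35:35 + sid_len]
    return {"type": hs_type, "version": (hs[0], hs[1]), "session_id": session_id}

def classify_resumption(client_hello: bytes, server_hello: bytes) -> str:
    """Tell a resumed session from a full handshake from a rejected resumption."""
    c = parse_hello(client_hello)
    s = parse_hello(server_hello)
    if not c["session_id"]:
        return "full handshake (client did not ask to resume)"
    if s["session_id"] == c["session_id"]:
        return "resumed (server accepted the client's session ID)"
    # This is the Windows 7 case from the thread: the server does not echo the
    # session ID, and the supplicant restarts EAP instead of continuing.
    return "resumption rejected (server did not echo the session ID)"

def build_hello(hs_type: int, session_id: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (1) or ServerHello (2) record."""
    random_bytes = b"\x11" * 32                      # constructed, not random
    body = b"\x03\x03" + random_bytes + bytes([len(session_id)]) + session_id
    if hs_type == 1:
        body += b"\x00\x02\xc0\x2f" + b"\x01\x00"    # one cipher suite, null compression
    else:
        body += b"\xc0\x2f\x00"                      # chosen suite, null compression
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```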
New Contributor

Re: EAP-TLS session resumption issues

Hi, I am also facing this issue. Even with EAP-TLS Session Resumption enabled, after the NAD (switch) timeout of 5 minutes the session still cannot resume.

In my case, in front of the PC there is one LLDP-MED VoIP phone connected to the switch.

Without the VoIP phone, I do not face this problem.

New Contributor

Re: EAP-TLS session resumption issues

I did one more test scenario.

Remove the VoIP phone and insert one switch, then wait for the switch timeout of 5 minutes and plug in the cable again: it shows no EAP-TLS authentication timeout, and the PC gets an IP and is authenticated straight away.

So I suspect the VoIP phone causes the TLSv1.2 handshake from the PC (Client Hello) not to be sent out successfully.

The packet capture shows the PC not sending out the Client Hello, but the root cause could be related to the VoIP phone.

Guru Elite

Re: EAP-TLS session resumption issues

Guo Gang - Please open up a TAC case.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.