Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS Client did not complete EAP transaction Clearpass 6.3.1

  • 1.  RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:22 PM

    We have Clearpass 6.3.1 and Aruba 7210 with 6.4 on it. We are starting to see these timeouts more frequently in Clearpass. It is not completely stopping users from connecting; it just interrupts their connection for what seems like a random amount of time.

    I saw a previous thread about this where the users were constantly receiving this Alert, but since mine doesn't seem to be happening all the time I am wondering if I have a setting somewhere that I'm missing. It would be helpful if someone could point me in the right direction to at least troubleshoot the issue.

    My first guess is this has to do with our Clearpass server still using the default Aruba cert. I have not had the chance to dig in and find pointers on switching to our GoDaddy cert.


    #7210


  • 2.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    EMPLOYEE
    Posted May 15, 2014 01:24 PM

    Timeouts are often seen for the following reasons:

    • Client moves out of coverage area during EAP transaction
    • Driver issues
    • Certificate trust issues


  • 3.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 19, 2014 03:49 PM

    We are thinking this is related to the RADIUS Cert not being trusted.

    How would you recommend overcoming trust issues? We have a Self Signed Cert for our RADIUS Cert, which obviously is not trusted everywhere. The majority of hosts that connect are not on our domain, so we cannot make it a Trusted CA by GPO. Is there a preferred method for adding that trust quickly and/or without touching every computer that has the issue?

    Would it be best practice to get a certificate issued by GoDaddy (who we use for our Wildcard Cert) for the fully qualified address of our Clearpass server?

    Would changing that cert out make the clients that already connect have to accept the key? Even if it is a Trusted CA by default?



  • 4.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1
    Best Answer

    EMPLOYEE
    Posted May 19, 2014 03:53 PM
    The issue is not the certificate; the issue is how the client handles the certificate and trust chain. The only solution is to use a supplicant configuration utility like QuickConnect or XpressConnect or by using Group Policy or Profile Manager to configure the clients automatically.


  • 5.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    EMPLOYEE
    Posted May 19, 2014 05:18 PM
    Also remember that Windows does not accept a wildcard cert for .1x.


  • 6.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 20, 2014 06:02 PM

    So we have a self-signed cert on our Clearpass for the RADIUS cert. I can export this cert and install it on a Windows machine as a Trusted CA, which works well for accepting the cert without popping up asking if the server is trusted on the client.

    However, we are still seeing the same EAP Transaction error from the test clients. It seems to happen about every 10 minutes. This is happening on Win 7/8/8.1.

    Does Clearpass add the id-kp-eapOverLAN extension onto its self-signed certs? Is there a way to add it if not?
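
The certificate properties raised in posts 5 and 6 (a wildcard name, and whether the id-kp-eapOverLAN extended key usage is present) can be read from the RADIUS server certificate itself. The sketch below is an added example, not code from any poster or from ClearPass: it walks DER with the standard library only, the function names are made up for illustration, the sample bytes are a constructed extensions block rather than a real certificate, and it also reports serverAuth, which the thread does not mention.

```python
EKU_EXT, SAN_EXT = "2.5.29.37", "2.5.29.17"   # extendedKeyUsage, subjectAltName
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"             # id-kp-serverAuth
EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"           # id-kp-eapOverLAN (RFC 4334)

def tlvs(buf):
    """Yield (tag, value) for each DER element at one nesting level."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                            # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                        # last byte of this arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extensions(der_bytes):
    """Map extension OID -> extnValue bytes, searching nested constructed elements."""
    found = {}
    for tag, val in tlvs(der_bytes):
        if tag & 0x20:                          # constructed: inspect, then descend
            kids = list(tlvs(val))
            if tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                found[oid(kids[0][1])] = kids[-1][1]
            found.update(extensions(val))
    return found

def audit(der_bytes):
    """Report the EKU and SAN properties discussed in the thread."""
    ext = extensions(der_bytes)
    ekus = [oid(v) for _, seq in tlvs(ext.get(EKU_EXT, b"")) for _, v in tlvs(seq)]
    names = [v.decode() for _, seq in tlvs(ext.get(SAN_EXT, b"")) for t, v in tlvs(seq) if t == 0x82]
    return {"server_auth": SERVER_AUTH in ekus, "eap_over_lan": EAP_OVER_LAN in ekus,
            "wildcard_names": [n for n in names if n.startswith("*.")]}

# Constructed sample (not a real certificate): [3] extensions with EKU + wildcard SAN.
SAMPLE = bytes.fromhex(
    "a33b3039"
    "301d0603551d2504163014" "06082b06010505070301" "06082b0601050507030e"
    "30180603551d110411300f820d") + b"*.example.com"
```

For a real certificate, pass the output of `ssl.PEM_cert_to_DER_cert(pem_text)` to `audit`. Only subjectAltName dNSName entries are checked for wildcards, not the subject CN.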

     

     



  • 7.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 21, 2014 12:21 PM

    Sorry to double post but here is an update to the way I notice things happening. Generally if the computer is going to have an issue on this network connection it happens in the first few minutes of connection.

    After that, it requires being idle for a longer period of time. Seems to be longer than about 45-50 minutes.

    This makes me want to believe it is a client side issue, but I am not sure what I could possibly configure differently to minimize this issue.

    I want to believe it is related to the self-signed cert. However, these clients were all connecting fine using the previous self-signed cert.



  • 8.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:27 PM

    Have you tried the user-debug on the controller for the user that times out?



  • 9.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 01:37 PM

    Wow, I was just about to start a thread on this subject when I saw your post!

    I am having an issue with onboarded MacBooks authenticating with EAP-TLS to ClearPass 6.3. This issue appears to be isolated to MacBooks running 10.8 and 10.9 - other onboarded devices (iPads, iPhones, Android) have not exhibited this issue.

    The MacBooks are frequently failing to authenticate with EAP-TLS after being onboarded. ClearPass shows the authentication request as a timeout, giving the Error Code 9002 and the message "Client did not complete EAP transaction".

    Packet capture shows that the initial EAP identity request and response go through, the AP then sends the EAP-TLS/Start message and the MacBook does not respond with the TLS Client-Hello. Shortly after, the MacBook sends a disassociate frame. The frustrating thing is that often the MacBook will then immediately reassociate and perform a successful EAP-TLS authentication!

    This is not the result of the client moving out of range - the MacBook I was testing with was stationary and in the same room as the AP it was associated to.

    This seems like it could be an issue with Apple's supplicant (would not be the first), but is rather inconsistent. Some MacBooks have the issue, others do not.



  • 10.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 02:01 PM

    xdrewpjx,

    I am having this issue not only with Macbooks but also Windows 8.1 clients. I do not Onboard though. I too noticed the same packet sequence happening though now that I've gotten a few test machines to behave similarly.

    It's possible that the Cert may be the issue because I am using the Aruba Cert that is untrusted. My issue seems to happen when I set up wifi profiles instead of just connecting to the wifi like normal. Or randomly with Macs.



  • 11.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 15, 2014 02:42 PM

    Don't have any Windows 8.1 devices in this environment so I cannot speak to that. I do know that they require the id-kp-eapOverLAN extension in the RADIUS server cert. That could be your issue.

    In the case of the MacBooks I have observed, they never get far enough in the EAP process to receive and validate the RADIUS server cert.



  • 12.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted May 20, 2014 02:53 AM

    Hi xdrewpjx,

    I've actually seen a similar issue with a client using OSX. After much troubleshooting we found that it was the combination of having Bluetooth connected and trying to associate to ClearPass using EAP-TLS. As soon as we disabled Bluetooth on the MacBook Pro the client was able to connect.

    Regards,

    Chris



  • 13.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Sep 23, 2014 03:26 AM

    "Hi xdrewpjx,

    I've actually seen a similar issue with a client using OSX. After much troubleshooting we found that it was the combination of having Bluetooth connected and trying to associate to ClearPass using EAP-TLS. As soon as we disabled Bluetooth on the MacBook Pro the client was able to connect."

    I have the same problem. But I need the Bluetooth to be enabled.



  • 14.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Jan 29, 2015 09:30 PM

    Did anybody figure this out?

    Having this problem myself now with Windows 7 client, Aruba OS and Cisco switches. CPPM 6.4.2

    Initial packet fails (timeout on CPPM) but next auth succeeds.

    Scott



  • 15.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Jan 30, 2015 02:37 PM

    I cannot speak to Windows 7 issues, however I can provide an update to the issue with Macbooks.

    After working with Apple Support, we found that Mac clients which had been Onboarded (Single SSID onboarding) still had the PEAP credentials for the SSID in their Login keychain and that was causing an issue with the OS X supplicant. Deleting the 802.1X password (PEAP credentials) from the keychain resolved the issue.



  • 16.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1

    Posted Feb 05, 2015 04:34 PM

    We have a different issue then; my problem is with Win 7 and Cisco IP phone doing EAP-TLS. Will keep searching!

    Scott



  • 17.  RE: RADIUS Client did not complete EAP transaction Clearpass 6.3.1