Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS Timeout on some IAPs

  • 1.  RADIUS Timeout on some IAPs

    Posted Apr 02, 2019 12:51 AM

    We are getting a high amount of RADIUS Timeouts, but not on all IAPs(?!)

     

    Authentication is through CLEARPASS

     

    Test device is a Surface running Windows 10

     

    When connecting to AP1 (which is a VC) - the authentication request in Airwave is ACCEPT

    Authentication Method: EAP-PEAP,EAP-MSCHAPv2

    Authentication Source: AD:dc1.our.domain.com

     

    When connecting to AP2 - authentication request in Airwave is TIMEOUT

    Authentication Method: EAP

    Authentication Source: None

     

    Error Code: 9002

    RADIUS Client did not complete EAP transaction

     

    APs are the same model - Aruba AP 325

    Firmware/image is the same

    VLANs on respective switches are the same

    Dynamic Proxy is enabled for RADIUS and TACACS

     

    Other posts regarding this error seem to indicate a certificate issue, however this connection works fine on one AP and not another - so I think we can safely assume the certificate is valid.
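
A way to check the pattern described in this post against exported authentication records, as an added example that is not part of the original thread: it counts error-9002 timeouts per AP and lists clients that were accepted through one AP but timed out through another. The record layout, the `ap` and `client` fields and all sample values are assumptions constructed for illustration, not a ClearPass or AirWave export format.

```python
from collections import defaultdict

# Constructed sample records (not from the thread). "result", "method", "source"
# and "error" mirror the labels quoted in the post; "ap" and "client" are assumed.
def sample(ap, client, accepted):
    if accepted:
        return {"ap": ap, "client": client, "result": "ACCEPT",
                "method": "EAP-PEAP,EAP-MSCHAPv2",
                "source": "AD:dc1.our.domain.com", "error": None}
    return {"ap": ap, "client": client, "result": "TIMEOUT",
            "method": "EAP", "source": "None", "error": 9002}

RECORDS = [
    sample("AP1", "surface-01", True),
    sample("AP2", "surface-01", False),
    sample("AP2", "surface-01", False),
    sample("AP1", "laptop-07", True),
    sample("AP2", "laptop-07", True),
    sample("AP2", "phone-03", False),
]

def stalled(rec):
    """TIMEOUT with error 9002 where no inner method or source was recorded."""
    return (rec["result"] == "TIMEOUT" and rec["error"] == 9002
            and rec["method"] == "EAP" and rec["source"] in (None, "None"))

def per_ap_summary(records):
    """Count accepts, timeouts and stalled EAP exchanges per AP."""
    out = defaultdict(lambda: {"ACCEPT": 0, "TIMEOUT": 0, "stalled": 0})
    for r in records:
        if r["result"] in ("ACCEPT", "TIMEOUT"):
            out[r["ap"]][r["result"]] += 1
        out[r["ap"]]["stalled"] += stalled(r)
    return dict(out)

def split_clients(records):
    """Clients accepted through one AP but stalled through a different one."""
    ok, bad = defaultdict(set), defaultdict(set)
    for r in records:
        if r["result"] == "ACCEPT":
            ok[r["client"]].add(r["ap"])
        elif stalled(r):
            bad[r["client"]].add(r["ap"])
    return {c: {"accepted_on": sorted(ok[c]), "stalled_on": sorted(bad[c] - ok[c])}
            for c in ok if bad.get(c, set()) - ok[c]}

if __name__ == "__main__":
    for ap, counts in sorted(per_ap_summary(RECORDS).items()):
        print(ap, counts)
    print(split_clients(RECORDS))
```

Clients that only ever stall (such as the constructed `phone-03`) are left out of `split_clients`, because these records alone cannot separate an AP-side cause from a client-side one for them.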

     

     



  • 2.  RE: RADIUS Timeout on some IAPs

    EMPLOYEE
    Posted Apr 02, 2019 03:37 AM

    With regards to the 9002, that often happens when you have recently changed the radius server certificate and a human is not there to click on "accept" to the new cert on some clients.  It might not be your situation, but it is one of the situations.



  • 3.  RE: RADIUS Timeout on some IAPs

    Posted Apr 09, 2019 10:09 PM

    Thanks for the response, but it doesn't appear to be the case in this instance.



  • 4.  RE: RADIUS Timeout on some IAPs

    EMPLOYEE
    Posted Apr 10, 2019 08:39 AM
    How many ClearPass servers are there in your environment? Just one, or are there others?


  • 5.  RE: RADIUS Timeout on some IAPs

    Posted Apr 10, 2019 06:43 PM

    We have one ClearPass server and domain controller (NPS) as the secondary authentication server.



  • 6.  RE: RADIUS Timeout on some IAPs

    EMPLOYEE
    Posted Apr 12, 2019 10:25 AM

    Is the same Radius certificate installed on both servers (ClearPass and NPS)?



  • 7.  RE: RADIUS Timeout on some IAPs

    Posted Apr 14, 2019 10:02 PM

    No, the certificates are different.



  • 8.  RE: RADIUS Timeout on some IAPs

    Posted Apr 15, 2019 03:34 AM
    Please make sure that the client is accepting both certificates.
    Preferably you should use the same authentication backend and certificates for your primary and secondary authentication server.

    As already mentioned, it looks like the client isn't accepting the server-side certificate.


  • 9.  RE: RADIUS Timeout on some IAPs

    Posted Apr 15, 2019 07:08 PM

    The Root CA Certificate is the same on Airwave and the DC. The RADIUS/EAP Server Certificate was issued by our DC. 



  • 10.  RE: RADIUS Timeout on some IAPs

    Posted Mar 18, 2020 01:03 PM

    Did you ever find a solution for this?