Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

retracted

  • 1.  retracted

    Posted Sep 14, 2018 12:43 PM

    <os issues>



  • 2.  RE: retracted

    EMPLOYEE
    Posted Sep 14, 2018 12:47 PM
    Drivers up to date?


  • 3.  RE: retracted

    Posted Sep 14, 2018 12:50 PM

    <os issues>



  • 4.  RE: retracted

    EMPLOYEE
    Posted Sep 14, 2018 12:52 PM
    Do you have a packet capture from the device when it's occurring?


  • 5.  RE: retracted

    Posted Sep 14, 2018 12:57 PM

    <os issues>

     



  • 6.  RE: retracted

    Posted Oct 21, 2018 02:07 PM

    We've also seen this issue as we're starting to implement ClearPass. Our customer doesn't yet have a proper PKI in place, so I'm wondering if we could maybe use EAP-TTLS in the meantime? I remember that required only the server to have proper certificates?



  • 7.  RE: retracted

    Posted Oct 30, 2018 11:09 AM

    Hi!

     

    We are having a similar issue, but only on one site. Running 802.1X (EAP-TLS) on Aruba switches.

    The same client works on other sites. So I figured it was latency or dropped packets, but it's a pretty good connection with 25ms latency.

    My packet captures show pretty much the same as yours: the client never provides its cert. The client does ACK all the server's fragmented packets.

    If you find any solutions for your problems please post :), will certainly do the same.


    Running Win10 and ClearPass 6.7.3



  • 8.  RE: retracted

    Posted Oct 30, 2018 11:31 AM

    <os issues>



  • 9.  RE: retracted

    Posted Oct 31, 2018 04:58 AM

    Hey guys,

     

    This is a long shot, but I had an EAP timeout problem with my client in the office. No one else had this problem though.

    Anyway, I solved it by telling my computer to use TLS 1.0 by editing a reg file.

     

    I followed this guide:

    https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment

     

    And set the DWORD value to 0xC0.



  • 10.  RE: retracted

    Posted Oct 31, 2018 05:12 AM

    Hi!

     

    Yeah, I've tried that reg entry also; it didn't help me, sadly.

    Might help someone else here maybe.

    My problem is very strange since the client does work on our main site but not on this other site. Wifi at the other site works fine though; I'm only getting a timeout on wired 802.1X.

     

    Will check what version of OS the client is running and post.



  • 11.  RE: retracted

    Posted Oct 31, 2018 07:50 AM
    Had a similar (possibly same) issue. The issue was fixed after installing Microsoft Update kb4462933. https://support.microsoft.com/en-gb/help/4462933/windows-10-update-kb4462933


  • 12.  RE: retracted

    Posted Oct 31, 2018 11:52 AM

    <os issues>

     



  • 13.  RE: retracted

    Posted Oct 31, 2018 12:04 PM

    I'm on 1803 with all the latest patches (including the October cumulative) and I'm still having the issue. The only difference is that it seems to be affecting mostly computers that have automatic Windows login enabled. All my other computers have successful machine auth when they get to the Windows login prompt; however, for the ones that log in automatically to Windows I either get a timeout on ClearPass or even no machine auth attempt at all. It's like the client doesn't have enough time to initiate or complete the EAP transaction when autologin is enabled.



  • 14.  RE: retracted

    Posted Nov 14, 2018 04:48 PM

    <os issues>



  • 15.  RE: retracted

    Posted Nov 23, 2018 04:10 AM

    Hi!

     

    In our case I discovered that the management VLAN (source IP for RADIUS on the switch) had jumbo frames enabled. I disabled jumbo frames and it started working right away.

    Logical, because it would affect the frames, but strange since I saw all packets arriving at the client but the client never responded with the client cert. Only identity.

    So I guess a tip is to double check that the frames aren't affected in transport some way.



  • 16.  RE: retracted

    Posted May 09, 2019 02:37 PM

    Hi,


    I have the same issue. I tried to change the configuration of the TLS version in regedit and it is similar.

    I tried to authenticate with EAP-PEAP and it works fine.

    The CPPM policy works fine with other sites; the difference is that this site contacts the CPPM server using an IPsec tunnel between a Palo Alto and a Fortigate, while the other sites have IPsec tunnels between Fortigate firewalls.

    Any idea?

    Thanks
    Regards



  • 17.  RE: retracted

    Posted May 10, 2019 03:13 AM

    It might be a packet fragmentation issue if it only affects that site.

    Check if the Palo Alto firewall allows fragmented packets through the VPN.

     

    https://community.cisco.com/t5/policy-and-access/ise-2-3-1-fragmentation-issue-eap-tls/td-p/3303539

     

     



  • 18.  RE: retracted

    Posted Jun 28, 2019 02:28 AM
    Hello,
    I have already solved my problem. I finally assembled a model replicating the same scenario with the same equipment and discovered that the failure was in the operator's ONT: when it establishes the IPsec tunnel through a specific ONT model, it must lower the MTU a bit, which must affect the traffic that goes inside the IPsec. It was a matter of changing the operator's ONT and everything works correctly for me.
    Now I have another problem, similar but not the same. In my scenario I have 2 CPPM, and the other day we simulated the failure of the principal; to our surprise, the EAP-TLS authentications that went to the subscriber timed out. We have narrowed the failure down to the switch (2930M) having two RADIUS servers configured, since if we leave only one (regardless of which one) it works correctly. As a curiosity, if we use EAP-PEAP it works correctly.
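An added example, not from this thread or from ClearPass, that models the fragmentation/MTU failure described in posts 15, 17 and 18: each side's TLS flight is cut into EAP-TLS fragments, each fragment is relayed inside a RADIUS datagram, and a datagram larger than the path MTU must be IP-fragmented, so a tunnel that lowers the MTU or a firewall that drops IP fragments silently loses it. The TLS flight sizes, the per-side fragment sizes, the extra RADIUS attribute bytes and the 1400-byte tunnel MTU are assumed sample values; only the header sizes are protocol constants.

```python
from math import ceil

# Fixed header sizes from the IPv4, UDP, RADIUS, EAP and EAP-TLS formats.
IP_HDR, UDP_HDR, RADIUS_HDR = 20, 8, 20
ATTR_HDR = 2            # type + length byte on every RADIUS attribute
EAP_MESSAGE_MAX = 253   # value bytes per EAP-Message attribute (255 - 2)
EAP_HDR, EAP_TLS_HDR = 4, 2     # code/id/length; type(13)/flags
EAP_TLS_LEN_FIELD = 4   # total TLS length, only on the fragment with the L flag

def eap_tls_fragments(tls_flight_len, frag_size):
    """EAP packet lengths carrying one TLS flight in chunks of frag_size
    TLS bytes; only the first fragment carries the 4-byte length field."""
    lens, remaining, first = [], tls_flight_len, True
    while remaining > 0:
        chunk = min(frag_size, remaining)
        lens.append(EAP_HDR + EAP_TLS_HDR + (EAP_TLS_LEN_FIELD if first else 0) + chunk)
        remaining, first = remaining - chunk, False
    return lens

def radius_ip_len(eap_len, other_attr_bytes):
    """IPv4 datagram length of a RADIUS packet carrying one EAP packet split
    over EAP-Message attributes plus other_attr_bytes of other attributes."""
    n_attrs = ceil(eap_len / EAP_MESSAGE_MAX)
    return IP_HDR + UDP_HDR + RADIUS_HDR + n_attrs * ATTR_HDR + eap_len + other_attr_bytes

def ip_fragments_needed(ip_len, path_mtu):
    """IP fragments a datagram needs on a path with the given MTU
    (fragment payload is a multiple of 8 bytes)."""
    if ip_len <= path_mtu:
        return 1
    per_fragment = ((path_mtu - IP_HDR) // 8) * 8
    return ceil((ip_len - IP_HDR) / per_fragment)

def analyze_direction(tls_flight_len, frag_size, other_attr_bytes, path_mtu, fragments_pass):
    """Summarize one direction of the RADIUS-relayed EAP-TLS handshake: whether
    any datagram needs IP fragmentation and whether it is delivered when the
    path (tunnel or firewall) does or does not pass IP fragments."""
    ip_lens = [radius_ip_len(l, other_attr_bytes)
               for l in eap_tls_fragments(tls_flight_len, frag_size)]
    needs_frag = any(ip_fragments_needed(l, path_mtu) > 1 for l in ip_lens)
    return {"eap_fragments": len(ip_lens), "largest_datagram": max(ip_lens),
            "needs_ip_fragmentation": needs_frag,
            "delivered": fragments_pass or not needs_frag}

if __name__ == "__main__":
    # Assumed sample values: server flight 3500 B in 1002-B fragments (+36 B State
    # and Message-Authenticator), client flight 2200 B in 1398-B fragments (+150 B
    # of NAS attributes), over an IPsec tunnel with a 1400-byte effective MTU.
    print("server->client", analyze_direction(3500, 1002, 36, 1400, False))
    print("client->server", analyze_direction(2200, 1398, 150, 1400, False))
```

With these assumed sizes the server's Access-Challenge datagrams stay under the MTU while the client's first certificate fragment produces a 1618-byte Access-Request, which matches the pattern in the thread: server fragments reach the client, the client cert never reaches the server, and PEAP (no client certificate flight) keeps working.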


  • 19.  RE: retracted

    EMPLOYEE
    Posted Jun 25, 2019 03:58 PM

    Hi @VINCE00

     

    I would like to know if there is a solution to your issue. I have the same...

     

    Many thanks



  • 20.  RE: retracted

    Posted Jun 25, 2019 04:55 PM

    <OS issues>



  • 21.  RE: retracted

    Posted Sep 16, 2019 06:54 AM

    I have the same problem, but occasionally, in different geographies and in specific rooms. We are using 802.1X and EAP-TLS doesn't finish the authentication.

     

    We are still trying to catch logs from the switch to the RADIUS server to see what is going on.

     

    Meanwhile the workarounds found are various: shut down the docking station, remove the cable from the network interface and plug it in again, or remove the cable from the network interface, do the 802.1X authentication in wireless mode and go back to the cable again. So we believe this is a driver bug on the network interface.