Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

windows 8 client eap-tls

  • 1.  windows 8 client eap-tls

    Posted Feb 04, 2013 05:28 AM

    Hello,

    When I connect an EAP-TLS user with a Windows 8 client, the client won't connect, but the RADIUS logs show that the user has been authenticated.

    With PEAP it works fine; only with TLS it doesn't.

    On Windows 7 / XP and other clients everything works fine.

    Is there something specific to Windows 8 that I need to be aware of?

    Thanks.

     



  • 2.  RE: windows 8 client eap-tls

    EMPLOYEE
    Posted Feb 04, 2013 06:18 AM

    There are many reasons why this could happen.

     

    On the command line of the Aruba Controller, type "show auth-tracebuf mac <mac address of client>" to see the RADIUS exchanges between the client and the RADIUS server.



  • 3.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 06:20 AM

    OK, I will check, but is there something known about EAP-TLS?



  • 4.  RE: windows 8 client eap-tls

    EMPLOYEE
    Posted Feb 04, 2013 06:25 AM

    It should work.  Has it ever worked?  How do you distribute the certificate to the client?



  • 5.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 06:26 AM

    It works with Windows 7: same user, same certificate in the same local store; the only difference is the Windows version.

    Both are in the domain.

     



  • 6.  RE: windows 8 client eap-tls

    EMPLOYEE
    Posted Feb 04, 2013 06:28 AM

    If the RADIUS server accepts it, you should type "show auth-tracebuf mac <mac address of client>" on the command line of the controller to see why it is possibly not working.

     



  • 7.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 07:09 AM

    Same result as in ClearPass: RADIUS accept.

    Very strange.

    Feb  4 13:08:26  eap-id-req            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   5
    Feb  4 13:08:26  eap-id-resp           ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   29    bllalala@blllaaa.com
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            92  226
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  92  76
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   6
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   109
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  336
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  1112
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   1034
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  233
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  1108
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   1030
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  233
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  1108
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   1030
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  233
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  538
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   466
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   1492
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  1729
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  76
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   6
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   584
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  815
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  1112
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  1034
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  233
    Feb  4 13:08:26  rad-accept            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  265
    Feb  4 13:08:26  eap-success           <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  4
    Feb  4 13:08:26  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
    Feb  4 13:08:27  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
    Feb  4 13:08:28  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
    Feb  4 13:08:29  station-down           *  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   -



  • 8.  RE: windows 8 client eap-tls
    Best Answer

    EMPLOYEE
    Posted Feb 04, 2013 08:14 AM

    @shpapy wrote:

    Same result as in ClearPass: RADIUS accept.

    Very strange.

    Feb  4 13:08:26  eap-id-req            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   5
    Feb  4 13:08:26  eap-id-resp           ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   29    bllalala@blllaaa.com
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            92  226
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  92  76
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   6
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            4   109
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  336
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  93  1112
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   1034
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            5   6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  233
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  94  1108
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   1030
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            6   6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  233
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  96  1108
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   1030
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            7   6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  233
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  97  538
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   466
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            8   1492
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  1729
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  95  76
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   6
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            9   584
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  815
    Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  98  1112
    Feb  4 13:08:26  eap-req               <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  1034
    Feb  4 13:08:26  eap-resp              ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  6
    Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  233
    Feb  4 13:08:26  rad-accept            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  265
    Feb  4 13:08:26  eap-success           <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  4
    Feb  4 13:08:26  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
    Feb  4 13:08:27  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
    Feb  4 13:08:28  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
    Feb  4 13:08:29  station-down           *  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   -


    For some reason, your client is not completing the key exchange.  The last 4 lines of the conversation should look like this:

     

    May 12 00:56:22 wpa2-key1 <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 117
    May 12 00:56:22 wpa2-key2 -> 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 135
    May 12 00:56:22 wpa2-key3 <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 151
    May 12 00:56:22 wpa2-key4 -> 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 95

     

    What is the wireless adapter and driver of your card?
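The trace in reply 7 ends with wpa2-key1 sent three times and no wpa2-key2 from the client, which is what "not completing the key exchange" looks like in this output: RADIUS accept and EAP-Success are there, the 4-way handshake never starts. As an added example (not an Aruba tool and not code posted by anyone in this thread), the following Python parses `show auth-tracebuf` lines and reports the first stage that is missing. The column layout is assumed from the samples posted above; in the healthy sample the `rad-accept` and `eap-success` lines are constructed, the key1..key4 tail is the one shown in this reply.

```python
"""Classify where an 802.1X association stalls, from Aruba controller
'show auth-tracebuf' output.

Added example (not an Aruba tool and not code posted in this thread).
Assumed column layout, inferred from the samples in the thread:
  <Mon> <day> <time> <event> <dir> <client-mac> <bssid>[/<radius-server>] <id> <len> [extra]
Directions: '<-' controller to client, '->' client to controller, '*' state event.
"""
from collections import Counter

# Trace as posted in reply 7 above, trimmed to the lines that decide the outcome.
FAILING_TRACE = """\
Feb  4 13:08:26  eap-id-req            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   5
Feb  4 13:08:26  eap-id-resp           ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            3   29    bllalala@blllaaa.com
Feb  4 13:08:26  rad-req               ->  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            92  226
Feb  4 13:08:26  rad-resp              <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  92  76
Feb  4 13:08:26  rad-accept            <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68/idcsrv309  99  265
Feb  4 13:08:26  eap-success           <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            10  4
Feb  4 13:08:26  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:27  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:28  wpa2-key1             <-  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   117
Feb  4 13:08:29  station-down           *  ec:55:f9:5e:1d:ca  d8:c7:c8:ec:ce:68            -   -
"""

# Healthy ending as shown in reply 8 (MACs as posted there). The first two
# lines (rad-accept, eap-success) are constructed so the sample is complete.
HEALTHY_TRACE = """\
May 12 00:56:22 rad-accept <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe/srv 7 200
May 12 00:56:22 eap-success <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe 7 4
May 12 00:56:22 wpa2-key1 <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 117
May 12 00:56:22 wpa2-key2 -> 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 135
May 12 00:56:22 wpa2-key3 <- 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 151
May 12 00:56:22 wpa2-key4 -> 00:15:00:da:be:ef 00:0b:86:da:ca:fe - 95
"""


def parse_trace(text):
    """Split each trace line into a record; lines with too few columns are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        month, day, clock, event, direction, client, nas = parts[:7]
        bssid, _, server = nas.partition("/")   # 'bssid/idcsrv309' carries the RADIUS server
        records.append({
            "time": f"{month} {day} {clock}",
            "event": event,
            "dir": direction,
            "client": client,
            "bssid": bssid,
            "server": server or None,
            "id": parts[7],
            "len": parts[8],
            "extra": " ".join(parts[9:]),      # e.g. the identity in eap-id-resp
        })
    return records


def diagnose(records):
    """Walk the stages of a WPA2-Enterprise association and report the first one missing.

    Stages: RADIUS Access-Accept -> EAP-Success -> 4-way handshake (key1..key4).
    A client that never answers wpa2-key1 with wpa2-key2 authenticated at the
    RADIUS layer but did not complete the key exchange; that is the pattern in
    the thread's trace.
    """
    counts = Counter(r["event"] for r in records)
    if "rad-accept" not in counts:
        stage = "no-radius-accept"
    elif "eap-success" not in counts:
        stage = "accept-without-eap-success"
    elif "wpa2-key2" not in counts:
        stage = "stalled-at-key1"          # controller sent key1, client never replied
    elif "wpa2-key4" not in counts:
        stage = "stalled-at-key3"          # client sent key2 but never confirmed with key4
    else:
        stage = "complete"
    return {
        "stage": stage,
        "key1_retries": max(counts["wpa2-key1"] - 1, 0),   # retransmissions of message 1
        "station_down": counts["station-down"] > 0,
        "identity": next((r["extra"] for r in records if r["event"] == "eap-id-resp"), None),
    }


if __name__ == "__main__":
    for name, trace in (("failing", FAILING_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, diagnose(parse_trace(trace)))
```

Run against the posted trace it reports `stalled-at-key1` with two key1 retransmissions and a station-down, against the healthy tail `complete`. Separating the RADIUS stage from the handshake stage this way is what lets you say "the server side is fine, look at the client" rather than re-checking ClearPass.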

     



  • 9.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 08:20 AM

    It's a Dell half card on Windows 8 with regular drivers.

    I will try older drivers now.

     



  • 10.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 08:07 AM

    After successful 802.1X authentication, the client will initiate its DHCP request.   Since you say it works with Windows 7, it sounds as though you have your VLANs and DHCP working.   Any chance that Windows 8 client has a static IP set on its wireless NIC?  

     

    Two things to try/troubleshoot:

    1) Try connecting this Windows 8 system using PEAP-MSCHAPv2 and see if it can get in that way.    

    2) Connect it to another network (Open or PSK).   When you see the client in the user table, select it and choose "debug".  While debugging, have the client connect to the 802.1X network using EAP-TLS and post the resulting logs.



  • 11.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 08:11 AM

    1) Try connecting this Windows 8 system using PEAP-MSCHAPv2 and see if it can get in that way. --> Working fine using AD credentials only.

    2) Connect it to another network (Open or PSK). --> Working fine with our guest network; I will see about the logs.



  • 12.  RE: windows 8 client eap-tls

    EMPLOYEE
    Posted Feb 04, 2013 08:34 AM

    Card model and driver date?


  • 13.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 08:54 AM

    The card is a Broadcom from a Dell Latitude E6520.

    BCM43X

    Driver date 13.3.2012

    Driver version 5.100.245.20

    I tried several other drivers as well.

     

     



  • 14.  RE: windows 8 client eap-tls

    EMPLOYEE
    Posted Feb 04, 2013 09:16 AM

    Please turn RAS tracing on, if that Windows 8 device will let you, like the KB article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-77

     

    Collect the logs and see if it gives you a clue as to what is happening on the client.

     



  • 15.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 09:44 AM

    I will try now to enable the logs and see what is going on.

    Thanks.

     



  • 16.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 10:03 AM

    The main thing that I see is "eaptls no extensions are available".

    Does it mean something?

    Thanks.



  • 17.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 10:07 AM

    Can you confirm the certificate has the key usage "Client Authentication"?



  • 18.  RE: windows 8 client eap-tls

    Posted Feb 04, 2013 10:12 AM

    Yes, the certificate is OK (tested it on a Windows 7 machine).

    I'm using

    1.3.6.1.5.5.7.3.2

    The exact error: "TLS extensions tags are not present". This comes from the file rastls.log.
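Reply 17 asks about the "Client Authentication" key usage and reply 18 gives its OID, 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth). As an added example, not from the thread or from any vendor tool, the following standard-library Python decodes the DER value of an Extended Key Usage extension and checks that this OID is listed. The extension values in the block are constructed samples, not bytes from any real certificate; on a real certificate the same OID list is printed by `certutil -dump` on Windows or `openssl x509 -text`.

```python
"""Decode the DER value of an X.509 Extended Key Usage (EKU) extension and
check that it lists id-kp-clientAuth (1.3.6.1.5.5.7.3.2), the OID named in
the thread.  Pure standard library.  Added example; the EKU bytes below are
constructed, not taken from any real certificate."""

ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Constructed sample EKU extension values (the contents of extnValue):
# SEQUENCE { OBJECT IDENTIFIER ... }.
EKU_CLIENT_ONLY = bytes.fromhex("300a06082b06010505070302")
EKU_SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
EKU_SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")
# Microsoft smart card logon (1.3.6.1.4.1.311.20.2.2): arc 311 needs two bytes (82 37).
EKU_SMARTCARD_ONLY = bytes.fromhex("300c060a2b060104018237140202")


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    if not value:
        raise ValueError("empty OID")
    if value[-1] & 0x80:
        raise ValueError("truncated OID arc")
    arcs, acc = [], 0
    for b in value:                        # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]                        # first byte packs two components as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(ext_value):
    """Parse an EKU extension value (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid_bytes, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE contains a non-OID element")
        oids.append(decode_oid(oid_bytes))
    return oids


def allows_client_auth(ext_value):
    """True when the EKU lists id-kp-clientAuth, the usage EAP-TLS client certificates need."""
    return ID_KP_CLIENT_AUTH in decode_eku(ext_value)


if __name__ == "__main__":
    for name, eku in (("client only", EKU_CLIENT_ONLY), ("server only", EKU_SERVER_ONLY),
                      ("server+client", EKU_SERVER_AND_CLIENT), ("smart card only", EKU_SMARTCARD_ONLY)):
        print(f"{name:15} {decode_eku(eku)} client-auth={allows_client_auth(eku)}")
```

A certificate whose EKU carries only serverAuth or only a vendor-specific usage decodes cleanly but fails `allows_client_auth`, which is the check reply 17 is asking the poster to perform.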

     

     



  • 19.  RE: windows 8 client eap-tls

    Posted Feb 05, 2013 06:43 AM

    I have installed 3 new Windows 8 machines; all have the same problem.

    Seems like something specific to Windows 8, since the SAME certificate works on Windows XP/7 with the same combination of user\pass.

    Any ideas will be appreciated.

     



  • 20.  RE: windows 8 client eap-tls

    Posted Feb 06, 2013 11:05 AM

    The client trace gives all the time flags of LM; I don't understand why the message is being fragmented.

    In Windows 7 it's not.



  • 21.  RE: windows 8 client eap-tls

    Posted Feb 08, 2013 03:48 AM

    Quick update on the case, in case someone is interested.

    Yesterday we had a visit from an Aruba NL SE in our offices; he provided some additional devices to check the issue with Windows 8. The following tests were made.

     

    1. Replace AP-105 with Instant AP to mitigate an AP issue -> failed; result is the same, Windows 8 client cannot connect.
    2. Import new root CA / create new user CA via Onboard on our production environment (these CAs were provided by Aruba NL and were tested before with Windows 8) to mitigate a certificate problem -> failed; result is the same.
    3. Import our root CA into the Aruba.nl CPPM to mitigate a certificate problem -> failed; result is the same, Windows 8 client cannot connect.
    4. Changing AP-105 from bridge to tunnel -> failed; result is the same.
    5. Using a different test CPPM, version 6.0.2 (Aruba.nl), with our certificates works fine, but the controller version used was higher. We checked the release notes and couldn't find anything related to EAP-TLS in the notes, therefore we don't think the controller requires an upgrade. I will set up a new CPPM machine next week and re-test.


  • 22.  RE: windows 8 client eap-tls

    EMPLOYEE
    Posted Feb 04, 2013 10:05 AM

    What are the exact log messages?