Wireless Access

Hi all,

We are encountering a strange problem in one of our buildings. The building has IAP225 (about 20) in a cluster. Clearpass is configured.

With a latest generation ipad mini, we try to connect to a EAP-PEAP enabled SSID. We use a username and password. Clearpass verifies the credentials and returns the VLAN name to the IAP virtual controller.

This works, the ipad is placed in the correct subnet and can work. However, it seems (?) while walking around (roaming) something goes wrong. (this is an educated guess)

The ipad tries to connect to the SSID, it takes a long time, and after a while returns an error stating the password was wrong. The password was definently not wrong. In clearpass, when checking the access tracker, we see a time-out (please see below).

When the ipad doesn't move around in the building, the problem doesn't occur... Any ideas on what might cause this? OKC is enabled.

Error Code: 
9002
Error Category: 
RADIUS protocol
Error Message: 
Request timed out
 Alerts for this Request 
RADIUS Client did not complete EAP transaction

Error Code: 
9002
Error Category: 
RADIUS protocol
Error Message: 
Request timed out
 Alerts for this Request 
RADIUS Client did not complete EAP transaction

Question:  Did you recently change the radius server certificate on ClearPass?

Yes, not that long ago, why?

That message typically occurs when a device that has been connecting has not "accepted" the new radius server certificate.  If you can Forget the wireless network and rejoin and accept the certificate, that might rule that out.

While connecting the ipad asks to trust the certificate of the clearpass server. We have always accepted. 

Does it ask you to trust it every time?

Yes it does!

But it did not do that before you changed server certificates?

Thanks for your help!

In fact, the first time we tried to connect the ipad was AFTER we changed the certificates. But indeed, it seems it keeps asking to trust the clearpass certificate.