Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

[MacOS 10.14b6] Client did not complete EAP transaction

This thread has been viewed 10 times

  • 1.  [MacOS 10.14b6] Client did not complete EAP transaction

    Posted Aug 14, 2018 05:26 PM

    Hello all, brand new to ClearPass here, and I have been having a great time learning from training and the posts here.

     

    I am having some issues with Macs and how they are connecting to ClearPass in my tests. I was hoping to have this ironed out by the end of the month so I could move ClearPass into production. 

     

    I am getting these Timeout errors that alert me that the client did not complete the EAP trasnaction. This doesn't happen for every device, and at this point it only happens on Macs. I know this particular instance is on a beta version, which may be the issue. But I will still go ahead with posting this, as I would like to see if anyone else has had similar issues.

     

    I do have a valid cert signed by Comodo, and it works on every other device. Has anyone else seen this behavior or know of a way to solve it?

     

    Thank you for any input!

     

    Below is a log if it helps out anyone:

     

    2018-08-14 15:58:23,329[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 170:288:3c-15-c2-b8-df-62
    2018-08-14 15:58:23,333[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - Service Categorization time = 4 ms
    2018-08-14 15:58:23,333[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "Cisco 802.1X Wireless Service"
    2018-08-14 15:58:23,333[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_ldap: searching for user dwenger5 in AD:172.30.5.10
    2018-08-14 15:58:23,333[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-904 h=223 r=R0000018d-01-5b73426f] INFO Core.ServiceReqHandler - Service classification result = Cisco 802.1X Wireless Service
    2018-08-14 15:58:23,334[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_ldap: found user dwenger5 in AD:172.30.5.10
    2018-08-14 15:58:23,334[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - LDAP/AD User lookup time = 1 ms
    2018-08-14 15:58:23,334[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_eap_peap: Initiate
    2018-08-14 15:58:23,334[Th 40 Req 4137 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 170:88:3c-15-c2-b8-df-62:ACYAdgADABwpEAAARb/97+cgR/Zs0VKnh1iFsA==
    2018-08-14 15:58:23,342[Th 33 Req 4138 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Cisco 802.1X Wireless Service" - 171:478:3c-15-c2-b8-df-62
    2018-08-14 15:58:23,344[Th 33 Req 4138 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2018-08-14 15:58:23,344[Th 33 Req 4138 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2018-08-14 15:58:23,344[Th 33 Req 4138 SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 171:1124:3c-15-c2-b8-df-62:ALMANwDKAOsqEAAAn2S3IBevflCbC1Hl6yCxCg==
    2018-08-14 15:59:14,392[main SessId R0000018d-01-5b73426f] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R0000018d-01-5b73426f, state - ALMANwDKAOsqEAAAn2S3IBevflCbC1Hl6yCxCg=
    2018-08-14 15:59:14,393[main SessId R0000018d-01-5b73426f] ERROR RadiusServer.Radius - reqst_clean_list: Packet 170:288:88:3c-15-c2-b8-df-62 recv 1534280303.329607 - resp 1534280303.334912
    2018-08-14 15:59:14,393[main SessId R0000018d-01-5b73426f] ERROR RadiusServer.Radius - reqst_clean_list: Packet 171:478:1124:3c-15-c2-b8-df-62 recv 1534280303.342298 - resp 1534280303.344421
    2018-08-14 15:59:14,393[main SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 3c15c2b8df62
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2018-08-14 15:59:14,395[RequestHandler-1-0x7f3cc8fe7700 r=psauto-1533056969-906 h=239 r=R0000018d-01-5b73426f] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2018-08-14 15:59:14,396[RequestHandler-1-0x7f3cc8fe7700 h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2018-08-14 15:59:14,396[RequestHandler-1-0x7f3cc8fe7700 h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
    2018-08-14 15:59:14,396[RequestHandler-1-0x7f3cc8fe7700 h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
    2018-08-14 15:59:14,396[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2018-08-14 15:59:14,398[AuthReqThreadPool-25-0x7f3d931f8700 r=R0000018d-01-5b73426f h=74] ERROR ExtDB.DBQuery - ResultSet is empty
    2018-08-14 15:59:14,398[AuthReqThreadPool-25-0x7f3d931f8700 r=R0000018d-01-5b73426f h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Category, Device Name]
    2018-08-14 15:59:14,399[RequestHandler-1-0x7f3cc8fe7700 h=7795 c=R0000018d-01-5b73426f] INFO Core.PETaskRoleMapping - Roles: EAP-PEAP
    2018-08-14 15:59:14,399[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
    2018-08-14 15:59:14,399[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
    2018-08-14 15:59:14,400[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7797 c=R0000018d-01-5b73426f] ERROR Core.PETaskPolicyResult - handleHttpResponseEv: All policy result cache lookups failed
    2018-08-14 15:59:14,400[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
    2018-08-14 15:59:14,400[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 h=7798 c=R0000018d-01-5b73426f] INFO Core.PETaskEnforcement - EnfProfiles: Cisco Wireless Location Update, Update Endpoint Known], Cisco Onboarding VLAN182
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskRadiusEnfProfileBuilder **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskAgentEnfProfileBuilder **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
    2018-08-14 15:59:14,401[RequestHandler-1-0x7f3cc8fe7700 h=7804 c=R0000018d-01-5b73426f] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 h=7801 c=R0000018d-01-5b73426f] WARN Common.AppEnfProfileTable - getAppType: Failed for id=3004
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 h=7801 c=R0000018d-01-5b73426f] WARN Common.AppEnfProfileTable - getAppType: Failed for id=51
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 h=7799 c=R0000018d-01-5b73426f] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 h=7799 c=R0000018d-01-5b73426f] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Cisco Onboarding VLAN182
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 h=7799 c=R0000018d-01-5b73426f] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 10800
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskAgentEnfProfileBuilder **
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
    2018-08-14 15:59:14,402[RequestHandler-1-0x7f3cc8fe7700 h=7805 c=R0000018d-01-5b73426f] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - Post auth enforcement profiles used: Cisco Wireless Location Update, Update Endpoint Known]
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - UnknownAutzParams to fetch for PostAuthEnfProfiles: :
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - UnknownNAutzParams to fetch for PostAuthEnfProfiles: : Radius:IETF:Calling-Station-Id, Radius:IETF:NAS-IP-Address
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - Discarding attr name=Endpoint:Last Known Location|attr value=172.30.11.90:3c-15-c2-b8-df-62 as the entity = 3c15c2b8df62 already possesses this value
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 3c15c2b8df62
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - Discarding attr name=Status-Update:Endpoint|attr value=Known as the entity = 3c15c2b8df62 already possesses this value
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthHTTPRequest: Sending PostAuthEnfRequest {"content":{"auth_source_id":0,"mac_address":"3c15c2b8df62","nas_ip":"172.30.11.90","post_auth_actions":{"enf_profile_name":"Cisco Wireless Location Update","enf_profile_type":"EntityUpdate","params":null},{"enf_profile_name":"Update Endpoint Known]","enf_profile_type":"EntityUpdate","params":null}],"user_id":"dwenger5"},"id":"R0000018b-01-5b733d66","name":"pactrl_enf_request"}
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7803 c=R0000018d-01-5b73426f] INFO Core.PETaskPostAuthEnfProfileBuilder - sendPostAuthResponse: Done sending the PostAuthEnfRequest
    2018-08-14 15:59:14,403[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder **
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7800 c=R0000018d-01-5b73426f] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
    2018-08-14 15:59:14,404[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
    2018-08-14 15:59:14,407[RequestHandler-1-0x7f3cc8fe7700 h=7807 c=R0000018d-01-5b73426f] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2018-08-14 15:59:14,407[RequestHandler-1-0x7f3cc8fe7700 h=7807 c=R0000018d-01-5b73426f] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2018-08-14 15:59:14,407[RequestHandler-1-0x7f3cc8fe7700 h=7806 c=R0000018d-01-5b73426f] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2018-08-14 15:59:14,408[main SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - Policy Evaluation time = 15 ms
    2018-08-14 15:59:14,408[main SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2018-08-14 15:59:14,408[main SessId R0000018d-01-5b73426f] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2018-08-14 15:59:14,408[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
    2018-08-14 15:59:14,408[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
    2018-08-14 15:59:14,408[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
    2018-08-14 15:59:14,408[RequestHandler-1-0x7f3cc8fe7700 r=R0000018d-01-5b73426f h=7793 c=R0000018d-01-5b73426f] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

     

     


  • 2.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 15, 2018 12:02 AM
    How is the supplicant being managed?
    Is the EAP server cert chained correctly?


  • 3.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    Posted Aug 17, 2018 09:26 AM

    The supplicants are managed through Jamf software. And what exactly do you mean by "chained correctly" when it comes to the EAP cert? Sorry, I'm still trying to wrap my head around certs.



  • 4.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 17, 2018 09:29 AM
    The server cert needs to have both the leaf and intermediate.


  • 5.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    Posted Aug 17, 2018 10:06 AM

    Yes, everything seems to be correct. Under my server certificates tab, I have 4 entries. The first one with the CN, OU, O, etc with my organization's info and domain names of the clearpass server (we have two nodes in a cluster). The I have two Intermediate CAs with Comodo's info, and one root CA with "CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE"



  • 6.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    EMPLOYEE
    Posted Aug 17, 2018 10:12 AM
    The root CA should not be present.

    Also, be sure you’re using the same EAP server certificate on all EAP server nodes.


  • 7.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    Posted Aug 17, 2018 11:54 AM

    It is the same on both nodes. Is there a way to remove the Root CA? Or will it still function if it is present?



  • 8.  RE: [MacOS 10.14b6] Client did not complete EAP transaction

    Posted Nov 14, 2018 07:47 AM

    Sorry to bump this, but I'm investigating MacOS and alleged disconnects from the wireless network. Then I came across this thread.

     

    Are you saying that ClearPass should not include the root ca in the chain when presenting itself during the EAP transaction?

     

    Under "Administration -> Certificate Store" I'm used to see the following

     

    Server Certificate:

    Intermediate CA:

    Certificate Root CA Certificate:

     

    When Root CA is present here I believe ClearPass is including it in the server hello presented to the client.