Wireless Access

last person joined: 10 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

windows 10 via won't connect

This thread has been viewed 3 times

  • 1.  windows 10 via won't connect

    Posted Apr 15, 2016 02:09 PM

    Hey all -

     

    Having issues with Windows 10 VIA not connecting to our VPN.

    Windows 10 64 bit

    VIA 2.3.2

    Clearpass server 6.4.7.74559

    Aruba Controller - 6.4.3.6

     

    Windows 7 clients connect fine - but have to use via version 2.1.1.5

     

    Not sure why it won't connect. From the client end - VIA just keeps prompting for the cert

     

    the Diagnostics tab shows

    via.PNG

     

    Clearpass log shows:


    Request log details for session: R00016e66-01-57111a10
    Time     Message
    2016-04-15 10:42:56,531     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 232:130:67.41.123.46
    2016-04-15 10:42:56,531     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - The attribute x.x.x.x does not contain MAC Address
    2016-04-15 10:42:56,535     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - Service Categorization time = 4 ms
    2016-04-15 10:42:56,535     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "VIAVpn-TLS"
    2016-04-15 10:42:56,535     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: searching for user gurban in AD:rpco-dc04.rpcorp.local
    2016-04-15 10:42:56,535     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201617 h=79 r=R00016e66-01-57111a10] INFO Core.ServiceReqHandler - Service classification result = VIAVpn-TLS
    2016-04-15 10:42:56,537     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: found user gurban in AD:rpco-dc04.rpcorp.local
    2016-04-15 10:42:56,537     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - LDAP/AD User lookup time = 2 ms
    2016-04-15 10:42:56,537     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: authenticating "username"
    2016-04-15 10:42:56,540     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_ldap: user username authenticated succesfully
    2016-04-15 10:42:56,541     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2016-04-15 10:42:56,541     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - The attribute x.x.x.x does not contain MAC Address
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2016-04-15 10:42:56,543     [RequestHandler-1-0x7f4b009e0700 r=psauto-1458101883-201618 h=83 r=R00016e66-01-57111a10] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
    2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
    2016-04-15 10:42:56,544     [RequestHandler-1-0x7f4b009e0700 h=1635816 c=R00016e66-01-57111a10] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2016-04-15 10:42:56,545     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{Onboard memberOf}), error=No values for param=Onboard memberOf
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{Onboard memberOf})
    2016-04-15 10:42:56,546     [AuthReqThreadPool-8-0x7f4b11639700 r=R00016e66-01-57111a10 h=25] WARN Ldap.LdapQuery - Failed to get value for attributes=HostName, OSServicePack, Onboard Groups, OperatingSystem]
    2016-04-15 10:42:56,547     [RequestHandler-1-0x7f4b009e0700 h=1635817 c=R00016e66-01-57111a10] INFO Core.PETaskRoleMapping - Roles: User Authenticated]
    2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
    2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
    2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
    2016-04-15 10:42:56,548     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
    2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 h=1635820 c=R00016e66-01-57111a10] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
    2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
    2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskRadiusEnfProfileBuilder **
    2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
    2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
    2016-04-15 10:42:56,549     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
    2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
    2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635825 c=R00016e66-01-57111a10] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635824 c=R00016e66-01-57111a10] WARN Core.PETaskPostAuthEnfProfileBuilder - No client macaddress found in the request
    2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635824 c=R00016e66-01-57111a10] WARN Core.PETaskPostAuthEnfProfileBuilder - startHandler: Failed to fetch NAutz attributes
    2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635822 c=R00016e66-01-57111a10] WARN Core.PETaskRadiusCoAEnfProfileBuilder - No client key found for session lookup
    2016-04-15 10:42:56,550     [RequestHandler-1-0x7f4b009e0700 h=1635822 c=R00016e66-01-57111a10] WARN Core.PETaskRadiusCoAEnfProfileBuilder - startHandler: Failed to fetch NAutz attributes
    2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 h=1635821 c=R00016e66-01-57111a10] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 h=1635821 c=R00016e66-01-57111a10] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
    2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 h=1635821 c=R00016e66-01-57111a10] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
    2016-04-15 10:42:56,551     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 h=1635826 c=R00016e66-01-57111a10] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
    2016-04-15 10:42:56,552     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
    2016-04-15 10:42:56,555     [RequestHandler-1-0x7f4b009e0700 h=1635828 c=R00016e66-01-57111a10] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2016-04-15 10:42:56,555     [RequestHandler-1-0x7f4b009e0700 h=1635828 c=R00016e66-01-57111a10] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2016-04-15 10:42:56,555     [RequestHandler-1-0x7f4b009e0700 h=1635827 c=R00016e66-01-57111a10] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - Policy Evaluation time = 15 ms
    2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Added Class attribute with value Class = 0xf65c0316a22d463186d437b695b78a11bd0b0000000000005230303031366536362d30312d35373131316131300000000000000000000000
    2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2016-04-15 10:42:56,556     [Th 52 Req 1072631 SessId R00016e66-01-57111a10] INFO RadiusServer.Radius - Request processing time = 25 ms
    2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
    2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
    2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
    2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
    2016-04-15 10:42:56,556     [RequestHandler-1-0x7f4b009e0700 r=R00016e66-01-57111a10 h=1635815 c=R00016e66-01-57111a10] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

     

    Really at a loss here as to why windows 10 won't connect - any thoughts?

     

    Thank you!

     

    Gerri



  • 2.  RE: windows 10 via won't connect
    Best Answer

    EMPLOYEE
    Posted Apr 15, 2016 02:21 PM

    It is very hard to say what could be happening here.  The latest version of Via should be working on both Windows platforms.  Without seeing the service, the VIA VPN configuration on the controller and logs between devices, it is tough to say what could be happening here.  You should open a case in parallel, so that they can sort it out...

     

     



  • 3.  RE: windows 10 via won't connect

    Posted Apr 15, 2016 02:53 PM

    I figured - just thought I would ask the community first - sometimes it's been solved and there is no need to open TAC - thank you! I'll do that.

     

     



  • 4.  RE: windows 10 via won't connect

    EMPLOYEE
    Posted Apr 15, 2016 03:29 PM

    You can leave it out here for more comment, but open up a TAC case in parallel.  In my mind, more information is needed.  In other people's mind who might have gone through this, they have an answer and can post.



  • 5.  RE: windows 10 via won't connect

    Posted Apr 15, 2016 03:31 PM

    OK - I'll add as I have more information.

     

    Thanks!



  • 6.  RE: windows 10 via won't connect

    Posted Jan 18, 2017 08:45 AM

    Hi Gerri.Urban, Can I ask if you ever got a resolution to this? We're experiencing the same issues with Windows 10!



  • 7.  RE: windows 10 via won't connect
    Best Answer

    Posted Jan 18, 2017 10:12 AM

    Funny you should ask - we just got this resolved (yes really) We finally setup a full test system and spent a day with a tac engineer testing all kinds of things, pulling logs etc,  but the final result had to do with the IKE policies in the VPN Services - I had to add a new policy at priority 1

    version: v2

    priority: 1

    encryption: aes128

    hash:sha

    authentication: rsa

    prf: prf-hmac-sha1

    group: group 2

     

    As always it's best to reach out to tac and work with them to make sure this is the correct solution for your environment - this fixed it for us - but we also had to deal with the fact that we could only connect with version 2.1.1.5 VIA and that version won't run on windows 10. 

     

    Once we get the 3.0 clients we will also be able to enable tls 1.2 on the Clearpass server also. 

     

    I'm happy to say we can now upgrade all clients (mac and pc) to the latest, the old clients still work and every things is good