Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AP EAP-TLS using TPM certs authentication fail

  • 1.  AP EAP-TLS using TPM certs authentication fail

    Posted 30 days ago

    Hi ALL,
    After upgrading the MC to 8.12.0 the AP started throwing:
    802.1X: EAP-TLS using TPM certs authentication fail

    ClearPass, on the other hand:
    Client did not complete EAP transaction

    Is there something that I could check from the AP console to identify the source of the issue?



  • 2.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 30 days ago

    Hi

    EAP is handled between the client and ClearPass. The controller doesn't have an active role in that phase. Thus it's a bit strange if the problem is related to the update of the controller.

    Does this error affect all clients?

    One option could be if the traffic is fragmented for some reason with 8.12 and not the earlier version.

    Do you have a more specific error message?

    Good to know is that in some older TPM chips there is a bug related to the PSS RSA algorithm introduced in TLS 1.3. TLS 1.3 is enabled from ClearPass 6.11, but the PSS RSA algorithm can be disabled under the Radius service settings if clients have this issue, or by disabling the algorithm on the client side.

    I wrote a blog post about this issue:

    https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 29 days ago

    Yes, the error relates to all AP clients...

    Could you elaborate more on:

    "One option could be if the traffic is fragmented for some reason with 8.12 and not the earlier version"

    How will I check whether the traffic is fragmented?

    Is there something on the AP side that i could check from the console?




  • 4.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 29 days ago

    Hi

    I just realized I misunderstood your issue. You have the APs performing 802.1X with the built-in TPM certificate, correct?

    In ClearPass, verify that the AP certificate is trusted and also that you can see the certificate information in Access Tracker under the Input tab and section Computed attributes.

    I have not read the 8.12 release notes; are there any known issues mentioned with this version and 802.1X authentication with the TPM certificate?

    Does other 802.1X authentication work as expected on the same switch?

    Can you share the logs from the access points, ClearPass and the switch?

    It could be a good idea to contact TAC for troubleshooting.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    Aranya AB
    ------------------------------



  • 5.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 28 days ago

    Hi,

    "Does other 802.1X authentication work as expected on the same switch?"

    Yes, Windows 10/11 is working just fine on the same switch!

    "Can you share the logs from the access points"

    Which logs are you after? I can only see the below from the AP console:

    802.1X: EAP-TLS using TPM certs authentication failure or sapd does not get msg from wpa_supplicant
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
    802.1X: EAP-TLS using TPM certs authentication timeout/failure

    ClearPass log will follow as attachment.

    I have opened a TAC case, but they still could not point me in the right direction.


    Attachment: c-pass.txt (18 KB)


  • 6.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 28 days ago

    I can just find one line with a TLS error in the ClearPass log, and it wasn't very specific.

    Try to enable Debug for both Radius and Policy services, and see if you can get more information in ClearPass.

    What version of ClearPass do you run?

    Have you tried to disable PSS RSA under the Radius server settings? It's possible to disable from ClearPass 6.11.4 or .5 (I'm a bit unsure of the exact version the function was introduced in).

    My hypothesis here is that the combination of certificates in TPM, 8.12 and maybe older access points with a TPM chip with the PSS RSA bug could be the issue.

    If that's not the case I don't have any more ideas at the moment.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    Aranya AB
    ------------------------------



  • 7.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 28 days ago

    ClearPass 6.11.8

    I've tried to disable PSS RSA, but it did not resolve the issue.

    I'm attaching a debug log from ClearPass for your reference!


    Attachment: eap-debug.txt (196 KB)


  • 8.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 28 days ago

    Hi

    In the first log you attached, the request hit service MEDO-AP Wired Aruba Access Point DYN VLAN 802.1X, but in the new log with DEBUG enabled this service is not hit by the requests. It looks like it's another type of client in these requests, as the service is {ArubaOS SW} Wired Desktop DYN VLAN 802.1X.

    Export a log when one of the access points tries to authenticate.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    Aranya AB
    ------------------------------



  • 9.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 27 days ago

    Here you go!


    Attachment: MEDO-AP-DEBG.txt (130 KB)


  • 10.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted 27 days ago

    I can't find any other error message in the log than:

    TLS_accept:error in SSLv3/TLS write server done

    I'm sorry, but I don't have any more ideas!

    I hope TAC can help you find the issue, or someone else in Airheads.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    Aranya AB
    ------------------------------
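A small triage helper, added here as an example and not code from the thread, from ClearPass or from Aruba, that applies the checks raised above (which service the request hit, the "write server done" TLS stage, and the AP-side bypass events) to the AP console lines quoted in the thread and to constructed ClearPass-style lines; the `Service=` line format and the hint wording are assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the AP console lines are the ones quoted in the thread;
# the ClearPass lines are constructed stand-ins (the real export format differs).
AP_CONSOLE = """\
802.1X: EAP-TLS using TPM certs authentication failure or sapd does not get msg from wpa_supplicant
802.1X: EAP-TLS using TPM certs authentication timeout/failure
802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
802.1X: EAP-TLS using TPM certs authentication timeout/failure
"""
CLEARPASS_DEBUG = """\
Service=MEDO-AP Wired Aruba Access Point DYN VLAN 802.1X
TLS_accept:error in SSLv3/TLS write server done
"""
EXPECTED_SERVICE = "MEDO-AP Wired Aruba Access Point DYN VLAN 802.1X"

def classify_ap_lines(text):
    """Count AP-side outcomes: bypass (fallback), timeout, supplicant_no_msg, failure."""
    counts = Counter()
    for line in text.splitlines():
        if "TPM certs authentication" not in line:
            continue
        key = ("bypass" if "bypass" in line else "timeout" if "timeout" in line
               else "supplicant_no_msg" if "wpa_supplicant" in line else "failure")
        counts[key] += 1
    return counts

def triage_clearpass(text, expected_service):
    """Pull the service hit and the TLS handshake stage at which ClearPass failed."""
    svc = re.search(r"Service=(.+)", text)
    err = re.search(r"TLS_accept:error in (.+)", text)
    name = svc.group(1).strip() if svc else None
    stage = err.group(1).strip() if err else None
    return {"service": name, "service_matches": name == expected_service, "tls_stage": stage,
            # usual reading of "write server done": the server flight (Certificate/CertificateRequest/
            # ServerHelloDone) went out and the client's Certificate/CertificateVerify never arrived
            "stalled_after_server_flight": bool(stage) and "write server done" in stage}

def diagnose(ap_counts, cp):
    """Map the findings to the checks raised in the thread."""
    hints = []
    if not cp["service_matches"]:
        hints.append("wrong service hit: the log captured another client type, export an AP attempt")
    if cp["stalled_after_server_flight"]:
        hints.append("client never answered the server flight: check for EAP fragmentation AP->ClearPass")
        hints.append("check the AP TPM can sign with PSS RSA (TLS 1.3); try disabling PSS RSA in RADIUS settings")
    if ap_counts["bypass"]:
        hints.append("AP fell back to APdot1X bypass: confirm that fallback is intended on this port")
    return hints
```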