With EAP-TLS the actual authentication happens based on the client and ClearPass EAP certificate. After that you have multiple options to get authorization information from your AD or other authentication sources. If you added AD as an Authentication Source (when using EAP-TLS), and have 'Authorization Required' in your EAP-TLS Method (default setting), the username sent has to be available in your AD. But the 'Client did not complete EAP transaction' points to a different issue, where certificate trust is not set up, or the client does not have a client certificate, or the user is presented with a popup to approve the server certificate and/or select a client certificate.
And yes, you can perform OCSP (or CRL) checking against the CA as well to support revoking of certificates. As this is a pretty comprehensive topic, which benefits from understanding how certificates work, it may be good to work with a specialist from your partner or with TAC.
Did this work with your on premises AD and EAP-TLS before?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
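As an added example, not part of the thread above and not ClearPass or Aruba code, the checks described in the reply (client certificate trust, then CRL and OCSP revocation) run with openssl against a constructed lab PKI. It assumes openssl 1.1.1 or newer on the path; the CA name, the user `jdoe`, and all file names are constructed.

```shell
# Constructed lab PKI (not ClearPass or Aruba code): a throw-away issuing CA, one
# client cert, and the checks an EAP-TLS server runs on it: chain trust, CRL, OCSP.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ client_ext ]
extendedKeyUsage = clientAuth
EOF
touch index.txt; echo 01 > serial
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 2 \
  -subj "/CN=Lab Issuing CA" -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=jdoe" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -days 1 -extensions client_ext -in client.csr -out client.crt >/dev/null 2>&1
# Check 1: chain trust. A CA missing from the server's trust list aborts the TLS handshake, so EAP never completes.
trust_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Check 2: CRL. $1 is the CA cert with its current CRL appended.
crl_revoked() { openssl verify -crl_check -CAfile "$1" "$2" 2>&1 | grep -q 'certificate revoked'; }
# Check 3: OCSP. The request is answered from index.txt through files, standing in
# for the HTTP responder a RADIUS server would query; prints good, revoked or unknown.
ocsp_status() {
  openssl ocsp -no_nonce -issuer "$1" -cert "$2" -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA "$1" -rsigner "$1" -rkey ca.key -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -no_nonce -issuer "$1" -cert "$2" -CAfile "$1" -respin resp.der 2>/dev/null | sed -n "s|^$2: ||p"
}
# Revoke a cert in the lab CA and publish a fresh CRL next to the CA cert.
revoke_client() {
  openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 && cat ca.crt ca.crl > ca_and_crl.pem
}
trust_ok ca.crt client.crt && echo "trust: ok"
revoke_client client.crt
crl_revoked ca_and_crl.pem client.crt && echo "crl: revoked"
echo "ocsp: $(ocsp_status ca.crt client.crt)"
```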
Original Message:
Sent: Mar 13, 2024 04:55 PM
From: Gunskirchen
Subject: ClearPass EAP-TLS with External CA
I am looking to configure an EAP-TLS authentication process. We recently migrated to a hosted CA for our internal certs. The AD servers are not the CA but are linked to the CA? I think. When I configure the EAP-TLS process to check the AD servers, I get error 9002 - RADIUS - Client did not complete the EAP transaction. Which is why I think the AD server cannot be queried for the cert. Is it possible to ask the external CA? Is there anyone who has done this using an HTTP process or OCSP? What has been the experience? Where is the documentation for this?