Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TEAP Implementation Issues

  • 1.  TEAP Implementation Issues

    Posted Mar 05, 2023 01:31 AM

    So I've watched Herman's videos on this, as well as followed the instructions here: [Tutorial] - Clearpass Authentication using EAP-TEAP (EAP-Chaining) | Security (arubanetworks.com)

    But I am having the hardest time getting TEAP working. 

    A few things on my setup:

    1. We already use EAP-TLS today with user and machine certs being pushed from SCEPman. Laptops joined to InTune. Everything works here. User cert passes the correct information as well as machine.
    2. We are Intune joined and have the v5 connector set up
    3. Running 6.10.8

    I have my supplicant set up using the instructions in the link above. Except for my method 1 and 2, I choose "smart card or cert" as we have certs on these machines.

    After configuring my laptop manually for TEAP, it will not connect. Access tracker still shows that it is trying to pass both "anonymous" as a username, as well as the name of the machine. Here are some screenshots:

    These are the logs typically coming through when I try to connect.

    Here's a log from one of the timeouts: I see it tries to look up 'anonymous' in AD, which I don't want it to do. I saw someone mention using an enforcement profile to be able to retrieve the actual username being passed, but I haven't had much luck with that... is there a way to query for that username before authentication even tries to occur?

    2023-03-04 20:42:40,413	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 181:189:04EA5669411E
    2023-03-04 20:42:40,416	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - Service Categorization time = 3 ms
    2023-03-04 20:42:40,416	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service"
    2023-03-04 20:42:40,416	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831939 h=223 r=R00053e89-03-640401a0] INFO Core.ServiceReqHandler - Service classification result = TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service
    2023-03-04 20:42:40,417	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_ldap: searching for user anonymous in AD:172.x.x.x.
    2023-03-04 20:42:40,417	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_ldap: searching for user anonymous in AD:172.x.x.x
    2023-03-04 20:42:40,418	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_sql: searching for user anonymous in Local:localhost
    2023-03-04 20:42:40,418	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_sql: found user anonymous in Local:localhost
    2023-03-04 20:42:40,418	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - SQL User lookup time = 0 ms
    2023-03-04 20:42:40,418	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2023-03-04 20:42:40,418	[Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 181:88:04EA5669411E:ALMAVgB8AEe7mzkA8M3T3YU57lcQc1GVwTttSQ==
    2023-03-04 20:42:40,421	[Th 3423 Req 3775420 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 189:223:04EA5669411E
    2023-03-04 20:42:40,422	[Th 3423 Req 3775420 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_eap_teap: Initiate
    2023-03-04 20:42:40,422	[Th 3423 Req 3775420 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 189:88:04EA5669411E:AEcAbQC3ACK8mzkAD7ZckUuftiZgMb0WpYoIVA==
    2023-03-04 20:42:40,425	[Th 3426 Req 3775421 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 46:376:04EA5669411E
    2023-03-04 20:42:40,426	[Th 3426 Req 3775421 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2023-03-04 20:42:40,426	[Th 3426 Req 3775421 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
    2023-03-04 20:42:40,426	[Th 3426 Req 3775421 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 46:1124:04EA5669411E:AAkAOwBCALe9mzkA3O20OAInRCa+gj1T3m5X+A==
    2023-03-04 20:42:40,433	[Th 3425 Req 3775422 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 237:223:04EA5669411E
    2023-03-04 20:42:40,433	[Th 3425 Req 3775422 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 237:1120:04EA5669411E:ACkAiQB5AIy+mzkA5PT+QEve1o3kWOcvnMSE/Q==
    2023-03-04 20:42:40,439	[Th 3429 Req 3775423 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 52:223:04EA5669411E
    2023-03-04 20:42:40,439	[Th 3429 Req 3775423 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 52:1120:04EA5669411E:AOAAFwDkAN6/mzkAHizoF1iikDk5pmNy0246tQ==
    2023-03-04 20:42:40,446	[Th 3427 Req 3775424 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 58:223:04EA5669411E
    2023-03-04 20:42:40,446	[Th 3427 Req 3775424 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 58:1120:04EA5669411E:AFMACgCWAKzAmzkACXmCA5jGjwKPjj6KLIR0ig==
    2023-03-04 20:42:40,453	[Th 3428 Req 3775425 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 229:223:04EA5669411E
    2023-03-04 20:42:40,453	[Th 3428 Req 3775425 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 229:1120:04EA5669411E:AHMAnwDMAL7BmzkAX66/8j9yDuAEtydUfRjGGA==
    2023-03-04 20:42:40,459	[Th 3424 Req 3775426 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 200:223:04EA5669411E
    2023-03-04 20:42:40,460	[Th 3424 Req 3775426 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 200:1096:04EA5669411E:ADQAuABOACzCmzkA/p5F0wpubG3Ip6bKK0pMQw==
    2023-03-04 20:42:40,469	[Th 3423 Req 3775427 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "TEAP_TEST_Cert_Device_InTune_Aruba 802.1X Wireless Service" - 63:349:04EA5669411E
    2023-03-04 20:42:40,469	[Th 3423 Req 3775427 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 63:330:04EA5669411E:AKQAwQDWANjDmzkAku+MhCLot8HwOz2bp6E+sw==
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00053e89-03-640401a0, state - AKQAwQDWANjDmzkAku+MhCLot8HwOz2bp6E+sw=
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 181:189:88:04EA5669411E recv 1677984160.413057 - resp 1677984160.418760
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 189:223:88:04EA5669411E recv 1677984160.421763 - resp 1677984160.422113
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 46:376:1124:04EA5669411E recv 1677984160.425500 - resp 1677984160.426946
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 237:223:1120:04EA5669411E recv 1677984160.433115 - resp 1677984160.433418
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 52:223:1120:04EA5669411E recv 1677984160.439585 - resp 1677984160.439891
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 58:223:1120:04EA5669411E recv 1677984160.446575 - resp 1677984160.446872
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 229:223:1120:04EA5669411E recv 1677984160.453218 - resp 1677984160.453553
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 200:223:1096:04EA5669411E recv 1677984160.459838 - resp 1677984160.460142
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Packet 63:349:330:04EA5669411E recv 1677984160.468916 - resp 1677984160.469535
    2023-03-04 20:43:28,550	[main SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 04ea5669411e
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3005 entity id = 29
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3005
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3005|entityId=29
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3005|entity=Device
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 r=psauto-1676955249-831952 h=239 r=R00053e89-03-640401a0] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
    2023-03-04 20:43:28,552	[RequestHandler-1-0x7ff4ba5d5700 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
    2023-03-04 20:43:28,553	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2023-03-04 20:43:28,553	[AuthReqThreadPool-31-0x7ff5c43e1700 r=R00053e89-03-640401a0 h=72] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2023-03-04 20:43:28,553	[AuthReqThreadPool-31-0x7ff5c43e1700 r=R00053e89-03-640401a0 h=72] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2023-03-04 20:43:28,553	[AuthReqThreadPool-31-0x7ff5c43e1700 r=R00053e89-03-640401a0 h=72] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
    2023-03-04 20:43:28,553	[AuthReqThreadPool-31-0x7ff5c43e1700 r=R00053e89-03-640401a0 h=72] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
    2023-03-04 20:43:28,553	[AuthReqThreadPool-31-0x7ff5c43e1700 r=R00053e89-03-640401a0 h=72] WARN Ldap.LdapQuery - Failed to get value for attributes=Account Expires, Department, Email, Phone, Title, company, groupName, hostDnsName, hostOperatingSystem, hostServicePack, memberOf]
    2023-03-04 20:43:28,554	[RequestHandler-1-0x7ff4ba5d5700 h=6703857 c=R00053e89-03-640401a0] INFO Core.PETaskRoleMapping - Roles: Other]
    2023-03-04 20:43:28,554	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
    2023-03-04 20:43:28,554	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
    2023-03-04 20:43:28,554	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
    2023-03-04 20:43:28,554	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 h=6703860 c=R00053e89-03-640401a0] INFO Core.PETaskEnforcement - EnfProfiles: Deny Access Profile]
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskRadiusEnfProfileBuilder **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskAgentEnfProfileBuilder **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 h=6703866 c=R00053e89-03-640401a0] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 h=6703861 c=R00053e89-03-640401a0] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=DENY
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 h=6703861 c=R00053e89-03-640401a0] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Deny Access Profile]
    2023-03-04 20:43:28,555	[RequestHandler-1-0x7ff4ba5d5700 h=6703861 c=R00053e89-03-640401a0] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskAgentEnfProfileBuilder **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 h=6703867 c=R00053e89-03-640401a0] INFO Core.PETaskCliEnforcement - startHandler: Request rejected. Skip CLI enforcement
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703862 c=R00053e89-03-640401a0] INFO Core.PETaskRadiusCoAEnfProfileBuilder - getApplicableProfiles: No radius_coa enforcement profiles applicable for this device
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703865 c=R00053e89-03-640401a0] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
    2023-03-04 20:43:28,556	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
    2023-03-04 20:43:28,559	[RequestHandler-1-0x7ff4ba5d5700 h=6703869 c=R00053e89-03-640401a0] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2023-03-04 20:43:28,559	[RequestHandler-1-0x7ff4ba5d5700 h=6703869 c=R00053e89-03-640401a0] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2023-03-04 20:43:28,559	[RequestHandler-1-0x7ff4ba5d5700 h=6703868 c=R00053e89-03-640401a0] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2023-03-04 20:43:28,560	[main SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - Policy Evaluation time = 10 ms
    2023-03-04 20:43:28,560	[main SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_policy: Received Deny Enforcement Profile
    2023-03-04 20:43:28,560	[main SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2023-03-04 20:43:28,560	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
    2023-03-04 20:43:28,560	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
    2023-03-04 20:43:28,560	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
    2023-03-04 20:43:28,560	[RequestHandler-1-0x7ff4ba5d5700 r=R00053e89-03-640401a0 h=6703855 c=R00053e89-03-640401a0] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

    And here's a log from the REJECT, where I can see it is trying to use both identities. 

    What makes this all frustrating is that I see people getting it to work... I just can't, or am missing something. Plus my EAP-TLS environment works fine and processes everything normally. For example, I don't know why TEAP-Method-1-Username is showing like that... but in our regular EAP-TLS logs it is different.

    I know this has been a lot of text and screenshots, and I do have a ticket open with TAC...but was hoping someone out there is in a similar spot and can maybe offer some advice.

    Thanks!
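A small triage script for the log format shown in the post above, as an added example that is not part of the original thread or of any ClearPass tooling. The sample lines are excerpted (abridged) from that log; the `triage` function and its field names are hypothetical. It reports, per session, which identity was looked up in the authentication sources, which EAP methods were initiated, TLS handshake errors, how long the server waited after its last Access-Challenge before discarding the request, and the final enforcement action.

```python
import re
from datetime import datetime

# Lines excerpted (abridged) from the session log posted above.
SAMPLE = """\
2023-03-04 20:42:40,417 [Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_ldap: searching for user anonymous in AD:172.x.x.x
2023-03-04 20:42:40,418 [Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_sql: found user anonymous in Local:localhost
2023-03-04 20:42:40,418 [Th 3424 Req 3775419 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
2023-03-04 20:42:40,422 [Th 3423 Req 3775420 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - rlm_eap_teap: Initiate
2023-03-04 20:42:40,426 [Th 3426 Req 3775421 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client key exchange A
2023-03-04 20:42:40,469 [Th 3423 Req 3775427 SessId R00053e89-03-640401a0] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 63:330:04EA5669411E:AKQAwQDWANjDmzkAku+MhCLot8HwOz2bp6E+sw==
2023-03-04 20:43:28,550 [main SessId R00053e89-03-640401a0] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00053e89-03-640401a0, state - AKQAwQDWANjDmzkAku+MhCLot8HwOz2bp6E+sw=
2023-03-04 20:43:28,555 [RequestHandler-1-0x7ff4ba5d5700 h=6703861 c=R00053e89-03-640401a0] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=DENY
"""

# timestamp, [thread/session context], level, component, message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\[(?P<ctx>[^\]]*)\]\s+"
    r"(?P<level>[A-Z]+)\s+(?P<comp>\S+) - (?P<msg>.*)$")
SESSION = re.compile(r"\bR[0-9a-f]{8}-\d\d-[0-9a-f]{8}\b")
USER = re.compile(r"(?:searching for|found) user (\S+) in ")
METHOD = re.compile(r"rlm_eap_(\w+): Initiate")
ACTION = re.compile(r"EnfProfileAction=(\w+)")


def triage(text):
    """Summarise each RADIUS session found in the log text (hypothetical helper)."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        sid = SESSION.search(m["ctx"]) if m else None
        if not sid:
            continue  # not a log line, or no session id in the context field
        s = sessions.setdefault(sid.group(), {
            "outer_ids": set(), "methods": [], "tls_errors": 0,
            "last_challenge": None, "cleanup": None, "action": None})
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        msg = m["msg"]
        if (u := USER.search(msg)):
            s["outer_ids"].add(u.group(1))      # identity used for the source lookup
        if (e := METHOD.search(msg)):
            s["methods"].append(e.group(1))     # EAP methods the server started
        if msg.startswith("TLS_accept:error"):
            s["tls_errors"] += 1
        if "reqst_update_state: Access-Challenge" in msg:
            s["last_challenge"] = ts
        if "reqst_clean_list: Deleting request" in msg:
            s["cleanup"] = ts
        if (a := ACTION.search(msg)):
            s["action"] = a.group(1)
    for s in sessions.values():
        # Seconds between the last challenge sent and the server discarding the request
        s["stall_seconds"] = None
        if s["last_challenge"] and s["cleanup"]:
            s["stall_seconds"] = (s["cleanup"] - s["last_challenge"]).total_seconds()
    return sessions


if __name__ == "__main__":
    for sid, s in triage(SAMPLE).items():
        print(sid, sorted(s["outer_ids"]), s["methods"],
              s["tls_errors"], s["stall_seconds"], s["action"])
```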



  • 2.  RE: TEAP Implementation Issues

    Posted Mar 06, 2023 02:43 PM

    Bumping for science. 




  • 3.  RE: TEAP Implementation Issues

    EMPLOYEE
    Posted Mar 08, 2023 07:19 AM

    Where do you get your client certificates from? Is that from the on premise AD and Group Policies? Or through Intune/SCEP?

    Both give you different formats of the usernames, and a certificate issued through Intune cannot be validated in AD. Also with the identity privacy (anonymous as username) you cannot compare that with the certificate. As a start you can create an EAP-TLS Authentication method where Authorization and Comparison are disabled:
    If it then works, you can start from there again.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: TEAP Implementation Issues

    Posted Mar 16, 2023 11:07 PM

    Hi Herman, we are in a hybrid setup right now. Lab PCs are local AD joined and pulling from local CA. Staff laptops are InTune joined, pulling certs from Scepman.




  • 5.  RE: TEAP Implementation Issues

    EMPLOYEE
    Posted Mar 20, 2023 05:02 AM

    If you provision your clients through Intune and Group Policy, you can either disable authorization (did you try that already?) and have both run in the same service, or you could use the anonymous identity used in TEAP if you provision that differently for your AD vs Intune managed clients by creating two services that each select on the anonymous identity:

    In this example, this service is triggered if the anonymous identity is 'anonymous' or 'teap'; if you use 'intune' or 'byod' or so as the identity for your Intune-managed clients, you can have a different service match for those clients.

    Not fully sure where you are now in the resolution of your original issue; please let us know the status if you need more help.



    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: TEAP Implementation Issues

    Posted Mar 20, 2023 08:58 AM

    Hi,

    I have been getting the same error.

    In my case I found out that if I had in Configuration » Services »  Your service name  »  Authentication  »  Authentication Methods: EAP MSCHAPv2, I would get the conflicting identities error.

    So I only left the TEAP and PEAP methods there:

    Please let me know if this was your problem as well.

    Have a nice day.