Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired Authentication with EAP-TTLS not working

  • 1.  Wired Authentication with EAP-TTLS not working

    Posted Apr 17, 2023 01:59 AM

    Hi Folks,

    Just looking for some guidance as to what I am getting wrong.

    Windows client tries to authenticate and gets the following error:


    Not picking up auth source.


    Windows client:

    Are there a few things I have missing?
    Does anyone have any docs or guides I can make ref to for end-end?



  • 2.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 17, 2023 08:35 AM

    What is under the Alerts tab?  Why use EAP-TTLS?  Looks like the supplicant is configured for TEAP?




  • 3.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:00 AM

    I don't have an option for EAP-TEAP on my ClearPass as auth method.
    Am I missing something?




  • 4.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:08 AM

    Hi

    You have to add the TEAP method manually.


    Select the user name to display in Access Tracker:

    Add EAP-TLS as the Inner method



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:53 AM

    Thanks Jonas,

    Did that but still got the below:


    Would I be missing anything else? I installed domain root cert on client PC already.
    Do I need to install any other certs?




  • 6.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 04:09 AM

    Hi

    What is the error message under the Alerts tab?

    EAP-TEAP for sure has benefits over EAP-TLS, as you get the authentication of both the Windows computer and the user in the same auth request. But it can be a bit more challenging to configure the first time.
    EAP-TLS is easier to configure; in Windows you don't select EAP-TLS, instead the drop-down has the text "Microsoft: Smart card or other certificate".
    If you intend to authenticate both computer and user, stay with TEAP. If only computer is enough you can also try to use EAP-TLS.

    Is the Radius certificate issued by the same CA as the client certificate, or at least under the same root?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 20, 2023 02:07 AM


    This is the alerts for TEAP


    As per the "Microsoft: Smart card or other certificate" (EAP-TLS on CPPM), it does not even hit the ClearPass service.



    Would there be any reason why it isn't hitting the service when changed to EAP-TLS?
    It doesn't look like it even sent it through to CPPM, as it dropped almost immediately.




  • 8.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 20, 2023 02:09 AM

    ClearPass for EAP-TLS




  • 9.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 22, 2023 10:47 PM

    Hi Jonas,

    Got it working now.
    Using EAP-PEAP.
    One thing I missed was not having my PC join the domain, hence DC was not seeing it in its object for use for authentication with ClearPass policies.

    I will mock around with other methods and see if I can get them working.

    Would you say from experience EAP-MSCHAP is the way to go for these deployments or EAP-PEAP?
    EAP-TEAP seems to be very complex and difficult to deploy via GPO.




  • 10.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 22, 2023 10:53 PM
    TEAP with EAP-TLS with inner method for both user and computer is the most secure. EAP-TLS with machine or user certificates is next. Finally, PEAP is least secure since it is username/password based and does not use certificates for client auth.




  • 11.  RE: Wired Authentication with EAP-TTLS not working
    Best Answer

    Posted May 09, 2023 11:01 PM

    Hi @jonas.hammarback ,

    Got it working using
    eap-peap - eap-mschap-v2 authentication
    eap-ttls - eap-mschapv2 authentication
    PC joined to domain.
    Successful authentication with machine auth
    Thanks heaps for guiding me through it.






  • 12.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 07:37 AM
    6.10 and above support TEAP




  • 13.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:45 AM

    Do you know of a better method to use as auth method?