Security

  • 1.  Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:11 AM

    Hello,

    I would really like some help, I am pulling my hair out on this project.

    The switches we are using are Aruba 6100 (JL675A 6100 48G CL4 4SFP+ Swch), Version: PL.10.10.1090

    We are using EAP-PEAP MSCHAPV2

    I would like to know if the issue is with the machines or the switch, because I tested about 4 Windows 10 machines, and all show the same symptoms: sometimes they are authenticating, sometimes they are timing out.

    Here is the config on the switch:

    =======================================================================

    radius-server host 10.100.250.30 key ciphertext ***********
    !
    !
    aaa group server radius clearpass-scr
        server 10.100.250.30
    !
    !
    radius dyn-authorization enable
    !
    radius dyn-authorization client 10.100.250.30 time-window 65535 secret-key **********

    port-access role phone_role
        auth-mode multi-domain
        reauth-period 14400
        device-traffic-class voice

    port-access role quarantine_role
        auth-mode multi-domain
        vlan trunk native 122
        vlan trunk allowed 10,122

    aaa authentication port-access dot1x authenticator
        radius server-group clearpass-scr
        enable

    aaa authentication port-access mac-auth
        radius server-group clearpass-scr
        enable


    interface 1/1/13
        no shutdown
        vlan trunk native 23
        vlan trunk allowed 10,23
        spanning-tree port-type admin-edge
        aaa authentication port-access allow-cdp-bpdu
        aaa authentication port-access allow-lldp-bpdu
        aaa authentication port-access client-limit 10
        aaa authentication port-access auth-mode multi-domain
        aaa authentication port-access dot1x authenticator
            cached-reauth
            cached-reauth-period 60
            max-eapol-requests 2
            enable
        aaa authentication port-access mac-auth
            enable
        client track ip enable
        client track ip update-interval 60

    =======================================================================

    The config on the machines is correct, and we even unchecked "Verify the server identity".

    Thanks for your time



    -------------------------------------------


  • 2.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:24 AM

    Why are you using MS-CHAPv2 in 2025? It uses broken encryption and is disabled by default in Windows. Why not use EAP-TLS? Also Windows 10 is almost EoL. Why not deploy and test with Windows 11? Why are you not verifying the server identity?

    -------------------------------------------



  • 3.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:33 AM

    Can you also describe your environment in more detail?

    With an EAP packet processing time of 123 ms I guess you don't have ClearPass and the switch in the same place, probably quite far apart. Correct?

    In that case, how is the communication between the site with the switch and client and ClearPass? VPN or SD-WAN over the Internet, or a leased line? What is the MTU size of the connection?

    Sometimes when timeouts are seen during EAP it's because EAP fragmentation happens for some packets. EAP fragmentation size can be adjusted in the RADIUS service settings in ClearPass.

    Totally agree with the mentioned questions from @ahollifield



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
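To make the fragmentation point above concrete, here is an added example (not from the thread or from ClearPass) that models how one server-to-client TLS flight inside EAP-PEAP is split into EAP fragments and RADIUS datagrams, and how fragment count times per-exchange latency adds up against a supplicant timeout. The 4000-byte handshake, the 1024-byte fragment size, the 1400-byte path MTU, the 80-byte allowance for other RADIUS attributes and the timeout are constructed assumptions, not ClearPass defaults; the 123 ms figure is the one mentioned in the thread.

```python
"""Added example: estimate EAP fragmentation and timing for one EAP-PEAP TLS flight.
Constants below are protocol facts; sizes passed in by callers are assumptions."""
import math
from dataclasses import dataclass

RADIUS_HDR = 20        # RADIUS header: code, identifier, length, authenticator
EAP_TLS_HDR = 10       # EAP header (4) + type (1) + flags (1) + TLS length field (4)
EAP_MSG_CHUNK = 253    # max payload per EAP-Message attribute (255 total minus type/length)
EAP_MSG_OVERHEAD = 2   # type + length bytes per EAP-Message attribute
IP_UDP_HDR = 28        # IPv4 (20) + UDP (8) headers
OTHER_ATTRS = 80       # constructed allowance for State, Message-Authenticator, etc.


@dataclass
class FragmentationPlan:
    fragments: int               # EAP-TLS fragments the server must send
    radius_datagram_bytes: int   # on-wire size of one Access-Challenge datagram
    ip_fragmented: bool          # True if that datagram exceeds the path MTU
    round_trips: int             # one switch<->ClearPass exchange per fragment (client ACKs each)
    estimated_ms: float          # round_trips * per-exchange latency


def plan(tls_bytes, eap_fragment_size, path_mtu, exchange_ms):
    """Split a TLS flight of tls_bytes into EAP fragments of eap_fragment_size and size the RADIUS datagrams."""
    fragments = math.ceil(tls_bytes / eap_fragment_size)
    eap_len = eap_fragment_size + EAP_TLS_HDR
    attr_count = math.ceil(eap_len / EAP_MSG_CHUNK)
    radius_len = RADIUS_HDR + eap_len + attr_count * EAP_MSG_OVERHEAD + OTHER_ATTRS
    datagram = radius_len + IP_UDP_HDR
    # Every fragment is acknowledged by the supplicant before the next is sent,
    # so each fragment costs one full Access-Request/Access-Challenge exchange.
    return FragmentationPlan(fragments, datagram, datagram > path_mtu,
                             fragments, fragments * exchange_ms)


def exceeds_timeout(p, timeout_ms):
    """True when the estimated flight time alone is longer than the supplicant/switch timeout."""
    return p.estimated_ms > timeout_ms


if __name__ == "__main__":
    for frag in (512, 1024, 1400):
        p = plan(4000, frag, 1400, 123)
        print(f"fragment={frag:5d}  fragments={p.fragments}  datagram={p.radius_datagram_bytes}B  "
              f"ip_fragmented={p.ip_fragmented}  est={p.estimated_ms:.0f}ms")
```

Lowering the fragment size avoids IP fragmentation of the RADIUS datagram but multiplies round trips, so on a high-latency path both knobs (fragment size versus MTU, and timeouts versus round trips) have to be considered together.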



  • 4.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:42 AM

    Hello,

    ClearPass and the switch are in the same place.

    Actually, the Active Directory is the one in another place; we use VPN to connect to Active Directory.

    -------------------------------------------



  • 5.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:55 AM

    As you are using EAP-PEAP, the client will communicate with the domain controller during the authentication phase. The traffic is encapsulated in the RADIUS packet between the switch and ClearPass.

    Do you have multiple domain controllers in different regions/networks where the connection from ClearPass can either be slow or blocked by a firewall? If you have domain controllers in more than one location you should also add Login Servers to the domain join settings, to configure ClearPass to talk to the correct DC.

    If you have a firewall between ClearPass and the domain controllers, verify that you have the correct port openings. With EAP-PEAP you will use NTLM and this requires the high RPC ports to be opened correctly. There are different port ranges depending on the OS version of the domain controllers. Check Microsoft documentation for the correct ports.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
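As an added example of the firewall and latency check this reply recommends (my own script, not ClearPass tooling), the following probes the TCP ports a domain-joined ClearPass node needs to reach on a domain controller for NTLM pass-through and flags ports that are filtered or slow to answer. The dynamic RPC ranges are the documented Windows Server defaults (1025-5000 for Server 2003, 49152-65535 for Server 2008 and later); the 100 ms "slow" threshold, the three sampled high ports and any host you pass in are assumptions.

```python
"""Added example: probe DC ports ClearPass needs for NTLM pass-through and summarise the results."""
import socket
import time
from dataclasses import dataclass

# Well-known AD ports used after a domain join; 135 is the RPC endpoint mapper that
# hands Netlogon/NTLM pass-through off to a port in the dynamic RPC range.
STATIC_PORTS = {88: "kerberos", 135: "rpc-epmap", 389: "ldap", 445: "smb"}
RPC_RANGES = {"2003": range(1025, 5001), "2008+": range(49152, 65536)}


@dataclass
class ProbeResult:
    port: int
    status: str        # "open", "closed" (RST, nothing listening) or "filtered" (timeout/unreachable)
    latency_ms: float


def probe(host, port, timeout=2.0):
    """TCP-connect to host:port and classify the outcome with the time it took."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ProbeResult(port, "open", (time.monotonic() - start) * 1000)
    except ConnectionRefusedError:
        # A refusal means the packet reached the host: no firewall in the way.
        return ProbeResult(port, "closed", (time.monotonic() - start) * 1000)
    except OSError:
        # Timeout or unreachable: consistent with a firewall dropping traffic.
        return ProbeResult(port, "filtered", (time.monotonic() - start) * 1000)


def sample_ports(dc_os="2008+", samples=3):
    """Static AD ports plus a few ports spread across the dynamic RPC range for that DC OS."""
    rng = RPC_RANGES[dc_os]
    step = max(1, len(rng) // samples)
    return list(STATIC_PORTS) + [rng[i * step] for i in range(samples)]


def assess(results, slow_ms=100.0):
    """Ports that look firewalled, and ports that answer but slowly (the 'slow or blocked' case)."""
    blocked = [r.port for r in results if r.status == "filtered"]
    slow = [r.port for r in results if r.status == "open" and r.latency_ms > slow_ms]
    return {"blocked": blocked, "slow": slow}


if __name__ == "__main__":
    dc = "dc.example.internal"   # placeholder: substitute the domain controller ClearPass joined
    results = [probe(dc, p) for p in sample_ports("2008+")]
    for r in results:
        print(f"{r.port:5d} {r.status:9s} {r.latency_ms:7.1f} ms")
    print(assess(results))
```

A "closed" result on a sampled high port is expected (nothing listens there until the endpoint mapper assigns it); only "filtered" points at the firewall, and "slow" on 135/389/445 points at the VPN path.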



  • 6.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:38 AM

    Hello,

    Since we don't have a PKI infrastructure, we stick to legacy MSCHAPv2.

    Why are you not verifying the server identity? : we are testing for now and to make sure it is not the issue

    Why not deploy and test with Windows 11 ? : we will need a EAP-TLS and a PKI infrastructure

    Thank you

    -------------------------------------------



  • 7.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:42 AM

    Step 1 should be to deploy a PKI infrastructure before you worry about any of this. 

    -------------------------------------------



  • 8.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 09:58 AM

    I wish I could, but this client's infrastructure is kind of old, they even have problems deploying GPO policies, so proposing a PKI infrastructure won't work.

    -------------------------------------------



  • 9.  RE: Client sometimes authenticating sometimes Timeout

    Posted Sep 18, 2025 10:09 AM

    I would say in that case the issues with network authentication may be a smaller issue for you. If you have issues with deploying GPOs you may have big problems in an Active Directory environment. This is something that should just work.

    I think a deep troubleshooting and update of the Windows environment is probably needed to solve these issues first. Otherwise you can't know if the authentication timeout in ClearPass is related to ClearPass communication or anything in the other infrastructure.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------