I took another close look at the EAP flow; everything was really correct. But now I've finally found the error. I was able to read from the phone's system log that it was not able to read the client certificate's private key. The Yealink phone actually needs a .pem with, in my case, the device and intermediate CA certificates and an unencrypted private key. Thanks to all for the help!
Original Message:
Sent: Mar 12, 2025 01:14 PM
From: willembargeman
Subject: EAP-TLS timeout issue with Clearpass as radius server
Can you create a screenshot of the complete EAP handshake? Please include the source and destination field. I'm curious what is in the Request, TLS EAP (EAP-TLS) packet. You can also send me a DM
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Mar 12, 2025 08:24 AM
From: pingking
Subject: EAP-TLS timeout issue with Clearpass as radius server
Thank you very much for the offer. Actually, I would not want to publish this due to internal company information. What would you look up? Maybe this will help me already.
Original Message:
Sent: Mar 11, 2025 01:33 PM
From: willembargeman
Subject: EAP-TLS timeout issue with Clearpass as radius server
Is it possible to share the PCAP file?
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Mar 11, 2025 09:11 AM
From: pingking
Subject: EAP-TLS timeout issue with Clearpass as radius server
Thanks for your posts. So far I have not been able to get it to work.
The phone just doesn't send a TLS client hello and the authentication times out.
Here is a trace that I made using port mirror:

So I think the phone doesn't like my certificates.
Anybody here who has experience with Yealink Phones?
Original Message:
Sent: Mar 08, 2025 04:06 PM
From: ariyap
Subject: EAP-TLS timeout issue with Clearpass as radius server
Perhaps this link can help you
Using Security Certificates on Yealink IP Phones
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Mar 08, 2025 11:09 AM
From: chulcher
Subject: EAP-TLS timeout issue with Clearpass as radius server
Should only need the root certificate for the CA that signed your RADIUS certificate.
I've little idea what the phone requires as I've never heard of that brand. What OS is it running? Mobile devices generally should be provisioned using a device management platform, manual configuration can be overly challenging.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 08, 2025 10:36 AM
From: pingking
Subject: EAP-TLS timeout issue with Clearpass as radius server
Thank you for your explanation. My question was about the certificates required by the Yealink phone. It needs the CA certificate and a client certificate, each as a file. I cannot find more documentation by Yealink.
Is the CA certificate only the root certificate, or does it need a certificate file that contains the root and intermediate CA certificates?
How should the client certificate file (.pem) be structured? Only private key + leaf cert?
Or the whole chain: private key + leaf cert + intermediate CA cert + root CA cert? And in which order in the .pem file?
I am currently testing 802.1X/EAP-TLS with a Yealink phone and getting a timeout as described in this thread. So I think it's because of the certificates.
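An added example, not from the thread, that checks a client .pem for the layout the original poster eventually reported as working (top of the thread): device certificate plus intermediate CA certificate plus an unencrypted private key. It is stdlib Python; the sample bundles are constructed placeholders (not real key material), and the function names and checks are mine, not Yealink's. It checks PEM framing, block types and base64 validity only, not signatures or whether the key matches the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return [(label, body)] for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def _base64_ok(body):
    """True if the body (minus any 'Key: value' header lines) decodes as base64."""
    try:
        base64.b64decode("".join(ln for ln in body.split("\n") if ":" not in ln), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def lint_phone_bundle(text, expected_certs=2):
    """Return findings as strings; an empty list means the bundle looks acceptable."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (DER file or wrong file type?)"]
    findings = []
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    if len(certs) != expected_certs:
        findings.append(f"expected {expected_certs} certificates (leaf + intermediate), found {len(certs)}")
    if len(keys) != 1:
        findings.append(f"expected exactly one private key, found {len(keys)}")
    for label, body in keys:
        # PKCS#8 encrypted keys carry their own label; legacy PEM flags encryption in a header line
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is encrypted; the phone cannot read it without the passphrase")
    findings += [f"{label} block is not valid base64 (truncated or corrupted?)"
                 for label, body in blocks if not _base64_ok(body)]
    return findings


def _fake_block(label, payload, headers=""):
    """Constructed sample: syntactically valid PEM around placeholder bytes, NOT real key material."""
    return f"-----BEGIN {label}-----\n{headers}{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


_ENC_HDR = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123456789ABCDEF\n\n"
GOOD_BUNDLE = (_fake_block("CERTIFICATE", b"placeholder leaf cert")
               + _fake_block("CERTIFICATE", b"placeholder intermediate CA cert")
               + _fake_block("PRIVATE KEY", b"placeholder PKCS#8 key"))
ENCRYPTED_BUNDLE = (GOOD_BUNDLE[:GOOD_BUNDLE.index("-----BEGIN PRIVATE")]
                    + _fake_block("RSA PRIVATE KEY", b"placeholder legacy key", headers=_ENC_HDR))
```

Run `lint_phone_bundle(open("client.pem").read())` on the file before uploading it to the phone; an encrypted key or a missing intermediate is reported before the 802.1X timeout ever appears.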
Original Message:
Sent: Mar 07, 2025 11:49 AM
From: chulcher
Subject: EAP-TLS timeout issue with Clearpass as radius server
Which certificate?
ClearPass expects the certificates that are being installed to have at minimum the intermediates included in the certificate bundle at the time of installation, and supports or can require the root in some cases.
If you're talking about the client EAP-TLS, the client supplicant should be providing the intermediate as part of the client certificate and the root must be trusted by ClearPass.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 07, 2025 03:58 AM
From: pingking
Subject: EAP-TLS timeout issue with Clearpass as radius server
I know this is an old thread but can you remember how the certificate must be issued? Does the whole chain have to be included if you have an intermediate CA? Or just the certificate itself and the private key?
Original Message:
Sent: Sep 18, 2023 01:33 PM
From: ClearRad89
Subject: EAP-TLS timeout issue with Clearpass as radius server
Thank you for all of the help. I just wanted to confirm that the issue was with the Yealink phone. Just had to work on finding the proper cert combination to put into the phone. Now the configuration is working fine.
Original Message:
Sent: Sep 11, 2023 12:02 PM
From: Herman Robers
Subject: EAP-TLS timeout issue with Clearpass as radius server
Does this only show on these Yealink devices?
Do other clients authenticate properly with EAP-TLS?
If you can, run a port mirror on the switch and a RADIUS capture on the ClearPass to see what EAP/RADIUS negotiation is going on, and more specifically the point where the authentication stops.
Note that some IoT-like devices may not support modern cryptography and still use obsolete algorithms like MD5, SHA-1, RC4. From the packet capture you may find out what is being exchanged and from there find what your phone, switch or ClearPass doesn't like.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 08, 2023 12:16 PM
From: ClearRad89
Subject: EAP-TLS timeout issue with Clearpass as radius server
The CA cert has been installed on the phone. I did turn on dot1x debugging on the Cisco switch. I see this:
So it looks like the phone tries to start dot1x. It somehow is getting all the way to ClearPass based on the ClearPass logs. But as you can also see, it seems to dequeue the packet right away as well. I left the logs on for a while and it is always these same messages. I never see the switch responding to the phone's EAPOL packet. So does that seem like a switch config problem, or do you still think it's a cert problem? (Another teammate made the certs and installed them on the phone and ClearPass, so I hope those aren't the issue.)
Original Message:
Sent: Sep 08, 2023 11:34 AM
From: bd_87
Subject: EAP-TLS timeout issue with Clearpass as radius server
How is the RADIUS cert being trusted by the phone? Have you used some method of installing the CA that signed the RADIUS cert? In my experience, TIMEOUT messages are almost always cert trust related.
Any way you can do a packet capture between the phone and cppm and filter for EAP packets?
------------------------------
ACNSP | ACCP | ACMP | ACEP
Original Message:
Sent: Sep 07, 2023 03:57 PM
From: ClearRad89
Subject: EAP-TLS timeout issue with Clearpass as radius server
Hello,
My colleague and I are testing 802.1x and EAP-TLS with certs being used for authentication for our Yealink VOIP phones. We can see authentication attempts on Clearpass in the Access Tracker, but the login status continually says "TIMEOUT". When I click on an Access Tracker record and go to the "Input" tab under "Radius Request", I see the appropriate IP address of the phone, NAS IP address of the Cisco switch, and even see the port that the phone is connected to. However, obviously something isn't working right.
In the logs for an access tracker record I see these in red near the beginning:
ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid
ERROR RadiusServer.Radius - reqst_clean_list: Packet
However, there are many lines after that in the log. I see these lines in orange about 5 lines above the end of the log:
[RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101598 c=R00001606-01-64fa23e7] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
[RequestHandler-1-0x7f5490de6700 r=R00001606-01-64fa23e7 h=101595 c=R00001606-01-64fa23e7] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
Has anyone seen this issue before with Clearpass, a cisco switch, and a Yealink phone? Any ideas what I should try to check next?