  • 1.  RADIUS Client did not complete EAP transaction - fragmentation?

    Posted Oct 11, 2023 03:59 PM

    Hi everyone - We have noticed a large amount of timeouts with the alert "RADIUS Client did not complete EAP transaction".  We have a very large enterprise network spanning multiple subscribers over SDWAN.  Has anyone ever experienced issues with packet fragmentation and EAP-TLS?  I know it's a general question.

    Some scenarios we have seen are clients connecting with no issues, then they disconnect and show timeouts...then after a few minutes...they connect again.  This sometimes repeats, and for various clients.  I would appreciate any info...thanks!



  • 2.  RE: RADIUS Client did not complete EAP transaction - fragmentation?

    Posted Oct 11, 2023 04:36 PM

    Hi

    Have you verified the round trip time from the authenticator to the ClearPass server? Very long latency may cause timeouts, but from my experience this only starts when the latency is several hundred milliseconds.

    I don't think I have seen issues regarding EAP-TLS fragmentation, but that could be one possible issue. Another issue to investigate is if you have packet loss and the RADIUS UDP packets are lost in transit.

    This error message often indicates a problem with the client configuration. Do you have certificates issued by the same CA on all ClearPass servers, and is the root CA for the RADIUS certificate correctly configured on the client? Are there unique certificates on each ClearPass server in the cluster, or one shared certificate for all servers in the cluster, or at least for the servers that act as primary and secondary for each NAD?

    Do you have Windows clients configured with the option "Don't prompt users..." enabled?

    If this option isn't enabled and you have different certificates on the servers, you may get prompts to the users if the authentication has first been done by one ClearPass server and later by another. If the user ignores the prompt, the machine will not continue with the authentication and gets a timeout in ClearPass.

    Another thing to verify in the client configuration is if you have enabled the option "Connect to these servers" and have missed some ClearPass server names in the list. This will cause clients to refuse to authenticate with the server not listed in the client settings.

    Do the clients have more than one certificate installed for client authentication? In that case there are situations when the client may have issues selecting the correct certificate for the authentication.

    A few years ago I worked with a customer who had mostly 5400R switches, and the firmware they were running at that time (don't remember the version, maybe between 10.4 and 10.6) had a bug where the switch started to add one specific attribute multiple times in the RADIUS accounting packets. Initially this was not a problem, but when a RADIUS request contains more than 200 attributes ClearPass drops the packet. At least the version the customer had back then. Possibly 6.7 or 6.8.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: RADIUS Client did not complete EAP transaction - fragmentation?

    Posted Oct 12, 2023 08:42 AM

    Thank you Jonas for this reply.  This is good info.  We verified our wifi configurations, and it does not appear to only be happening to Windows clients.  So I am at a site that contains a subscriber and I have no problems.  I stay connected forever, no timeouts, etc.  I can roam all throughout the large site and stay connected.  This issue looks like it happens when you are at a "non-subscriber" location and across SD-WAN, etc.  This is what led me to believe that the entire EAP message is getting cut off by a firewall or MTU issue.  I'm thinking that we can maybe capture packets from AP to ClearPass and see if we can gather some additional information.

    Also, when a user times out...I do not see the client certificate in the ClearPass attributes.  So it sounds like something is getting dropped or cut off.

    Let me know thoughts...I appreciate any insight.  We will also be opening with TAC as well.




  • 4.  RE: RADIUS Client did not complete EAP transaction - fragmentation?

    Posted Oct 12, 2023 08:52 AM

    Hi

    Is this issue persistent over time, or has it started recently?

    Recalling a customer I worked with a few years back running ClearPass nodes in London and New York. One day we started to get reports of authentication issues all over Europe. The customer had a lot of VPN tunnels to Google GCP, and the authentication traffic was first sent from the office to GCP, then routed to the datacenter where the ClearPass server was hosted.

    After some troubleshooting we found out that the physical line between GCP and the datacenter had a 50 per cent packet loss...

    Have you checked the internet connections on the affected sites for packet loss?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: RADIUS Client did not complete EAP transaction - fragmentation?

    Posted Oct 12, 2023 09:01 AM

    Thank you Jonas.  So that is the next step.  I'm going to ask them to analyze these links.  Like you said, I think something is getting dropped or severely delayed.  Additionally, we know there are ClearPass capacity issues that are getting solved too.  So we are working with Aruba on that as well.  We are going to try and get some info today and I'll try and report back soon.  I appreciate the assistance.




  • 6.  RE: RADIUS Client did not complete EAP transaction - fragmentation?

    Posted Oct 12, 2023 01:12 PM

    Hi Jonas,

    In the ClearPass web GUI you can create a Wireshark capture. Do the same on the client and/or switch infrastructure while doing an authentication.

    One of the things that can happen is UDP fragmentation that is not passing your SD-WAN, firewall or load balancer.

    An EAP-TLS timeout means that the client or ClearPass sends a challenge and the response to that challenge does not reach the other end of the communication. Most likely the challenge-response of the client contains the computer certificate and can make a UDP packet that is bigger than the MTU size and becomes fragmented.

    UDP fragmentation is not allowed by many cloud providers, such as MS Azure.

    Maybe you can do a ping from the client to ClearPass with a fixed MTU size to determine what the max. MTU size is.

    Hope this helps



    ------------------------------
    Marcel Koedijk | MVP Expert 2023 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
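The fragmentation mechanism Marcel describes can be checked directly on a capture taken from ClearPass or the switch. The following is an added example, not code from the thread or from Aruba: it reassembles the EAP message from a RADIUS datagram's EAP-Message attributes, decodes the EAP-TLS L/M/S flags, and reports whether the UDP datagram (plus IPv4/UDP headers) would exceed a given path MTU. The sample Access-Request it builds is constructed here, with a zeroed Message-Authenticator as a placeholder.

```python
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80   # RADIUS attribute types (RFC 2869)
IP_UDP_OVERHEAD = 20 + 8                      # IPv4 + UDP headers added on the wire
EAP_TLS = 13                                  # EAP method type for EAP-TLS (RFC 5216)

def radius_attrs(pkt):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("RADIUS Length field does not match the datagram")
    pos = 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        yield atype, pkt[pos + 2:pos + alen]
        pos += alen

def analyze(pkt, path_mtu=1500):
    """Rebuild the EAP message, decode EAP-TLS flags, and flag oversize datagrams."""
    eap = b"".join(v for t, v in radius_attrs(pkt) if t == EAP_MESSAGE)
    on_wire = len(pkt) + IP_UDP_OVERHEAD
    info = {"radius_len": len(pkt), "on_wire": on_wire,
            "fragments_at_mtu": on_wire > path_mtu, "eap_len": None}
    if len(eap) >= 6 and eap[4] == EAP_TLS:
        flags = eap[5]
        info["eap_len"] = struct.unpack("!H", eap[2:4])[0]
        # L = TLS length field present, M = more fragments follow, S = EAP-TLS start
        info["eap_tls_flags"] = {"L": bool(flags & 0x80),
                                 "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if flags & 0x80:           # 4-byte total TLS message length follows the flags
            info["tls_total_len"] = struct.unpack("!I", eap[6:10])[0]
    return info

def build_access_request(tls_fragment, tls_total_len, more=True, eap_id=7):
    """Constructed sample: an Access-Request carrying one EAP-TLS fragment, split
    into EAP-Message attributes of at most 253 bytes (the RADIUS attribute limit)."""
    flags = 0x80 | (0x40 if more else 0)
    body = bytes([EAP_TLS, flags]) + struct.pack("!I", tls_total_len) + tls_fragment
    eap = struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body   # code 2 = Response
    attrs = b"".join(bytes([EAP_MESSAGE, 2 + len(chunk)]) + chunk
                     for chunk in (eap[i:i + 253] for i in range(0, len(eap), 253)))
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\0" * 16   # placeholder HMAC-MD5
    header = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + b"\0" * 16   # code 1, id 1
    return header + attrs
```

Running `analyze(build_access_request(b"\xaa" * 1450, 4300))` models a client-certificate fragment of 1450 bytes: the RADIUS datagram comes out at 1510 bytes, 1538 on the wire, so it fragments on a 1500-byte path, which is exactly the datagram a fragment-dropping firewall or load balancer would silently discard.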