Here’s a “learn from my recent experience” type post
The problem: Clients are unable to authenticate from a new Wi-Fi network that has been added
Observations:
- ClearPass appears to be working fine
- Clients are successfully authenticating from the existing network using EAP-TLS
- A Policy Manager service has been configured for the new network and incoming requests are correctly categorised
- Authentication attempts from the new network are rejected, seen in Access Tracker
- Failing auths are showing as an outer type of EAP, not EAP-TLS
- No certificate content is shown in the computed attributes of the failed auths
- Apple Mac clients are able to authenticate to the new network successfully, managed windows clients are not. The same clients work fine on the existing network.
The obvious conclusion is this the new network is incorrectly configured, and this turned out to be the case, but it what’s wrong… The last point in the observations was particularly interesting and threw a spanner at the “network config error” idea, because if the network config is wrong why can a Mac authenticate… is it the client? What’s the difference?
Connections from the new network were proxied via another RADIUS server. This is because the solution uses RADSEC and the new network Wi-Fi controllers don’t support RADSEC.
The information provided by Access Tracker appeared to show insufficient information for the auth to be successful. Crucially there was no client certificate information and the outer method showing as just EAP was… odd.
Looking at the logs for an auth showed an error early in the process:
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
Ultimately here’s what the problem was… The proxy forwarding these authentications had a default to strip information from the username. Windows clients which presented the username as host\<hostname>.<domain> had this stripped back to just the hostname. So the TLS tunnel outer username presented to ClearPass became hostname$. The Mac clients didn’t present the FQDN as the username so nothing was stripped.
ClearPass performs a check on the Outer Identity of the TLS tunnel and the Inner Identity. If the outer identity is valid and the inner identity differs the auth will fail. In the case of EAP-TLS the error above will be displayed in the logs and the auth will fail.
The Outer and Inner identity either must match or the Outer Identity can be set to Anonymous.
Note this applies to EAP-PEAP and EAP-TLS. EAP-TTLS may also have issues with mismatches… basically make sure it all matches, don’t have anything strip data from the outer identity unless it’s being set to Anonymous.
The solution to this was to disable the domain stripping on the proxy.
For anyone who’s found this post after running into this issue, take heart that information presented by Access Tracker is not at all helpful in understanding why the auth has failed. It appears the certificate hasn’t been presented at all when in fact that data just isn’t presented to you.
The error message tells you exactly what’s wrong, once you understand how it works.