Controllerless Networks


Onboard process isn't working, missing something

  • 1.  Onboard process isn't working, missing something

    Posted Jul 04, 2016 12:33 AM

    Hi

    I hope someone can help please. I am setting up onboarding, but it doesn't seem to work on the first authentication.

    The environment is ClearPass 6.6, IAPs and Active Directory. What I'm trying to achieve is that Active Directory users can connect to BYOD and log in to onboard their devices. It then downloads the cert and details so they don't need to log in again.

    Basically, what I've set up so far:

    1. Added the ClearPass to the AD

    2. Set up an AD authentication source using LDAP.

    3. Set up a service for Pre-Auth

    [screenshot: ScreenHunter_17 Jul. 04 14.20.jpg]

    4. Set up an Authorization service

    [screenshot: ScreenHunter_18 Jul. 04 14.21.jpg]

    5. Set up a provisioning service:

    [screenshot: ScreenHunter_19 Jul. 04 14.23.jpg]

    On the IAP I have set up the following:

    Pre-auth role:

    [screenshot: ScreenHunter_20 Jul. 04 14.24.jpg]

    Captive portal set up as:

    [screenshot: ScreenHunter_21 Jul. 04 14.25.jpg]

    Should I be using RADIUS auth rather than AD (LDAP) auth?

    I've followed the following article, but it then goes off on creating a local user:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Onboard-with-single-SSID-on-IAP/ta-p/187404

    Thanks


    David



  • 2.  RE: Onboard process isn't working, missing something

    EMPLOYEE
    Posted Jul 04, 2016 12:42 AM
    Yes, RADIUS is used between the IAP and ClearPass.


  • 3.  RE: Onboard process isn't working, missing something

    Posted Jul 04, 2016 01:15 AM

    Hi Tim

    Thanks, but what about the ClearPass to AD piece?

    It's not working at the moment and I don't see anything in the logs.

    Thanks


    David



  • 4.  RE: Onboard process isn't working, missing something

    EMPLOYEE
    Posted Jul 04, 2016 01:20 AM
    Which part isn't working? The initial PEAP authentication, the onboard preauth, the onboard enrollment or the final EAP-TLS auth?


  • 5.  RE: Onboard process isn't working, missing something

    Posted Jul 04, 2016 01:25 AM

    I connect to the BYOD network and it prompts me for a username and password. I enter the AD user/password and it doesn't work.

    What level of account is required for the AD LDAP authentication source? I think this part might be my issue.

    Thanks



  • 6.  RE: Onboard process isn't working, missing something

    EMPLOYEE
    Posted Jul 04, 2016 01:27 AM
    What does the alert tab show?


  • 7.  RE: Onboard process isn't working, missing something

    Posted Jul 04, 2016 01:30 AM

    It shows that the user couldn't be found.

    [screenshot: ScreenHunter_22 Jul. 04 15.28.jpg]

    It then tries with the machine account after this fails, which of course fails too.



  • 8.  RE: Onboard process isn't working, missing something

    EMPLOYEE
    Posted Jul 04, 2016 09:22 AM
    The error is Unknown CA. If you're going to be doing single SSID onboard, you'll need a publicly signed RADIUS server certificate.


  • 9.  RE: Onboard process isn't working, missing something

    EMPLOYEE
    Posted Jul 05, 2016 02:51 AM

    The message "fatal alert by client - unknown_ca" means that the client has been provisioned with TLS settings; however, it could not validate the (ClearPass) RADIUS server certificate. You will need to fix that in the Trust Settings in ClearPass, or confirm that it is indeed the trust settings by unchecking 'validate server certificate' in the 802.1X settings on the client.

    The unknown user messages mean that ClearPass could not find the onboard user in any of the three listed authentication sources, which also worries me a bit, as it may mean that, even once you get the certificate trust configured correctly, authentication may still fail on the validation of the user in AD (non-existent). With what kind of user were you onboarding? Is that an AD user?

    The method of authentication configured in your Instant AP captive portal config is not really relevant, as it is not used for Onboarding. Normal captive portals do a web authentication to get access to the network; when onboarding, before the moment you would do the web authentication, you are switching to EAP-TLS. So you might even set it to the internal user database on your Instant.

    To me it seems that it probably makes sense to have someone (from Aruba TAC) walk through your configuration together with you, as from here it seems to require more than a single configuration change to make this work.

    Herman


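An added illustration of the trust failure Herman describes (this is not code from the thread, from ClearPass or from Aruba): a supplicant that was provisioned with only the Onboard CA validates a RADIUS server certificate issued by a different CA, and the same certificate passes once that CA is in the provisioned trust list. All certificates are generated in memory; the CA names and the host `clearpass.example.test` are assumed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const radiusHost = "clearpass.example.test" // name on the constructed RADIUS server cert (assumed)

// Mint returns a certificate for cn and its throwaway P-256 key. With isCA it is
// a self-signed root; otherwise it is a server certificate signed by parent/parentKey.
func Mint(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key // self-signed root
	} else {
		t.DNSNames = []string{cn} // server name the supplicant expects
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// SupplicantCheck models the provisioned EAP-TLS client: it validates the RADIUS server
// certificate using only the CAs pushed to it during Onboard. "unknown_ca" is the outcome
// behind the "fatal alert by client - unknown_ca" entry seen in the thread.
func SupplicantCheck(server *x509.Certificate, provisioned ...*x509.Certificate) string {
	roots := x509.NewCertPool()
	for _, ca := range provisioned {
		roots.AddCert(ca)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: radiusHost})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown_ca"
	}
	return "other: " + err.Error()
}
```

The same check explains why a publicly signed RADIUS certificate (post 8) or the correct Trust Settings (post 9) resolve it: either the issuing CA is already in the client's trust list, or Onboard must push it there.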



  • 11.  RE: Onboard process isn't working, missing something

    Posted Jul 11, 2016 01:51 AM

    Hi Herman

    I ended up logging a TAC case, where they found the issue.

    In the provisioning service, I didn't have the authentication methods correct. They needed to be set to EAP-TLS and EAP-PEAP, as well as the enforcement policy: outer method equals EAP-TLS, enforce the post-provisioning policy.

    I also had to make some adjustments to the QuickConnect profile package, but it's all working now.


    Cheers

    David