Controllerless Networks

Contributor I
Posts: 28
Registered: ‎06-24-2015

Onboard process isn't working, missing something

Hi

I hope someone can help, please. I am setting up onboarding, but it doesn't seem to work on the first authentication.

The environment is ClearPass 6.6, IAPs and Active Directory. What I'm trying to achieve is that Active Directory users can connect to BYOD and log in to onboard their devices. Then it downloads the cert and details so they don't need to log in again.


Basically, what I've set up so far:

1. Added ClearPass to AD.

2. Set up an AD authentication source using LDAP.

3. Set up a service for pre-auth.

[screenshot: ScreenHunter_17 Jul. 04 14.20.jpg]

4. Set up an authorization service.

[screenshot: ScreenHunter_18 Jul. 04 14.21.jpg]

5. Set up a provisioning service.

[screenshot: ScreenHunter_19 Jul. 04 14.23.jpg]


On the IAP I have set up the following:

Pre-auth role:

[screenshot: ScreenHunter_20 Jul. 04 14.24.jpg]

Captive portal set up as:

[screenshot: ScreenHunter_21 Jul. 04 14.25.jpg]


Should I be using RADIUS auth rather than AD (LDAP) auth?

I've followed the following article, but it then goes off on creating a local user:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-use-Onboard-with-single-SSID-on-IAP/ta-p/187404

Thanks


David

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Onboard process isn't working, missing something

Yes, RADIUS is used between the IAP and ClearPass.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 28
Registered: ‎06-24-2015

Re: Onboard process isn't working, missing something

Hi Tim


Thanks, but what about the ClearPass-to-AD piece?

It's not working at the moment, and I don't see anything in the logs.

Thanks


David

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Onboard process isn't working, missing something

Which part isn't working? The initial PEAP authentication, the onboard preauth, the onboard enrollment or the final EAP-TLS auth?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 28
Registered: ‎06-24-2015

Re: Onboard process isn't working, missing something

I connect to the BYOD network, and it prompts me for a username and password. I enter an AD user/password and it doesn't work.

What level of account is required for the AD LDAP authentication source? I think this part might be my issue.

Thanks

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Onboard process isn't working, missing something

What does the alert tab show?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 28
Registered: ‎06-24-2015

Re: Onboard process isn't working, missing something

It shows that the user couldn't be found.

[screenshot: ScreenHunter_22 Jul. 04 15.28.jpg]

It then tries with the machine account after this fails, which of course fails too.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Onboard process isn't working, missing something

The error is Unknown CA. If you're going to be doing single SSID onboard, you'll need a publicly signed RADIUS server certificate.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 554
Registered: ‎11-04-2011

Re: Onboard process isn't working, missing something

The message "fatal alert by client - unknown_ca" means that the client has been provisioned with TLS settings; however, it could not validate the (ClearPass) RADIUS server certificate. You will need to fix that in the Trust Settings in ClearPass, or verify that it is indeed the trust settings by unchecking 'validate server certificate' in the 802.1X settings on the client.

The unknown user messages mean that ClearPass could not find the onboard user in any of the three listed authentication sources, which also worries me a bit, as it may mean that once you get the certificate trust correctly configured, authentication may still fail on the validation of the user in AD (non-existent). What kind of user were you onboarding? Is that an AD user?


The method of authentication configured in your Instant AP Captive portal config is not really relevant, as it is not used for Onboarding. Normal captive portals do a Web Authentication to get access to the network; when Onboarding, before the moment you would do the web authentication you are switching to EAP-TLS. So you might even set it to the Internal user database on your Instant.


To me it seems that it probably makes sense to have someone (from Aruba TAC) walking through your configuration together with you as from here it seems to require more than a single configuration change to make this work.


Herman

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
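The two replies above describe the same failure from both sides: the device has been provisioned with an EAP-TLS profile, but the RADIUS server certificate ClearPass presents does not chain to any root the supplicant trusts, so the client aborts the handshake with unknown_ca. Tim's fix (a publicly signed RADIUS server certificate) and Herman's (push the issuing CA to the device via Onboard's Trust Settings) are two ways of making that chain build. The following Go program is an added example, not code from the thread or from Aruba; it builds two throwaway CAs (a constructed "public" root and a constructed Onboard CA), issues a server certificate from each, and runs the supplicant's chain check against three trust stores. The hostname clearpass.example.com and all certificates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is a constructed, throwaway certificate authority used only for this demo.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed root. IsCA/BasicConstraintsValid and the
// certSign key usage are what a chain builder requires of an issuer.
func newCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueServerCert issues a RADIUS/EAP server certificate for fqdn from this CA.
// serverAuth EKU is what supplicants expect on an EAP server certificate.
func (c *ca) issueServerCert(fqdn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: fqdn},
		DNSNames:     []string{fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// supplicantTrusts models the client-side server certificate check during
// the EAP-TLS handshake: the server certificate must chain to a root in the
// device's trust store. A nil return means the handshake would continue.
func supplicantTrusts(server *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownCA reports whether the failure is the "issuer not in my trust
// store" case, which a TLS client surfaces as the unknown_ca alert.
func isUnknownCA(err error) bool {
	var u x509.UnknownAuthorityError
	return errors.As(err, &u)
}

func main() {
	publicRoot, err := newCA("Constructed Public Root CA")
	if err != nil {
		panic(err)
	}
	onboardCA, err := newCA("Constructed Onboard CA")
	if err != nil {
		panic(err)
	}
	// Hypothetical ClearPass hostname; not from the thread.
	srvPrivate, _ := onboardCA.issueServerCert("clearpass.example.com")
	srvPublic, _ := publicRoot.issueServerCert("clearpass.example.com")

	// 1. Stock device trust store (public root only) + private-CA RADIUS cert: unknown_ca.
	fmt.Println("private-CA cert, public roots only:", supplicantTrusts(srvPrivate, publicRoot.cert))
	// 2. Same device, publicly signed RADIUS cert (Tim's fix): chain builds.
	fmt.Println("public-CA cert, public roots only:", supplicantTrusts(srvPublic, publicRoot.cert))
	// 3. Device provisioned with the Onboard CA in its EAP profile (Herman's fix): chain builds.
	fmt.Println("private-CA cert, Onboard CA provisioned:", supplicantTrusts(srvPrivate, publicRoot.cert, onboardCA.cert))
}
```

Case 1 is the thread's symptom, and the check is exactly where the device stops: it never gets to send a username, so ClearPass sees a TLS alert rather than a failed lookup. The unknown-user alerts are a separate problem on the server side, as Herman points out.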