Frequent Contributor I
Posts: 98
Registered: ‎01-27-2015

802.1x Authentication with onboard

I configured Onboard on ClearPass, and the iPad had the profile and certificate installed (ClearPass acts as the CA).

I tried to test 802.1X authentication. The authentication method is EAP-TLS, but the login status is reject because there are some alerts:

"Certificate Status unknown, Reason (UNKNOWN)
EAP-TLS: fatal alert by server - certificate_unknown
eap-tls: Error in establishing TLS session"

Is it about the CA on ClearPass or not?

MVP
Posts: 554
Registered: ‎11-04-2011

Re: 802.1x Authentication with onboard

The message EAP-TLS: fatal alert by server - certificate_unknown

means that your ClearPass (server) did not trust the client certificate that was sent by your client.

Please check from here that the issuing CA (your Onboard CA, full chain) is in the ClearPass Trust list and enabled, and that the certificate revocation check is possible (or disable the revocation check for now).

This is a bit strange, as when you configure your Onboard CA, it should be injected in the trust-list automatically. Also check the time/date/clock on client and ClearPass and other components like the controller/AP.

Does this give you enough to continue troubleshooting? If not, it may help to get Aruba TAC involved as this does not look right.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Aruba Employee
Posts: 18
Registered: ‎04-28-2009

Re: 802.1x Authentication with onboard

It appears that you have used the authentication method [EAP TLS With OCSP Enabled] but do not have an appropriate OCSP URL configured.

Please try with [EAP TLS] authentication method in the Onboard 802.1x service and let us know an update.

Frequent Contributor I
Posts: 98
Registered: ‎01-27-2015

Re: 802.1x Authentication with onboard

Hello Herman Robers,

After I changed the common name on the CA from a name to the IP address of ClearPass, it works! User authentication is successful, but I have a little concern. Now we provision devices via HTTP. Actually, it is not secure, so I am trying to force users to use HTTPS instead of HTTP.

The result is that the iOS device cannot install the profile. There is an alert that says "the server certificate is invalid". How do I solve it? Is a public certificate required?

Thank you

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: 802.1x Authentication with onboard

You should not be using an IP address in the certificate. The HTTPS certificate needs to be publicly signed.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 98
Registered: ‎01-27-2015

Re: 802.1x Authentication with onboard

What is the difference between TLS with OCSP and TLS? I remember that when I configured it, I had to copy the OCSP URL and place it in TLS with OCSP (in Configuration > Authentication > Method).

Suggest me please

MVP
Posts: 554
Registered: ‎11-04-2011

Re: 802.1x Authentication with onboard

Where exactly did you change the Common Name? There are CNs in more than one place.

OCSP = Online Certificate Status Protocol, which is a method of validating that the certificate is still valid. My suggestion to use the EAP-TLS method (without OCSP checking) was to rule out whether your issue was caused by the OCSP checking.

I'd suggest that you seek assistance (partner, Aruba TAC) in getting this designed right. This isn't something that you should fix by trial and error; you need to have it designed right in the first place. In case you really want to do it yourself, please read and understand the ClearPass Certificates 101 Technote. Setting up Onboarding and TLS authentication is not difficult, but it must be done right from the beginning.

What you will probably end up with:

- ClearPass HTTPS certificate publicly trusted, signed by a public CA; this is needed to get iOS onboarding to work most reliably, and to avoid certificate errors for still unconfigured (pre-onboarding) clients.

- ClearPass RADIUS certificate can be either from your private CA or from a public CA; check the Technote on when to pick what.

- Client certificates issued by the ClearPass Onboard internal CA (only need to be trusted by ClearPass); OCSP URL set to http://127.0.0.1/guest/mdps_ocsp.php/4 where 4 is the internal number of your CA.

My sincere apologies if I sound rude; certificates appear to be challenging in general, and if you do it right it works perfectly. If you make a small error at the beginning of the process it will chase you to the end. And as things depend on the details, it is highly unlikely that this forum will give you the most optimal solution. Your ClearPass partner, local Aruba SE, or the Aruba TAC can go through the details with you and find the optimal solution for your deployment.

I started a video series on ClearPass hands-on yesterday that at a certain point will cover certificates as well; however, the certificate coverage may be a few weeks out from now as I have limited time to produce those videos. Onboarding will probably be covered within 1-2 months. I expect that you can't wait that long.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
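The three server-side checks the replies above point at (is the issuing CA in the RADIUS server's trust list, is the clock right, and is the HTTPS certificate named by a DNS name rather than an IP address) can be reproduced with a throwaway CA and plain OpenSSL. The script below is an added example for this thread; it is not code from the posters or from ClearPass, and every name and address in it (lab-onboard-ca, some-other-ca, ipad-user@example.test, clearpass.example.test, 10.0.0.5) is made up. It cannot show a publicly signed HTTPS certificate; it only shows what the server's accept/reject decision looks like when the issuer is missing or the clock is skewed, and what the SAN of an IP-named certificate looks like next to a DNS-named one.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the server-side decision behind
# "certificate_unknown" with a throwaway CA so the failure modes discussed
# above can be reproduced outside ClearPass. All names and addresses below
# (lab-onboard-ca, some-other-ca, ipad-user, clearpass.example.test, 10.0.0.5)
# are made up.
set -e
command -v openssl >/dev/null || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
cd "$WORK"

q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# 1. A private CA standing in for the Onboard CA, and a client cert it issued.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 3650 -subj "/CN=lab-onboard-ca"
q openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=ipad-user@example.test"
q openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out client.pem -days 365

# 2. An unrelated CA: what the RADIUS server effectively has when the
#    Onboard CA is missing from, or disabled in, its trust list.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
    -days 3650 -subj "/CN=some-other-ca"

# 3. Two HTTPS server certs: one named by IP address, one by DNS name.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout ip.key -out ip.pem \
    -days 365 -subj "/CN=10.0.0.5" -addext "subjectAltName=IP:10.0.0.5"
q openssl req -x509 -newkey rsa:2048 -nodes -keyout dns.key -out dns.pem \
    -days 365 -subj "/CN=clearpass.example.test" \
    -addext "subjectAltName=DNS:clearpass.example.test"

# check_chain TRUST_FILE [openssl-verify options]
# Prints "accept" when client.pem chains to a CA in TRUST_FILE, otherwise
# "reject": the yes/no a RADIUS server makes before sending the EAP-TLS alert.
check_chain() {
    trust=$1; shift
    if openssl verify -CAfile "$trust" "$@" client.pem >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# san_names CERT: prints the subjectAltName entries of CERT without spaces,
# e.g. "DNS:clearpass.example.test" or "IPAddress:10.0.0.5".
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Stand-alone demo. The -attime value is 2000-01-01 00:00 UTC, i.e. a server
# whose clock is far behind; the same certificate is then "not yet valid".
echo "issuer in trust list:      $(check_chain ca.pem)"
echo "issuer not in trust list:  $(check_chain other.pem)"
echo "clock skewed to 2000:      $(check_chain ca.pem -attime 946684800)"
echo "IP-named HTTPS cert SAN:   $(san_names ip.pem)"
echo "DNS-named HTTPS cert SAN:  $(san_names dns.pem)"
```

The first two `check_chain` calls are the trust-list test Herman describes: the same client certificate is accepted when its issuer is in the CA file and rejected when it is not. The `-attime` call is the clock test: nothing about the certificate changed, only the verifier's notion of "now". The two `san_names` calls show why an IP-named certificate is the wrong shape for an iOS onboarding portal reached by hostname: the name the client typed has to match a DNS entry in the SAN, and a public CA will only issue that for a name you control.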