Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Android with Cisco WLC and CPPM

  • 1.  Android with Cisco WLC and CPPM

    Posted Aug 22, 2016 11:23 AM

    Hey All,

    I'm having a tough time getting an Android device to authenticate through a Cisco WLC (ver 8.2) to CPPM (ver 6.5.3) with EAP-TLS.

    Our configuration works fine for Windows and Mac laptops, Apple iOS devices, and Windows phones. It is only the Android devices that are not working.

    We have an older Trapeze controller (remember these?) system that we are replacing. It works great with the Android devices.

    I've been working very closely with the Cisco team and have gathered traces in the air and on the wire. It looks like the certificate is reaching CPPM. It's just not handling the request. I was thinking about upgrading the version of CPPM to see if that helps. I'll also open a case with Aruba support.

    Has anyone else experienced this issue?

    --Patrick



  • 2.  RE: Android with Cisco WLC and CPPM

    EMPLOYEE
    Posted Aug 22, 2016 11:25 AM

    There is a huge variability in device configuration for EAP-TLS on Android. Depending on the manufacturer (generic Android, HTC, Samsung), the EAP-TLS supplicant configuration will be different. Did you import the CA certificate as well as the client certificate on the Android device?



  • 3.  RE: Android with Cisco WLC and CPPM

    Posted Aug 22, 2016 02:07 PM

    We have a variety of Android device vendors to test with. I don't have a list of them now. None are working with the Cisco/CPPM setup. These same devices work fine if we take them to one of the locations with the older Trapeze/CPPM setup.

    I'll double-check the certificate, but I do think that the CA cert is installed on each device.



  • 4.  RE: Android with Cisco WLC and CPPM

    EMPLOYEE
    Posted Aug 22, 2016 02:53 PM
    The controller should not really matter because it is just a RADIUS passthrough, unless you are doing EAP termination on the Trapeze controller.


  • 5.  RE: Android with Cisco WLC and CPPM

    Posted Aug 25, 2016 03:12 PM

    I figured this out. It turned out to be an issue with how certificates are being deployed by our MDM solution, which is Mobile Iron. I removed all Mobile Iron configs and manually placed a cert on the device and everything works well. I suspect that our MDM solution is not getting the intermediate or root cert in place. I will work with our Mobile Iron admins to figure that out.