Occasional Contributor II
Posts: 16
Registered: 10-19-2011

CPPM OnBoard for Androids

Hello AirHeads!

I have a problem onboarding Android devices on a customer site.

I have CPPM 6.0.1 running (now upgrading to 6.1.0; maybe it helps?).

Configuration works well for i*devices and OS X.

But for an Asus Nexus with Android OS there is a problem:

- connect to ESSID
- authenticate with user/pass
- do OnBoarding with the app from Google Play

BUT

- when reconnecting, in CPPM Access Tracker there is a REJECT with the error "RADIUS: EAP-PEAP: fatal alert by client - unknown_ca"

On the client's device it looks like the CA from CPPM was installed before.

Please give me any idea about it.

Thank you.

Jaroslav

Occasional Contributor II
Posts: 16
Registered: 10-19-2011

Re: CPPM OnBoard for Androids

Hello.

I installed CPPM 6.1.0 yesterday and made the configuration from scratch.

Now Android works fine with OnBoarding, BUT...

...I have a problem with iOS devices.

OnBoarding is done OK, but when reconnecting to the ESSID there is an error in CPPM:

RADIUS: Could not verify OCSP response EAP-TLS: fatal alert by server - certificate_unknown

Any idea what's wrong?

Thank you.

Jaroslav

Occasional Contributor II
Posts: 16
Registered: 10-19-2011

Re: CPPM OnBoard for Androids

Hello!

I have a workaround, but it does not solve the problem.

I changed in CPPM:

Services - Onboard Provisioning - Aruba - Authentication - Authentication Method:

REMOVE: EAP-TLS with OCSP Enabled
ADD: EAP-TLS

It now works for iOS.

Jaroslav

Aruba Employee
Posts: 12
Registered: 10-24-2012

Re: CPPM OnBoard for Androids

You probably will want to open a TAC case on this one; TLS is a pain and there are so many little things that could go wrong that it will be almost impossible to troubleshoot over the message board.

My guess is that the device has the OCSP URL embedded in the certificate and that URL no longer exists after upgrading. Try removing the profile from the iOS device and make sure that the root and device certificate are gone.

Also:

If you go to Guest and look at Onboard > Certificate Authority Settings, look at the OCSP URL.

That URL has to be resolvable by the device, and if it doesn't match what is embedded in the certificate, then you need to edit the TLS method in CPPM and use the certificate override field, putting in what matches on the Guest side. This will override the embedded URL on the certificate and use the one specified.

Also:

iOS has some security things that they don't tell you about; specifically, if CPPM's server certificate is signed by a root that does not contain a common name, then it will fail.

Right now Entrust (GoDaddy) and VeriSign are signing certs that have roots without the CN. You have to specifically request one that does. I think we might have just started ignoring that problem in 6.1.1.

Again, this is only for the cert that signs the CPPM server, not the CA root configured in Onboard/Guest.

Don't know if this is much help, but hey, at least someone responded :)
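The two checks in the reply above (which OCSP URL is embedded in the server certificate, and whether the issuing root carries a CN) can be done with the openssl command line before opening a TAC case. The script below is an added example, not code from the thread or from Aruba: it builds a throwaway two-tier lab PKI, then inspects the server certificate the same way you would inspect the real CPPM server certificate. It assumes `openssl` (1.1.1 or newer) is on the PATH; the hostnames, the OCSP responder URL and the CA subjects are constructed placeholders under `.invalid`.

```shell
#!/bin/sh
# Added lab example (not from the thread or from Aruba): build a tiny two-tier
# PKI with openssl, then inspect the server certificate the way the reply above
# suggests: which OCSP URL is embedded, and does the issuing root carry a CN?
# Everything below is constructed; hostnames use .invalid and are placeholders.
set -e

# make_lab_certs DIR CA_SUBJECT
# Creates DIR/ca.pem (self-signed root with the given subject) and
# DIR/server.pem (a server cert signed by that root, carrying an OCSP
# responder URL in the Authority Information Access extension).
make_lab_certs() {
    dir=$1
    ca_subject=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$ca_subject" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=cppm.example.invalid" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Constructed OCSP URL; on a real cert this is whatever the CA embedded.
    printf '%s\n' \
        'authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/ocsp' \
        'extendedKeyUsage = serverAuth' > "$dir/ext.cnf"
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -out "$dir/server.pem" 2>/dev/null
}

# ocsp_uri CERT: print the OCSP responder URL embedded in CERT (empty if none).
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# issuer_has_cn CERT: print "yes" if the issuer name on CERT contains a CN
# attribute, "no" otherwise. RFC2253 formatting keeps the output stable across
# openssl versions (e.g. "issuer=CN=Example Root,O=Example CA").
issuer_has_cn() {
    if openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | grep -q 'CN='; then
        echo yes
    else
        echo no
    fi
}

# ocsp_uri_matches CERT EXPECTED_URL: "match" when the embedded responder URL
# equals the URL configured on the authentication server, else "mismatch"
# (the mismatch case is where the reply says to use the override field).
ocsp_uri_matches() {
    if [ "$(ocsp_uri "$1")" = "$2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Demo: a root without a CN (the case the reply warns about) and one with it.
work=$(mktemp -d)
mkdir -p "$work/nocn" "$work/cn"
make_lab_certs "$work/nocn" "/O=Example CA"
make_lab_certs "$work/cn" "/O=Example CA/CN=Example Root"
echo "embedded OCSP URL:     $(ocsp_uri "$work/nocn/server.pem")"
echo "root without CN -> CN? $(issuer_has_cn "$work/nocn/server.pem")"
echo "root with CN    -> CN? $(issuer_has_cn "$work/cn/server.pem")"
echo "URL vs. configured:    $(ocsp_uri_matches "$work/nocn/server.pem" http://ocsp.example.invalid/ocsp)"
```

Against a production CPPM you would point `ocsp_uri` and `issuer_has_cn` at the exported server certificate (and `ocsp_uri_matches` at the OCSP URL shown under Onboard > Certificate Authority Settings) instead of the lab files; a `mismatch` or a `no` lines up with the two failure causes described in the reply.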

Occasional Contributor II
Posts: 16
Registered: 10-19-2011

Re: CPPM OnBoard for Androids

Thank you for the answer.

I'll check it.

Jaroslav
