06-10-2013 06:14 AM
I have a problem with OnBoarding Android devices at a customer site.
I have CPPM 6.0.1 running (now upgrading to 6.1.0; maybe that helps?).
The configuration works well for i*devices and OS X.
But for the Asus Nexus with Android OS there is a problem:
- connect to ESSID
- authenticate with user/pass
- do OnBoarding with app from Google Play
- when reconnecting, the CPPM Access Tracker shows a REJECT with the error "RADIUS: EAP-PEAP: fatal alert by client - unknown_ca"
On the client's device it looks like the CA from CPPM was installed before.
Please give me any ideas about it.
06-11-2013 01:38 AM
I installed CPPM 6.1.0 yesterday and made the configuration from scratch.
Now Android works fine with OnBoarding, BUT...
...I have a problem with iOS devices.
OnBoarding finishes OK, but when reconnecting to the ESSID there is an error in CPPM:
RADIUS: Could not verify OCSP response
EAP-TLS: fatal alert by server - certificate_unknown
Any idea what's wrong?
06-11-2013 03:46 AM
I have a workaround, but it does not solve the problem.
I changed in CPPM:
Services - Onboard Provisioning - Aruba
- Authentication - Authentication Method:
REMOVE: EAP-TLS with OCSP Enabled
It now works for iOS.
06-12-2013 02:46 PM
You probably will want to open a TAC case on this one; TLS is a pain and there are so many little things that could go wrong that it will be almost impossible to troubleshoot over the message board.
My guess is that the device has the OCSP URL embedded in the certificate and that URL no longer exists after upgrading. Try removing the profile from the iOS device and make sure that the root and device certificate are gone.
If you go to Guest and look at Onboard > Certificate Authority Settings, look at the OCSP URL.
That URL has to be resolvable by the device, and if it doesn't match what is embedded in the certificate, then you need to edit the TLS method in CPPM and use the certificate override field, putting in what matches on the Guest side. This will override the embedded URL in the certificate and use the one specified.
iOS has some security things that they don't tell you about; specifically, if CPPM's server certificate is signed by a root that does not contain a common name, then it will fail.
Right now Entrust (GoDaddy) and VeriSign are signing certs that have roots without the CN. You have to specifically request one that does. I think we might have just started ignoring that problem in 6.1.1.
Again, this is only for the cert that signs the CPPM server, not the CA root configured in Onboard/Guest.
Don't know if this is much help, but hey, at least someone responded :)
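The two things the reply above tells you to check, the OCSP responder URL embedded in the device certificate and whether the signing root's subject actually carries a CN, can be read straight out of the DER without any vendor tool. The script below is an added example written for this thread; it is not ClearPass code and not from any of the posters. It walks the ASN.1 structure with the standard library only, so it runs on a bare interpreter against the DER bytes of a real certificate (for example the output of `openssl x509 -outform DER`). The two certificates at the bottom are constructed, unsigned placeholders with made-up names and a hypothetical responder URL, built only so the checks have something to run on.

```python
"""Read the subject CN and the AIA/OCSP responder URL out of an X.509 DER certificate."""

OID_CN = bytes.fromhex("550403")               # 2.5.4.3        id-at-commonName
OID_O = bytes.fromhex("55040a")                # 2.5.4.10       id-at-organizationName
OID_AIA = bytes.fromhex("2b06010505070101")    # 1.3.6.1.5.5.7.1.1   authorityInfoAccess
OID_OCSP = bytes.fromhex("2b06010505073001")   # 1.3.6.1.5.5.7.48.1  id-ad-ocsp
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, content, end).
    Single-byte tags are enough for every tag X.509 certificate structure uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split the content of a constructed TLV into its element (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def tbs_fields(cert_der):
    """Return the (tag, content) fields of the TBSCertificate, version included if present."""
    _, cert, _ = der_read(cert_der)            # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_read(cert)
    return der_children(tbs)


def subject_cn(cert_der):
    """CN from the subject Name, or None when the subject has no CN attribute
    (the root-CA shape the last reply says iOS rejects)."""
    fields = tbs_fields(cert_der)
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                     # serial, sigAlg, issuer, validity, subject, ...
    for _, rdn in der_children(subject):       # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, atv in der_children(rdn):       # RDN ::= SET OF AttributeTypeAndValue
            oid, value = der_children(atv)     # AttributeTypeAndValue ::= SEQUENCE { OID, value }
            if oid[1] == OID_CN:
                return value[1].decode("utf-8")
    return None


def ocsp_urls(cert_der):
    """OCSP responder URLs from the authorityInfoAccess extension, in certificate order."""
    urls = []
    for tag, body in tbs_fields(cert_der):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        _, ext_list, _ = der_read(body)
        for _, ext in der_children(ext_list):
            parts = der_children(ext)          # extnID, [critical BOOLEAN], extnValue OCTET STRING
            if parts[0][1] != OID_AIA:
                continue
            _, aia, _ = der_read(parts[-1][1])  # OCTET STRING wraps AuthorityInfoAccessSyntax
            for _, access in der_children(aia):
                method, location = der_children(access)
                if method[1] == OID_OCSP and location[0] == 0x86:  # [6] uniformResourceIdentifier
                    urls.append(location[1].decode("ascii"))
    return urls


# --- constructed test material: structurally valid but unsigned placeholder certificates ---
def tlv(tag, content):
    """DER encode one TLV with short or long form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def name(*attrs):
    """Name built from (oid_bytes, text) pairs, one RDN each, values as UTF8String."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode()))) for oid, text in attrs))


def make_cert(subject, ocsp_url=None):
    """Placeholder v3 certificate with the given subject and an optional AIA/OCSP extension.
    The key and signature fields hold dummy bytes: this is for parsing, not for trust."""
    fields = [
        tlv(0xA0, tlv(0x02, b"\x02")),                   # version v3
        tlv(0x02, b"\x01"),                              # serialNumber
        tlv(0x30, tlv(0x06, OID_SHA256_RSA)),            # signature AlgorithmIdentifier
        name((OID_O, "Example Org")),                    # issuer: O only, no CN
        tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"991231235959Z")),  # validity
        subject,
        tlv(0x30, b"placeholder-spki"),                  # subjectPublicKeyInfo (dummy)
    ]
    if ocsp_url:
        access = tlv(0x30, tlv(0x06, OID_OCSP) + tlv(0x86, ocsp_url.encode()))
        ext = tlv(0x30, tlv(0x06, OID_AIA) + tlv(0x04, tlv(0x30, access)))
        fields.append(tlv(0xA3, tlv(0x30, ext)))
    tbs = tlv(0x30, b"".join(fields))
    return tlv(0x30, tbs + tlv(0x30, tlv(0x06, OID_SHA256_RSA)) + tlv(0x03, b"\x00placeholder-sig"))


# A root whose subject has only O= (no CN), and a device cert pointing at a hypothetical responder.
ROOT_NO_CN = make_cert(name((OID_O, "Example Org")))
DEVICE_CERT = make_cert(name((OID_CN, "device-0001")), "http://onboard.example.test/ocsp")
```

Run `subject_cn()` on the root that signed the CPPM server certificate and `ocsp_urls()` on a device certificate pulled off an onboarded client; the URL it returns is the one that has to resolve from the client's network (or be overridden in the EAP-TLS method) before the OCSP check can pass.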