Frequent Contributor I

ClearPass Onboard - Dual SSID - Devices not connecting via TLS

Hi All,

 

I have a dual ssid onboard configuration with the goal of:

 

  1. Log into guest ssid
  2. click on register your device
  3. login with onboard "guest" credentials
  4. run through cert and profile installation process
  5. switch to different secured SSID with 802.1x TLS

Everything works up until step 5. I get the profiles and certs, it says the device is provisioned, but the device never switches over to the other SSID. Access tracker shows a failure with "Service categorization not found". Isn't the "Onboard Authorization" service supposed to be used for this step?

 

N

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

Do you have a service matching the 802.1x SSID configured in the device?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Guru Elite

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

Onboard authorization is used during the Onboard process. You need a service
to handle your 802.1X authentications.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS


Victor Fabian wrote:
Do you have a service matching the 802.1x SSID configured in the device?


I did have it listed in the "Onboard Provisioning" service, but noticed that the SSID was incorrectly entered. Thank you for that.

 

Now when I try to connect I get the error in access tracker:

"RADIUS EAP-TLS: fatal alert by server - unknown_ca
eap-tls: Error in establishing TLS session"

Does the controller also need a certificate?

 

 

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

What type of client is this?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Frequent Contributor I

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

It was both iOS and Android. After struggling with documentation for a few hours and redoing the same thing over and over I called TAC.

 

It turns out that for whatever reason, the certificate being installed on devices did not include the entire chain of certificates. Every new root CA I tried it on had this issue. When I switched to the default CA included out of the box with CP/Onboard it worked just fine.

 

In the meantime I will just use the built-in root CA. I believe TAC said they would file a bug.

 

N
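The failure mode described in the last post, reproduced offline as an added example (not from the thread, TAC, or Aruba): a client certificate that arrives without its issuing chain cannot be validated by a server that only trusts the root. It assumes a root, intermediate, leaf hierarchy, which the thread does not describe; every name and file below is constructed for the demo.

```shell
#!/bin/sh
# Build a constructed demo PKI in directory $1: root -> intermediate -> client leaf.
make_demo_pki() {
    pki=$1
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        '[client]' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth' > "$pki/ext.cnf"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$pki/$n.key" -out "$pki/$n.csr" 2>/dev/null
    done
    # Self-signed root: the only certificate the (hypothetical) RADIUS server trusts.
    openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 2 \
        -extfile "$pki/ext.cnf" -extensions ca -out "$pki/root.pem" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$pki/inter.csr" -CA "$pki/root.pem" -CAkey "$pki/root.key" \
        -set_serial 2 -days 2 -extfile "$pki/ext.cnf" -extensions ca \
        -out "$pki/inter.pem" 2>/dev/null
    # Client (device) certificate signed by the intermediate.
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/inter.pem" -CAkey "$pki/inter.key" \
        -set_serial 3 -days 2 -extfile "$pki/ext.cnf" -extensions client \
        -out "$pki/leaf.pem" 2>/dev/null
}

# chain_ok ROOT LEAF [INTERMEDIATES]
# Exit 0 only if LEAF chains to ROOT as a TLS client certificate, using just the
# certificates supplied (INTERMEDIATES stands for what the client sends with it).
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -purpose sslclient -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

dir=$(mktemp -d) && make_demo_pki "$dir"
chain_ok "$dir/root.pem" "$dir/leaf.pem" \
    && echo "leaf only: verified" \
    || echo "leaf only: FAILED (no path to a trusted CA)"
chain_ok "$dir/root.pem" "$dir/leaf.pem" "$dir/inter.pem" \
    && echo "leaf + intermediate: verified" \
    || echo "leaf + intermediate: FAILED"
```

The same `openssl verify` call can be pointed at a certificate exported from a provisioned device and the CA certificates from the server's trust list to see which link in the chain is missing.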
