Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

ClearPass Onboard - Dual SSID - Devices not connecting via TLS

Hi All,

I have a dual SSID Onboard configuration with the goal of:

  1. Log into guest SSID
  2. Click on register your device
  3. Login with onboard "guest" credentials
  4. Run through cert and profile installation process
  5. Switch to different secured SSID with 802.1x TLS

Everything works up until step 5. I get the profiles and certs, it says the device is provisioned, but the device never switches over to the other SSID. Access tracker shows a failure with "Service categorization not found". Isn't the "Onboard Authorization" service supposed to be used for this step?

N

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

Do you have a service matching the 802.1x SSID configured in the device?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

Onboard authorization is used during the Onboard process. You need a service
to handle your 802.1X authentications.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS


Victor Fabian wrote:
Do you have a service matching the 802.1x SSID configured in the device?

I did have it listed in the "Onboard Provisioning" service, but noticed that the SSID was incorrectly entered. Thank you for that.

Now when I try to connect I get the error in access tracker:

"RADIUS EAP-TLS: fatal alert by server - unknown_ca
eap-tls: Error in establishing TLS session"

Does the controller also need a certificate?
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

What type of client is this?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 76
Registered: ‎12-07-2015

Re: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

It was both iOS and Android. After struggling with documentation for a few hours and redoing the same thing over and over I called TAC.

It turns out that for whatever reason, the certificate being installed on devices did not include the entire chain of certificates. Every new root CA I tried it on had this issue. When I switched to the default CA included out of the box with CP/Onboard it worked just fine.

In the meantime I will just use the built-in root CA. I believe TAC said they would file a bug.

N
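
The incomplete-chain failure described in the last post can be reproduced with the openssl CLI. This is an added example, not part of the thread and not ClearPass code. It assumes a constructed three-tier lab PKI and a server that trusts only the root: a device certificate presented without its issuing CA cannot be chained to the trusted root, which is the condition the TLS unknown_ca alert reports.

```shell
#!/usr/bin/env bash
# Constructed lab PKI, all names made up: Lab Root CA -> Lab Issuing CA -> device cert.

build_lab_pki() {   # $1 = empty working directory
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  # Root CA: the only certificate in the authentication server's trust list.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/lab.cnf" \
    -extensions v3_ca -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Issuing (intermediate) CA and the device certificate it signs.
  issue "$d" int  "Lab Issuing CA"   root v3_ca     2 || return 1
  issue "$d" leaf "onboarded-device" int  v3_client 3 || return 1
}

issue() {   # $1 dir, $2 new name, $3 subject CN, $4 signer name, $5 extensions, $6 serial
  openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -set_serial "$6" -days 2 -extfile "$1/lab.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# Server-side decision: trust only root.pem, use whatever extra certificates
# the client sent ($2, optional) to build the path to it.
server_accepts() {   # $1 = dir, $2 = file of intermediates presented by the client
  if openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} "$1/leaf.pem" \
       >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

demo() {
  tmp=$(mktemp -d) && build_lab_pki "$tmp" || return 1
  echo "device cert only:          $(server_accepts "$tmp")"
  echo "device cert + issuing CA:  $(server_accepts "$tmp" "$tmp/int.pem")"
  rm -rf "$tmp"
}
demo
```

To check a real deployment, run the same `openssl verify` command against the CA bundle the RADIUS server trusts and the certificate exported from a provisioned device.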
