Occasional Contributor II

ClearPass Onboard Single SSID

 

I used the solution exchange (beta) tool for  Wireless Onboard w/ Single SSID.

 

I started out simple by using a local account on ClearPass to perform an initial test to see if my config was working.  It worked, generating a certificate and all expected database entries. 

 

Issue is that I revoked and deleted the certificates from both ClearPass and the client.  I'm intending to repeat the entire onboarding process again with the client, but this time using an Active Directory source.

I can't seem to get the controller to pass the auth request to ClearPass now.  The controller seems to be looking for a certificate before starting the authentication routine with ClearPass.

Nothing is seen in the ClearPass access tracker.  The client message in Win7 shows a message that a certificate is required, and access is denied.

 

Is there some cache or setting I need to change in the controller to allow for the same machine to basically start-over in the single SSID Onboard process?

 

I'm using ClearPass 6.2 and AOS 6.3.

 

 

Regards,

Colin

 

 

 

 

Re: ClearPass Onboard Single SSID

The client is still in the user table most likely.  From SSH on the controller do a "show user" and then an "aaa user delete <ip address of client>" and retest.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II

Re: ClearPass Onboard Single SSID

Thanks Seth for the quick response.

 

I checked the user table and my client was not listed by IP.

 

I did find it in the "show aaa device-id-cache", which shows it by MAC address.

However, I can't seem to figure out how to clear that table.  Deleting the user by MAC does not work.

 

I could still change my process and go to a provisioning SSID, instead of the single SSID.  If there are bugs in the AOS 6.3 related to single SSID BYOD with ClearPass, then I may need to switch to that immediately.

 

Regards,

Colin  

 

Aruba

Re: ClearPass Onboard Single SSID

I've been running 6.3 with no issues on a single SSID.

It sounds like the profile is still being held in the client device. Make sure you delete the SSID profile in the Windows device, NOT just the cert.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II

Re: ClearPass Onboard Single SSID

Deleting the SSID profile worked.  Thanks a lot for the info.

 

 

Follow up questions:

Whenever a certificate is revoked, deleted or expired, it seems like the user will have to manually delete the SSID profile.  Is this a minor nuisance that must be accepted when using a single SSID?  (Is there any workaround to reduce calls to IT and make it more user friendly?)

 

Thanks,

Colin 

 

Aruba

Re: ClearPass Onboard Single SSID

You can set up a role to force a user to re-onboard based on the expiration date of the cert. For example, I have mine based on a 2-week time period.

 

[image: expirecert1.png]

 

Dave did a great post on how to set it up.

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/m-p/95827#M6710

 

There are some features in 6.3 that will also help with this.

Thank You,
Troy

Contributor I

Re: ClearPass Onboard Single SSID

Hey tarnold.  This is good information.  So what action are you taking once a client is found that fits into this category?  Also, can you elaborate on your statement about the 6.3 features that help out with this?  Thx.

Aruba

Re: ClearPass Onboard Single SSID

You can do one of two things:

1. You can use the new feature in 6.3 that will send an email to the user that their cert is about to expire.

2. You can use the same as above plus the new feature so it will notify the user at a certain time, and if they don't change the cert it will push them to the portal.

(Per the .1x standard we are not allowed to let a device connect with an expired cert, so this is a way to help prevent the user from just getting kicked off the network and not knowing why.)

 

 

 

[image: expirecertnotify.png]

 

So for example, in my lab I have my certs expire every 60 days:

1. Two weeks before my cert expires I will get an email each night telling me to get a new cert.

2. If I don't, or forget, then starting 1 week before the expiration I will get automatically sent to the provisioning page with the query in Dave's post.

Thank You,
Troy

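The warning/redirect/deny ladder Troy describes (60-day certs, nightly e-mail for the last 14 days, forced redirect to the provisioning portal for the last 7 days, and no access once the cert has expired because EAP-TLS will not accept it) can be checked offline before you build the enforcement conditions in ClearPass. The following is an added example and not ClearPass or Aruba code; it only implements the decision logic. The thresholds are the ones from Troy's lab, the `notAfter` strings are constructed X.509 validity timestamps (UTCTime and GeneralizedTime, as a client cert carries them), and `NOW_SAMPLE` and the enforcement-profile names in `PROFILE_FOR` are assumptions for illustration.

```python
"""
Decide what to do with a client whose onboard certificate is approaching
expiry.  Added example mirroring the policy in the thread; not ClearPass code.

Policy (from Troy's lab description):
  > 14 days left  -> allow normally
  8..14 days left -> allow, but notify (nightly e-mail)
  1..7 days left  -> redirect to the provisioning portal (re-onboard)
  expired         -> deny (EAP-TLS will not accept an expired cert anyway)
"""
from datetime import datetime, timedelta, timezone
from enum import Enum

NOTIFY_DAYS = 14        # start e-mailing the user this many days before expiry
REPROVISION_DAYS = 7    # start redirecting to the portal this many days before expiry


class Action(Enum):
    ALLOW = "allow"
    NOTIFY = "notify"
    REPROVISION = "reprovision"
    DENY = "deny"


# Hypothetical enforcement-profile names; map each action to whatever your
# ClearPass enforcement policy actually calls them.
PROFILE_FOR = {
    Action.ALLOW: "[Allow Access Profile]",
    Action.NOTIFY: "Onboard-Allow-And-Email-Warning",
    Action.REPROVISION: "Onboard-Redirect-To-Provisioning",
    Action.DENY: "[Deny Access Profile]",
}


def parse_x509_time(s: str) -> datetime:
    """Parse an RFC 5280 validity timestamp in Zulu time.

    UTCTime is 'YYMMDDHHMMSSZ' with a two-digit year (50..99 -> 19xx,
    00..49 -> 20xx); GeneralizedTime is 'YYYYMMDDHHMMSSZ'.
    """
    if not s.endswith("Z"):
        raise ValueError("only Zulu-time X.509 timestamps are supported")
    body = s[:-1]
    if len(body) == 12:            # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:          # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError(f"unrecognised X.509 time: {s!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def days_remaining(not_after: str, now: datetime) -> float:
    """Whole days (fractional) from `now` until the certificate's notAfter."""
    return (parse_x509_time(not_after) - now) / timedelta(days=1)


def decide(not_after: str, now: datetime) -> Action:
    """Apply the notify / reprovision / deny ladder to one client certificate."""
    remaining = parse_x509_time(not_after) - now
    if remaining <= timedelta(0):
        return Action.DENY
    if remaining <= timedelta(days=REPROVISION_DAYS):
        return Action.REPROVISION
    if remaining <= timedelta(days=NOTIFY_DAYS):
        return Action.NOTIFY
    return Action.ALLOW


# Constructed "current time" so the example is reproducible: 2013-10-01 00:00Z.
NOW_SAMPLE = parse_x509_time("131001000000Z")

# Constructed notAfter values for four clients with 60-day certs issued at
# different times; none of these are real certificates.
SAMPLE_CLIENTS = {
    "laptop-fresh":     "131130000000Z",     # 60 days left
    "laptop-warning":   "131010000000Z",     # 9 days left
    "phone-redirect":   "131005000000Z",     # 4 days left
    "tablet-expired":   "130930235959Z",     # expired one second ago
    "generalized-time": "20131130000000Z",   # same as laptop-fresh, long form
}

if __name__ == "__main__":
    for name, not_after in SAMPLE_CLIENTS.items():
        action = decide(not_after, NOW_SAMPLE)
        print(f"{name:18s} {days_remaining(not_after, NOW_SAMPLE):7.2f} days  "
              f"-> {action.value:12s} ({PROFILE_FOR[action]})")
```

The boundary is deliberately inclusive (exactly 14 days left already notifies, exactly 7 days left already redirects), so a nightly job never skips a window because it runs a few minutes late; adjust the comparisons if your enforcement condition uses a strict "less than".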
Contributor I

Re: ClearPass Onboard Single SSID

That looks like a great idea.  And when you say reprovision, I assume it sends them to the same onboarding page that was used when they initially onboarded?  And that will detect that they already have a cert and just renew the existing cert?  I don't have a test 6.3 controller to test this, but in the user guide I'm not seeing where to configure the feature we're discussing.  Thanks for the time.

Aruba

Re: ClearPass Onboard Single SSID

Questions:
1. Yes
2. Yes

What I am showing is the 6.3 CPPM beta; you will not see the email part of it until the release.
Thank You,
Troy
