Security

Reply
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

ClearPass RADIUS Authentication issue using 802.1X Wireless Service

Hello All,

 

I'm currently attempting to setup a Customer to use 802.1X authentication with Active Directory (AD) as an Authentication and Authorization Source.

 

I have successfully integrated ClearPass PM to the AD Domain.

 

The 802.1X Wireless Service has been setup just fine.

 

However, when we attempt to connect the WLAN, we have to reauthenticate multiple times before this works. It generates like a "Certificate Error" and then requests if you need to terminate or connect. We have to click on connect multiple times when this error is prompted and then finally works.

 

When I look at the Access Tracker on CPPM, I notice that it seems the Laptop is sending a Machine Credential instead of a User Credential and we get the error message from CPPM stating "User Not Found". However when it finally works, we then see a User Credential was sent.

 

Is there something that I need to do in order for User Credentials to be sent instead of Machine Credentials?

 

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

If this is Windows 7, you would need to make sure:

 

(1) The client trusts the certificate of the ClearPass server (or uncheck Validate Server Certificate on the Windows 7 client)

(2) In the Advanced Settings for 802.1x on the Windows 7 client there is an option to submit user or machine credentials.  You can make it user only to avoid the second situation you are describing.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

As regards to trusting the CPPM Certificate, how do I go about this?

 

Secondly, if I attempt to set up the Client (PC/Laptop) with using User Credentials only, how do I address a situation where the Customer says that their Users are required to change their Domain Password every 3months? Does that mean that I have to then go back to every Client and change the "Password" under the Advanced Setting? Or is this done automatically?

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

Let us back things up.  Did you issue a server certificate to CPPM?  If so, was it  from an internal CA or a public CA?  If it has not been done, that probably means you are using termination on the Aruba Controller, which means it is using Aruba's self-signed certificate.

 

You need to obtain a server certificate either (1) from the customer's internal CA or (2) a public CA that all the customer's clients trust and issue it to CPPM.

 

If that has been done, you need to do that before you go further.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

I suspected I would need to do that. 

 

I'll reach out to the Customer and address the Certificate issue.

 

Thanks again.

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

Okay. So I decided to use run the Customer's Microsoft Active Directory as a Certificate Authority.

 

This worked for me.

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

Awesome!


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 83
Registered: ‎09-29-2011

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

Hi,

 

I'm looking for an HowTo for integrate Clearpass and Machine Auth with Microsoft Active Directory as a Certificate Authority.

do you have this ?

 

Regards

 

Yann

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

Hi Yann,

 

I don't have an Application Note for this integration.

 

But if you reference the Aruba ClearPass User Guide, it should be a good starting point.

However, it really depends on what you want to do.

 

I noticed you said you wanted to use AD as a Certificate Authority. Is this for Onboarding?

Guru Elite
Posts: 21,488
Registered: ‎03-29-2007

Re: ClearPass RADIUS Authentication issue using 802.1X Wireless Service


Yann Dorval wrote:

Hi,

 

I'm looking for an HowTo for integrate Clearpass and Machine Auth with Microsoft Active Directory as a Certificate Authority.

do you have this ?

 

Regards

 

Yann


Please see the guide here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TechNote-v1-3-Aruba-Wireless-and-ClearPass-6-Integration-Guide/ta-p/70714

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: