Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 802.1x certificate

  • 1.  Clearpass 802.1x certificate

    Posted Oct 03, 2013 07:55 AM

    Hi,

    I am getting an error while authenticating on Windows 7:

    Access Tracker says..

    EAP-PEAP: fatal alert by client - unknown_ca

    This means that I need to have a certificate on ClearPass that is recognised?

    Also I need to know how to create a basic policy to say that if the device is an iPhone it only goes to a guest role (for example http, https) that is already created on the Aruba controller side.

    Could you help?

    Regards



  • 2.  RE: Clearpass 802.1x certificate

    EMPLOYEE
    Posted Oct 03, 2013 08:03 AM

    Make sure you upload the entire certificate trust chain (intermediate and Root CA certificates).



  • 3.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 08:26 AM

    This can be a certificate error on the client. The SSID profile is probably not set to trust the correct certificate.

    In the SSID profile on your Windows machine make sure that the Root CA you are using for your ClearPass is checked as the trusted CA.

    Also, depending on what cert you are using for your ClearPass (the Apache server), if it is a commercial cert make sure that the entire trust chain is visible under ClearPass > Configuration > Certificates > Server Certificate.

    Check this post. tarnold gave a really nice screenshot of what your server certificate should look like when using a commercial CA.

    Was this device connected using the Onboard process? Or did you manually set up an SSID profile on your Windows machine?

    As for your Apple device, you can accomplish this by using your Role Mappings. Then with your Enforcement Profile you can evaluate the TIPS role and if the TIPS role is equal to [Onboard iOS] then place it into your Guest Role and VLAN. I think there is a screenshot of this in one of your previous posts.
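The advice in replies 2 and 3 comes down to one thing: the supplicant must be able to build a path from the certificate the server presents to a CA it already trusts, and the unknown_ca alert in the first post is what the client sends when it cannot. The shell script below is an added example, not code from the thread or from HPE Aruba: it builds a throwaway root CA, issuing CA and server certificate with openssl, then shows the same check failing when the server sends only its own certificate and passing once the intermediate is sent with it. All names in it (Example Root CA, Example Issuing CA, cppm.example.test) are made up.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway three-tier PKI built with
# openssl to show the chain problem behind a client's unknown_ca alert.
# All names are made up; the script works in a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Key + CSR helper: $1 = file stem, $2 = common name.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# 1. Root CA (self-signed). This is all the supplicant has in its trust store.
mkcsr root "Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext \
  -out root.pem 2>/dev/null

# 2. Issuing (intermediate) CA, signed by the root.
mkcsr int "Example Issuing CA"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile int.ext -out int.pem 2>/dev/null

# 3. EAP server certificate for the ClearPass node, signed by the intermediate.
mkcsr srv "cppm.example.test"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:cppm.example.test\n' > srv.ext
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile srv.ext -out srv.pem 2>/dev/null

# A client that trusts only the root, given just the server's own certificate:
# no path to a trusted CA, which is what the unknown_ca alert reports.
verify_leaf_only() {
  openssl verify -CAfile root.pem srv.pem >/dev/null 2>&1
}

# Same trust store, but the server now sends the intermediate as well
# (what uploading the entire chain to the server certificate achieves).
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem srv.pem >/dev/null 2>&1
}

if verify_leaf_only; then echo "leaf alone: trusted (unexpected)"; else echo "leaf alone: no chain to a trusted CA"; fi
if verify_with_chain; then echo "leaf + intermediate: trusted"; else echo "leaf + intermediate: FAILED"; fi
```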



  • 4.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 02:27 PM

    Hi,

    I followed the guide for integrating Aruba wireless with ClearPass (splendid, by the way).

    I assume that the certificate was generated by ClearPass itself.

    Do I need to have a commercial one?

    Alternatively, could I change ClearPass 802.1X to not ask for a certificate?

    Regarding iPhones and Android, is there any info on how to implement roles on them? (A corporate user connects to the WLAN and, because it is identified as an iPhone, goes to a guest role....)

    Regards and thanks guys ;)


  • 5.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 02:50 PM

    You need to have a commercial CA for ClearPass to correctly Onboard Apple devices when using HTTPS.

    If you do not have a commercial CA the Onboarding of Apple devices will fail.

    On Windows and Android you don't have to worry what certificate you use.

    This is the certificate for the ClearPass (Apache server) itself by the way. Not the certificate for the Onboard.

    I am not sure if there is a guide that takes it step by step.

    A simple explanation would be:

    1. Create a service. Alternatively you can add this functionality to an existing service.
    2. On the 'Roles' tab of your service, from the dropdown menu select the default 'Onboard Authorization'. This contains some basic role mapping rules. You can customize this though to your needs.
    3. Create an Enforcement Policy that evaluates the 'TIPS Role' of the device. The CPPM will have given a TIPS role based on the rules in the role mapping 'Onboard Authorization'.
    4. Then match your Enforcement Policy up with an Enforcement Profile that sends back a RADIUS response with the correct 'User Role' and 'VLAN'. The User Role would be equal to a role that you created on your Aruba controller.

    You can make your Role Mapping rules do just about anything. For instance, for Blackberry devices we created a rule that checks the device from the Endpoint profiles and if the 'OS Family' = 'Blackberry' then we assign it a TIPS role of 'Blackberry' (for instance).

    I believe some of the default template services might give you a good visual representation of what you have to do as well.

    Hopefully this helps a little though.

    Cheers



  • 6.  RE: Clearpass 802.1x certificate

    EMPLOYEE
    Posted Oct 03, 2013 02:52 PM

    If you are only doing 802.1X PEAP authentication, not onboarding, and want to use the built-in certificate, you would need to disable server certificate validation in the supplicant settings on each client. (None of this is recommended by the way)

     

    (attachment: server-verification.PNG)



  • 7.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 03:20 PM

    Thank you both for the help... we are not using Onboard.. we only have base Policy Manager and ClearPass Guest.. Using the embedded certificate I connect devices except for Windows ones; those give "can't connect to the network". Since we have several clients, it is not secure and efficient to remove the validation.. But Apple devices connect and ask for the "clearpass certificate", we accept and then it connects ok. So I guess the only way for this to work under Windows with security is to have and install an alternative commercial certificate, correct? Regards


  • 8.  RE: Clearpass 802.1x certificate

    EMPLOYEE
    Posted Oct 03, 2013 03:23 PM
    Either install a commercial cert or, if you are in a domain environment, use an internal private Certificate Authority that is already trusted by the clients.


  • 9.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 03:31 PM

    You could also export the certificate from the CPPM and install it on all your domain machines.

    We had experimented with this initially before we received our commercial CA and it worked well (under Windows).

    But as cappalli suggested, if you already have a private CA that is trusted, use it!



  • 10.  RE: Clearpass 802.1x certificate
    Best Answer

    Posted Oct 10, 2013 10:28 AM

    Solved..

    Imported SSL certificates from the AD.

    Thanks



  • 11.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 08:17 AM

    Hi Cappalli,

    Is there another way to bypass the server certificate validation in the supplicant settings, perhaps with another 802.1X auth method?

    My scheme: supplicant -> controller -> cppm (termination) -> AD

    Or a script to configure the "Windows" supplicant?

    Regards

    Yann



  • 12.  RE: Clearpass 802.1x certificate

    EMPLOYEE
    Posted Dec 30, 2014 08:44 AM
    All tunneled EAP methods require server verification.

    Are your machines joined to an AD domain?

    Thanks,
    Tim


  • 13.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 09:47 AM

    Hi Cappalli,

    No, I don't have machines in the domain because they are not corporate computers.

    I found a solution: if I configure the RADIUS termination on my controller (as below) and configure an MSCHAP auth method in the ClearPass service (as below).

    And now the machines have only one warning message about securelogin.arubanetworks.com and after that they can connect.

    (attachment: Capture10.JPG)

    (attachment: Capture11.JPG)

    Regards

    Yann



  • 14.  RE: Clearpass 802.1x certificate

    EMPLOYEE
    Posted Dec 30, 2014 09:49 AM

    You should use MS-CHAPv2.

    Using the default controller certificate is not best practice.



  • 15.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 09:54 AM

    Hi,

    I don't have MSCHAP-V2 in the auth method list, I only have EAP-MSCHAPV2, and when I test with it, it doesn't work; I get an alert message in Access Tracker:

    RADIUSCannot select appropriate authentication method

    Regards

    Yann