10-03-2013 04:55 AM
I am getting an error while authenticating on Windows 7:
Access Tracker says:
EAP-PEAP: fatal alert by client - unknown_ca
This means that I need to have a certificate on ClearPass that is recognised?
Also I need to know how to create a basic policy to say that if the device is an iPhone it only goes to a guest role (for example http, https) that is already created on the Aruba controller side.
Could you help?
10-03-2013 05:26 AM
This can be a certificate error on the client. The SSID profile is probably not set to trust the correct certificate.
In the SSID profile on your Windows machine make sure that the Root CA you are using for your ClearPass is checked as the trusted CA.
Also, depending on what cert you are using for your ClearPass (the Apache server), if it is a commercial cert make sure that the entire trust chain is visible under ClearPass > Configuration > Certificates > Server Certificate.
Check this post. tarnold gave a really nice screen shot of what your server certificate should look like when using a commercial CA.
Was this device connected using the Onboard process? Or did you manually setup an SSID profile on your Windows?
As for your Apple device, you can accomplish this by using your Role Mappings. Then with your Enforcement Profile you can evaluate the TIPS role and, if the TIPS role is equal to [Onboard iOS], place it into your Guest Role and VLAN. I think there is a screenshot of this in one of your previous posts.
10-03-2013 11:26 AM
I followed the guide for integrating Aruba wireless with ClearPass (splendid, by the way).
I assume that the certificate was generated by ClearPass itself.
Do I need to have a commercial one?
Alternatively, could I change ClearPass 802.1X to not ask for a certificate?
Regarding iPhones and Android, is there any info on how to implement roles on them? (A corporate user connects to the WLAN and, because it is identified as an iPhone, goes to a guest role....)
Regards and thanks guys ;)
10-03-2013 11:50 AM
You need to have a commercial CA for ClearPass to correctly Onboard Apple devices when using HTTPS.
If you do not have a commercial CA the Onboarding of Apple devices will fail.
On Windows and Android you don't have to worry what certificate you use.
This is the certificate for the ClearPass (Apache server) itself by the way. Not the certificate for the Onboard.
I am not sure if there is a guide that takes it step by step.
A simple explanation would be:
- Create a service. Alternatively you can add this functionality to an existing service.
- On the 'Roles' tab of your service, from the dropdown menu select the default 'Onboard Authorization'. This contains some basic role mapping rules. You can customize this to your needs, though.
- Create an Enforcement Policy that evaluates the 'TIPS Role' of the device. The CPPM will have given a TIPS role based on the rules in the role mapping 'Onboard Authorization'.
- Then match your Enforcement Policy up with an Enforcement Profile that sends back a RADIUS response with the correct 'User Role' and 'VLAN'. The User Role would be equal to a role that you created on your Aruba controller.
You can make your Role Mapping rules do just about anything. For instance, for Blackberry devices we created a rule that checks the device against the Endpoint profiles and, if the 'OS Family' = 'Blackberry', we assign it a TIPS role of 'Blackberry' (for instance).
I believe some of the default template services might give you a good visual representation of what you have to do as well.
Hopefully this helps a little though.
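The chain described in the post above (attributes in the request -> Role Mapping -> TIPS roles -> Enforcement Policy -> Enforcement Profile with the User Role and VLAN for the controller) as a small Python model. This is an added example written for this page, not ClearPass code: the attribute names, role names, operators and the "evaluate all role mapping rules, first-match enforcement" semantics are assumptions chosen to show how rule order decides whether a corporate user on an iPhone ends up in the guest role.

```python
"""Toy model of the evaluation chain described above: endpoint/authorization
attributes -> Role Mapping rules -> TIPS roles -> Enforcement Policy ->
Enforcement Profile (RADIUS reply attributes for the Aruba controller).

Added example for this page; it is not ClearPass code. The attribute names,
role names, operators and the "evaluate all role rules, first-match
enforcement" semantics are assumptions chosen to illustrate the flow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleMappingRule:
    attribute: str  # e.g. "Endpoint:OS Family" (assumed attribute name)
    operator: str   # "EQUALS" or "CONTAINS" (case-insensitive)
    value: str
    role: str       # TIPS role assigned when the rule matches


@dataclass(frozen=True)
class EnforcementRule:
    required_roles: frozenset  # every role here must be among the TIPS roles
    profile: dict              # RADIUS attributes returned to the controller


def rule_matches(rule: RoleMappingRule, attrs: dict) -> bool:
    actual = attrs.get(rule.attribute)
    if actual is None:
        return False
    a, v = actual.lower(), rule.value.lower()
    if rule.operator == "EQUALS":
        return a == v
    if rule.operator == "CONTAINS":
        return v in a
    raise ValueError(f"unsupported operator {rule.operator!r}")


def map_roles(rules, attrs, default_role="[Other]"):
    """Role Mapping: collect the TIPS role of every matching rule; fall back
    to the policy's default role when nothing matches."""
    roles = [r.role for r in rules if rule_matches(r, attrs)]
    return roles or [default_role]


def enforce(rules, tips_roles, default_profile):
    """Enforcement Policy: the first rule whose required roles are all
    present wins; otherwise the policy's default profile is returned."""
    have = set(tips_roles)
    for rule in rules:
        if rule.required_roles <= have:
            return dict(rule.profile)
    return dict(default_profile)


# Constructed rule sets mirroring the thread: iOS and Blackberry endpoints get
# device roles, AD domain users get a corporate role.
ROLE_RULES = [
    RoleMappingRule("Endpoint:OS Family", "EQUALS", "Apple iOS", "[Onboard iOS]"),
    RoleMappingRule("Endpoint:OS Family", "EQUALS", "Blackberry", "Blackberry"),
    RoleMappingRule("Authorization:AD:memberOf", "CONTAINS", "CN=Domain Users", "Corporate"),
]

# Order matters: the iOS rule is listed first, so a corporate user on an iPhone
# still lands in the guest role, which is the behaviour asked for above.
ENFORCEMENT_RULES = [
    EnforcementRule(frozenset({"[Onboard iOS]"}),
                    {"Aruba-User-Role": "guest", "Tunnel-Private-Group-Id": "200"}),
    EnforcementRule(frozenset({"Blackberry"}),
                    {"Aruba-User-Role": "guest", "Tunnel-Private-Group-Id": "200"}),
    EnforcementRule(frozenset({"Corporate"}),
                    {"Aruba-User-Role": "employee", "Tunnel-Private-Group-Id": "100"}),
]
DENY_PROFILE = {"Access": "Reject"}


def decide(attrs: dict) -> dict:
    """Run one request through the whole chain and return the reply attributes."""
    tips_roles = map_roles(ROLE_RULES, attrs)
    reply = enforce(ENFORCEMENT_RULES, tips_roles, DENY_PROFILE)
    reply["TIPS-Roles"] = tips_roles  # kept for inspection only; not a RADIUS attribute
    return reply


if __name__ == "__main__":
    # Constructed sample requests: corporate user on an iPhone, same user on
    # Windows, and an unprofiled device with no AD match.
    print(decide({"Endpoint:OS Family": "Apple iOS",
                  "Authorization:AD:memberOf": "CN=Domain Users,DC=example,DC=com"}))
    print(decide({"Endpoint:OS Family": "Windows",
                  "Authorization:AD:memberOf": "CN=Domain Users,DC=example,DC=com"}))
    print(decide({"Endpoint:OS Family": "Linux"}))
```

Swapping the first and third enforcement rules would send the iPhone user to the employee role, because enforcement stops at the first match; that is the ordering to check when the guest role is not being applied.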
10-03-2013 11:51 AM - edited 10-03-2013 12:16 PM
If you are only doing 802.1X PEAP authentication, not onboarding, and want to use the built-in certificate, you would need to disable server certificate validation in the supplicant settings on each client. (None of this is recommended, by the way.)
10-03-2013 12:31 PM
You could also export the certificate from the CPPM and install it on all your domain machines.
We had experimented with this initially before we received our commercial CA and it worked well (under Windows).
But as cappalli suggested if you already have a private CA that is trusted use it!