Regular Contributor II
Posts: 201
Registered: ‎01-30-2013

Clearpass 802.1x certificate

Hi,

 

I am getting an error while authenticating on Windows 7:

 

Access tracker says..

EAP-PEAP: fatal alert by client - unknown_ca

 

This means that I need to have a certificate on ClearPass that is recognised?

 

 

Also I need to know how to create a basic policy to say that if the device is an iPhone it only goes to a guest role (for example http, https) that is already created on the Aruba controller side.

Could you help?

 

Regards

Guru Elite
Posts: 7,853
Registered: ‎09-08-2010

Re: Clearpass 802.1x certificate

Make sure you upload the entire certificate trust chain (intermediate and Root CA certificates).


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 368
Registered: ‎09-05-2012

Re: Clearpass 802.1x certificate

This can be a certificate error on the client. The SSID profile is probably not set to trust the correct certificate.

 

In the SSID profile on your Windows machine make sure that the Root CA you are using for your ClearPass is checked as the trusted CA.

 

Also, depending on what cert you are using for your ClearPass (the Apache server), if it is a commercial cert make sure that the entire trust chain is visible under ClearPass > Configuration > Certificates > Server Certificate

 

Check this post. tarnold gave a really nice screen shot of what your server certificate should look like when using a commercial CA.

 

Was this device connected using the Onboard process? Or did you manually setup an SSID profile on your Windows?

 

As for your Apple device, you can accomplish this by using your Role Mappings. Then with your Enforcement Profile you can evaluate the TIPS role and if the TIPS role is equal to [Onboard iOS] then place it into your Guest Role and VLAN. I think there is a screen shot of this in one of your previous posts.
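
A lab reproduction of the two trust failures discussed in the replies above, added here as an example (it is not from the original posters or from Aruba): it builds a throwaway root CA, issuing CA and server certificate with `openssl`, then checks what a client that trusts only a given root would accept. All names (`radius.lab.example`, `Lab Issuing CA`, the helper functions) are made up, and `openssl verify` stands in for the supplicant's chain validation.

```bash
# Constructed lab PKI (all names made up): root CA -> issuing CA -> RADIUS server.
# Needs only the openssl command-line tool; nothing here talks to ClearPass.

new_key_and_csr() {  # $1 = output basename, $2 = subject CN
  openssl req -new -config "$PKI/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {  # $1 = subject basename, $2 = issuer basename, $3 = extension section
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile "$PKI/pki.cnf" -extensions "$3" -days 30 -out "$1.pem" 2>/dev/null
}

build_lab_pki() {  # $1 = existing, writable working directory
  PKI=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3_srv]' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' > "$PKI/pki.cnf"
  for r in root other; do  # "other" is an unrelated root the server never chained to
    new_key_and_csr "$PKI/$r" "Lab $r CA"
    openssl x509 -req -in "$PKI/$r.csr" -signkey "$PKI/$r.key" -days 30 \
      -extfile "$PKI/pki.cnf" -extensions v3_ca -out "$PKI/$r.pem" 2>/dev/null
  done
  new_key_and_csr "$PKI/issuing" "Lab Issuing CA" && sign "$PKI/issuing" "$PKI/root" v3_ca
  new_key_and_csr "$PKI/server" "radius.lab.example" && sign "$PKI/server" "$PKI/issuing" v3_srv
}

# Supplicant-side check. $1 = root CA ticked as trusted in the client profile,
# $2 = intermediates the server presents ("" if it sends only its own cert),
# $3 = server certificate. Exit status 0 means the client would accept.
client_accepts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

verdict() { client_accepts "$@" && echo accepted || echo rejected; }

demo() {
  d=$(mktemp -d) && build_lab_pki "$d" || return 1
  echo "server cert only, client trusts root: $(verdict "$d/root.pem" "" "$d/server.pem")"
  echo "full chain, client trusts root:       $(verdict "$d/root.pem" "$d/issuing.pem" "$d/server.pem")"
  echo "full chain, client trusts other root: $(verdict "$d/other.pem" "$d/issuing.pem" "$d/server.pem")"
  rm -rf "$d"
}
demo
```

Only the middle case is accepted: the first corresponds to a server that does not present its intermediate certificate, the third to a client profile with the wrong root CA selected.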

Regular Contributor II
Posts: 201
Registered: ‎01-30-2013

Re: Clearpass 802.1x certificate

Hi,

I followed the guide for integrating Aruba wireless with ClearPass (splendid, by the way).

I assume that the certificate was generated by ClearPass itself.

I need to have a commercial one?

Alternatively, could I change ClearPass 802.1X to not ask for a certificate?

Regarding iPhones and Android, is there any info on how to implement roles on them? (A corporate user connects to the WLAN and, because the device is identified as an iPhone, goes to a guest role...)

Regards and thanks guys ;)

Super Contributor II
Posts: 368
Registered: ‎09-05-2012

Re: Clearpass 802.1x certificate

You need to have a commercial CA for ClearPass to correctly Onboard Apple devices when using HTTPS.

 

If you do not have a commercial CA the Onboarding of Apple devices will fail.

 

On Windows and Android you don't have to worry what certificate you use.

This is the certificate for the ClearPass (Apache server) itself, by the way. Not the certificate for the Onboard.

 

I am not sure if there is a guide that takes it step by step.

 

Simple explanation would be.

 

 

  1. Create a service. Alternatively you can add this functionality to an existing service.
  2. On the 'Roles' tab of your service, from the dropdown menu select the default 'Onboard Authorization'. This contains some basic role mapping rules. You can customize this though to your needs.
  3. Create an Enforcement Policy that evaluates the 'TIPS Role' of the device. The CPPM will have given a TIPS role based on the rules in the role mapping 'Onboard Authorization'.
  4. Then match your Enforcement Policy up with an Enforcement Profile that sends back a RADIUS response with the correct 'User Role' and 'VLAN'. The User Role would be equal to a role that you created on your Aruba controller.

You can make your Role Mapping rules do just about anything. For instance, for Blackberry devices, we created a rule that checks the device from the Endpoint profiles and if the 'OS Family' = 'Blackberry' then we assign it a TIPS role of 'Blackberry' (for instance).

 

I believe some of the default template services might give you a good visual representation of what you have to do as well.

 

Hopefully this helps a little though.

 

Cheers

Guru Elite
Posts: 7,853
Registered: ‎09-08-2010

Re: Clearpass 802.1x certificate


If you are only doing 802.1X PEAP authentication, not onboarding, and want to use the built-in certificate, you would need to disable server certificate validation in the supplicant settings on each client. (None of this is recommended by the way)

 



Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor II
Posts: 201
Registered: ‎01-30-2013

Re: Clearpass 802.1x certificate

Thank you both for the help... We are not using Onboard. We only have the base Policy Manager and ClearPass Guest. Using the embedded certificate I connect to devices except for Windows ones; those give "can't connect to the network". Since we have several clients, it is not secure and efficient to remove the validation. But Apple devices connect and ask for the "clearpass certificate"; we accept and then it connects OK. So I guess the only way for this to work under Windows with security is to have and install an alternative commercial certificate, correct? Regards
Guru Elite
Posts: 7,853
Registered: ‎09-08-2010

Re: Clearpass 802.1x certificate

Either install a commercial cert or if you are in a domain environment,
use an internal private Certificate Authority that is already trusted by
the clients.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor II
Posts: 368
Registered: ‎09-05-2012

Re: Clearpass 802.1x certificate

You could also export the certificate from the CPPM and install it on all your domain machines.

We had experimented with this initially before we received our commercial CA and it worked well (under Windows).

But as cappalli suggested, if you already have a private CA that is trusted, use it!

Regular Contributor II
Posts: 201
Registered: ‎01-30-2013

Re: Clearpass 802.1x certificate

Solved.

Imported SSL certificates from the AD.

 

Thanks
