Occasional Contributor I
Posts: 9
Registered: ‎03-03-2014

Clearpass Onboard - Intermediate CA deployment problems

Hi,

 

I'm trying to deploy CP with Onboard, using it as an intermediate CA with a Microsoft (MS) infrastructure. The domain is a .local and I understand that it's not possible to sign the DNS names using a trusted 3rd party like VeriSign.

 

However - I figure we should be able to sign the push and distribution certs using the internal CA as devices will have to manually add the internal root CA and intermediate CA (clearpass) before trying to enroll the device and complete the onboarding process.


I've encountered the following challenges:

 

a) It seems though this doesn't look to be possible?

b) Generating the push cert - doesn't look to be a standard CSR - however I did get it signed by apple - even though clearpass throws a warning.

c) Generation of the distribution cert (CSR) works and I have signed it on the MS Root CA using the web server template. When importing the certificate, though, I'm getting the following error message:

 

- error 20 at 0 depth lookup:unable to get local issuer certificate

 

Has anyone deployed ClearPass in the same fashion? Is it even possible to achieve using Onboard/OnGuard with ClearPass as an intermediate CA to provision devices and deploy certificates to them so they can then authenticate to our dot1x'd BYOD SSID?

 

I've read through the deployment guide and I've hit a wall so any help would be greatly appreciated.
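The OpenSSL message quoted above is raised when the immediate issuer of the certificate being checked is absent from the trust store doing the check. As an added example, not from this thread, the script below builds a constructed lab PKI (placeholder names: "Lab Root CA", "Lab Intermediate CA", "clearpass.example.local") and shows error 20 when only the root is trusted, and a clean verify once the issuing chain is imported alongside it.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL's
# "error 20 at 0 depth lookup: unable to get local issuer certificate"
# with a constructed two-tier CA, then show the same leaf certificate
# verifying once the issuing CA chain is in the trust list.
set -e
WORK=$(mktemp -d)

# Constructed lab PKI with placeholder names: root CA -> intermediate CA -> leaf.
gen_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=clearpass.example.local" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/leaf.crt" 2>/dev/null
    # The "root cert + chain" bundle one would add to a trust list.
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# verify_leaf TRUSTFILE: prints 0 when the leaf verifies against TRUSTFILE,
# otherwise the OpenSSL X509 verify error number (20 = issuer cert not found).
verify_leaf() {
    if out=$(openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1
    fi
}

gen_pki
echo "root CA only in trust list:        error $(verify_leaf "$WORK/root.crt")"
echo "root + intermediate in trust list: error $(verify_leaf "$WORK/chain.pem")"
```

Running it prints error 20 for the first case and error 0 for the second; the leaf certificate itself is unchanged between the two, only the trust list differs.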

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass Onboard - Intermediate CA deployment problems

What version of CPPM are you using?

 

In 6.3 you should be able to, since we split the RADIUS and HTTPS cert.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Posts: 9
Registered: ‎03-03-2014

Re: Clearpass Onboard - Intermediate CA deployment problems

6.3

 

I don't see a way round the push and distribution certs though?

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass Onboard - Intermediate CA deployment problems

Did you look through Danny's Cert Doc?

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=13375

Thank You,
Troy

Occasional Contributor I
Posts: 9
Registered: ‎03-03-2014

Re: Clearpass Onboard - Intermediate CA deployment problems

Yeah, I found that while waiting on replies - it mentions another PDF to read, 'ADCS with ClearPass OnBoard'.

 

I'm in the process of getting that.

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass Onboard - Intermediate CA deployment problems

The issue with iOS devices is that the web server cert needs to be issued by a trusted CA.

 

So in your case you need to have the web server cert signed by a trusted CA.

 

For the CA in CP Guest you need to do a CSR request and then import the signed cert in CP Guest. Then walk through the provisioning settings, where it will use the cert that was signed by the AD.

 

[Attachment: screenshot_01 Apr. 01 23.37.gif]

Thank You,
Troy

Occasional Contributor I
Posts: 9
Registered: ‎03-03-2014

Re: Clearpass Onboard - Intermediate CA deployment problems

Hi

 

I'm unable to find that tech document on the support site - are you able to see if it has been published?

 

RE: "There is another TechNote that specifically covers the configuration and integration of ADCS called 'ADCS with ClearPass OnBoard'."

 

 

Thanks

Nicholas

Moderator
Posts: 470
Registered: ‎11-09-2012

Re: Clearpass Onboard - Intermediate CA deployment problems

Nicholas,

 

We've had a delay in posting the ADCS TechNote, which explains why you can't see the doc!

 

In relation to your problem... we can add CPPM to ADCS as an intermediary... there are multiple steps that need to happen to ensure this works... hopefully this list will get us going initially in the right direction...

 

 

You need to ensure CPPM is added to the AD Domain, then modify the filter query in the attributes tab for the filter Authentication. Make it...

 

(&(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))
Next you need to create an auth method that will query the OCSP responder on ADCS instead of the CPPM OCSP responder. So copy the EAP TLS with OCSP and amend the URL to point to http://ADCS_SERVER/ocsp (typically)...

 

 

Make sure any services you have created utilise the new auth methods.

 

You need to ensure that you have your cert trust list configured correctly; ensure you have downloaded the root cert + chain from ADCS and this has been added to the trust list on CPPM.

 

This also needs to be added to the OnBoard cert store under Guest.

 

Then ensure that under Onboard provisioning you have set CPPM to use ADCS as the certificate 'signer'.
Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor I
Posts: 9
Registered: ‎03-03-2014

Re: Clearpass Onboard - Intermediate CA deployment problems

[ Edited ]

Hi,

 

I believe I've set up all the CA stuff correctly, but I'm having trouble with the device enrollment and getting a certificate on an iPad. I can log in to ClearPass on the device provisioning page and download a profile (which the iPad trusts), but when installing the profile I'm getting an error:

 

"a connection to the server could not be established".

 

Does anyone have any thoughts? Is there a troubleshooting guide I can read to work through this problem? 

 

To make life simple the ACL on the role is an allow-all, and I can connect directly to the https://clearpass.domain.com/guest/mdps_profile.php URL manually... So what is it trying to connect to?

 

The only thing that I can see that might be causing a problem: when trying to install, the following error is seen in the ClearPass Access Tracker. The RADIUS request is Rejected, details:

 

 

Error Code: 204
Error Category: Authentication failure
Error Message: Failed to classify request to service
Alerts for this Request:
RADIUS: Service Categorization failed
Moderator
Posts: 470
Registered: ‎11-09-2012

Re: Clearpass Onboard - Intermediate CA deployment problems

Did you use a self-signed certificate?

If you did, I strongly recommend that you get a publicly signed cert; things will be much easier.


Please excuse my errors as sent using my small useless keyboard on my smartphone.

Regards
--d

Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
o: 408-513-8938 (diverts to cell)
e: danny@arubanetworks.com
