Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onboarded device should not connect to other 802.1x ssid

  • 1.  Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:07 AM

     

    Hi,

    I am configuring an Onboard SSID and a normal 802.1X SSID. The requirement is that once a device is onboarded, if it connects to the normal 802.1X SSID it should get the restricted-access VLAN. I am trying to find a proper attribute which can differentiate an onboarded user. There is no rule like "if Authorization: Onboard repository device MAC/user exists..."; I can see only the Owner option for such a rule.



  • 2.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:14 AM

     

    If you are using TLS, you could create a policy so that only the TLS connection type can connect, vs. PEAP.

    Tag it under the Role Mapping:

     

    [screenshot: 2014-03-04 08_11_01-ClearPass Policy Manager - Aruba Networks.png]

     

    And then apply the policy

     

    [screenshot: 2014-03-04 08_13_01-ClearPass Policy Manager - Aruba Networks.png]

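The reply above describes the two-stage ClearPass flow in screenshots: a role-mapping rule keyed on the outer EAP method, followed by an enforcement policy that hands back a VLAN. The following is an added example, not code from the thread or from ClearPass, that models that flow as a first-match rule evaluator so the effect on each combination of EAP method and SSID can be seen. The attribute names Authentication:OuterMethod and Connection:SSID follow ClearPass naming; the role names, SSID names and VLAN IDs are assumptions made up for the example. One caveat the thread does not spell out: this only separates "onboarded" from "domain machine" if onboarded devices are the only EAP-TLS clients, so a domain machine authenticating with its own machine certificate would be caught by the same rule.

```python
"""Toy model of ClearPass role mapping + enforcement (added example, not product code)."""
from typing import Dict, List, Optional, Tuple

# One authentication request: the attributes ClearPass evaluates.
Request = Dict[str, str]

# Role-mapping rules: (attribute, expected value) -> role. First match wins,
# as in a ClearPass role-mapping policy with "first applicable" evaluation.
# Role names are assumptions for this example.
ROLE_MAPPING: List[Tuple[str, str, str]] = [
    ("Authentication:OuterMethod", "EAP-TLS", "Onboarded-Device"),
    ("Authentication:OuterMethod", "EAP-PEAP", "Domain-Machine"),
]
DEFAULT_ROLE = "[Other]"

# Enforcement rules: (role, SSID) -> RADIUS attributes returned to the controller.
# None in the role or SSID slot means "any". Tunnel-Private-Group-Id carries the
# VLAN; the SSID names and VLAN numbers are assumptions for this example.
ENFORCEMENT: List[Tuple[Optional[str], Optional[str], Dict[str, str]]] = [
    # Onboarded (EAP-TLS) client on the normal 802.1X SSID -> restricted VLAN.
    ("Onboarded-Device", "Corp-8021X", {"Tunnel-Private-Group-Id": "999"}),
    # Onboarded client on the Onboard SSID -> production VLAN.
    ("Onboarded-Device", "Corp-Onboard", {"Tunnel-Private-Group-Id": "10"}),
    # Domain machine using PEAP on the normal 802.1X SSID -> production VLAN.
    ("Domain-Machine", "Corp-8021X", {"Tunnel-Private-Group-Id": "10"}),
]
# Default profile when nothing matches (ClearPass services normally deny here).
DENY: Dict[str, str] = {"Access": "Reject"}


def map_role(req: Request) -> str:
    """Return the first role whose rule matches the request, else the default."""
    for attr, value, role in ROLE_MAPPING:
        if req.get(attr) == value:
            return role
    return DEFAULT_ROLE


def enforce(req: Request) -> Dict[str, str]:
    """Map the request to a role, then return the first matching enforcement."""
    role = map_role(req)
    ssid = req.get("Connection:SSID")
    for rule_role, rule_ssid, attrs in ENFORCEMENT:
        if rule_role in (None, role) and rule_ssid in (None, ssid):
            return dict(attrs)
    return dict(DENY)


if __name__ == "__main__":
    # Constructed sample requests covering the cases discussed in the thread.
    samples = [
        {"Authentication:OuterMethod": "EAP-TLS", "Connection:SSID": "Corp-8021X"},
        {"Authentication:OuterMethod": "EAP-PEAP", "Connection:SSID": "Corp-8021X"},
        {"Authentication:OuterMethod": "EAP-TLS", "Connection:SSID": "Corp-Onboard"},
        {"Authentication:OuterMethod": "EAP-PEAP", "Connection:SSID": "Corp-Onboard"},
    ]
    for req in samples:
        print(req["Authentication:OuterMethod"], req["Connection:SSID"],
              "->", map_role(req), enforce(req))
```

The model reproduces the intent of the reply: an EAP-TLS client on the normal 802.1X SSID lands in the restricted VLAN, while the same client on the Onboard SSID and a PEAP domain machine on the normal SSID both get the production VLAN.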


  • 3.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:18 AM

    Yep, I was thinking along the same lines.

    I tried with TLS but was not able to do the authentication properly. The initial requirement was to do onboarding and domain-machine 802.1X on the same SSID, but I was not able to do it.

    Instead of troubleshooting, I am trying to go with two SSIDs and limit access for onboarded machines on the other 802.1X SSID.

    Any other method apart from TLS?



  • 4.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    EMPLOYEE
    Posted Mar 04, 2014 08:20 AM

    What was the error you were seeing when authentication failed?



  • 5.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:24 AM

    I don't remember the exact error, but it included unknown_ca.

    The setup is: CPPM is the intermediate CA, and the root CA is the customer's CA.

    While doing TLS there was some certificate coming into the picture which was issued by an unknown CA: Communication Server.

    I am not confident in the TLS configuration.



  • 6.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    EMPLOYEE
    Posted Mar 04, 2014 08:25 AM

    Unknown CA means the client doesn't have the Root CA configured/trusted.



  • 7.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:27 AM

    Hi Tim,

     

    It will be a great help if you can share the TLS CPPM config and the end-client config.

    I shall share the exact error details tomorrow once I get access to CPPM.

     

    -harshad



  • 8.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    EMPLOYEE
    Posted Mar 04, 2014 08:29 AM

    Are you going through the full onboard process with the device? The root CA should be installed as part of that process.



  • 9.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:37 AM

    Yes, that device has the root CA cert.

    In the Windows client settings I am selecting outer method: smart card or certificate,

    and under Validate server certificate, the CA cert is present and checked.

     

     



  • 10.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 06:34 PM

    Are you using QuickConnect to go through the onboarding process?


  • 11.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    EMPLOYEE
    Posted Mar 04, 2014 07:07 PM

    It might not be the root that the device is not trusting; there might also be an intermediate. Make sure you combine the certs or choose manual trust in the network settings.

     

    See this post

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/TLS-authentication-issue-EAP-TLS-warning-alert-by-client-close/m-p/141491/highlight/true#M10018

     

     

     

     



  • 12.  RE: Clearpass Onboarded device should not connect to other 802.1x ssid

    Posted Mar 04, 2014 08:24 AM

     

    Can you please share how you have your service configured?

    Is it failing during the pre/post-provisioning process, or after it has been provisioned?