Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Clearpass Onboarded device should not connect to other 802.1x ssid


Hi,

I am configuring an onboard SSID and a normal 802.1X SSID. The requirement is that once the device is onboarded, if it connects to the normal 802.1X SSID it should get the restricted-access VLAN. I am trying to find a proper attribute which can differentiate an onboarded user. There is no rule like "if Authorization: onboard repository device MAC/user exists"... I can see only the owner option for such a rule.

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Clearpass Onboarded device should not connect 802.1 ssid

 

If you are using TLS, you could create a policy so that only the TLS connection type can connect, as opposed to PEAP.

Tag it under the Role Mapping:

[Screenshot: 2014-03-04 08_11_01-ClearPass Policy Manager - Aruba Networks.png]

And then apply the policy:

[Screenshot: 2014-03-04 08_13_01-ClearPass Policy Manager - Aruba Networks.png]

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass Onboarded device should not connect 802.1 ssid

Yep, I was thinking along the same lines.

I tried with TLS but was not able to do the authentication properly. The initial requirement was to do onboarding and domain machine 802.1X on the same SSID, but I was not able to do it.

Instead of troubleshooting, I am trying to go with two SSIDs and limit access for onboarded machines on the other 802.1X SSID.

Any other method apart from TLS?

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Clearpass Onboarded device should not connect 802.1 ssid

What was the error you were seeing when authentication failed?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Clearpass Onboarded device should not connect 802.1 ssid

Can you please share how you have your service configured?

Is it failing during the pre/post-provisioning process, or after it's been provisioned?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass Onboarded device should not connect 802.1 ssid

 

I don't remember the exact error, but it included unknown_ca.

The setup is: CPPM is the intermediate CA, the root CA is the customer CA.

While doing TLS, a certificate came into the picture which was issued by an unknown CA: Communication Server.

I am not confident about the TLS configuration.

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Clearpass Onboarded device should not connect 802.1 ssid

Unknown CA means the client doesn't have the Root CA configured/trusted.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
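
One way to check offline whether a certificate chains to the expected root, using the hierarchy described in this thread (customer root CA, intermediate CA, device certificate) next to a certificate from an unrelated issuer; a chain that cannot be built to a trusted root is the condition TLS reports as unknown_ca. This is an added example, not posted by anyone in the thread: all subjects, file names and helper functions are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example; every name, subject and file below is constructed.
# Hierarchy as in the thread: root CA -> intermediate CA -> device certificate,
# plus one certificate from an unrelated CA that is not in the trust chain.

self_signed() {  # $1=dir $2=file stem $3=CN
  openssl req -config "$1/o.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 2 -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

issue() {  # $1=dir $2=file stem $3=CN $4=issuer stem $5=extension section
  openssl req -config "$1/o.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/o.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

build_pki() {  # $1 = empty working directory
  # Minimal config so nothing depends on the system openssl.cnf
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints=CA:FALSE' > "$1/o.cnf"
  self_signed "$1" root "Example Customer Root CA" &&
  issue "$1" inter "Example Intermediate CA" root v3_ca &&
  issue "$1" device "onboarded-device" inter v3_leaf &&
  self_signed "$1" other "Example Unrelated CA" &&
  issue "$1" stray "stray-client-cert" other v3_leaf
}

verdict() {  # $1=dir $2=file stem; prints "trusted" or "untrusted"
  # Trust only the root; the intermediate is supplied as an untrusted helper.
  if openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
       "$1/$2.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

report() {  # build a throwaway PKI, print verdict and issuer for each cert
  d=$(mktemp -d) || return 1
  build_pki "$d" || { rm -rf "$d"; return 1; }
  for c in device stray; do
    echo "$c: $(verdict "$d" "$c"), $(openssl x509 -in "$d/$c.pem" -noout -issuer)"
  done
  rm -rf "$d"
}

report
```

The issuer printed for the untrusted certificate is the field to compare against the CA hierarchy the verifier is configured to trust.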
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass Onboarded device should not connect 802.1 ssid

Hi Tim,

It would be a great help if you could share the TLS CPPM config and end-client config.

I shall share the exact error details tomorrow once I get access to CPPM.

-harshad

Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Clearpass Onboarded device should not connect 802.1 ssid

Are you going through the full onboard process with the device? The root CA should be installed as part of that process.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 109
Registered: ‎01-01-2012

Re: Clearpass Onboarded device should not connect 802.1 ssid

Yes, that device has the root CA cert.

In the Windows client settings I am selecting the outer method: smart card or cert..

and under validate server cert: the CA cert is present and checked.