Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Did iOS 5.1.1 break MDPS in Amigopod 3.7?

  • 1.  Did iOS 5.1.1 break MDPS in Amigopod 3.7?

    Posted May 25, 2012 07:07 AM

    Hello!

    Have two installations with Amigopod 3.7 and iOS device provisioning, which both decided to stop working for clients following the recent iOS upgrade to 5.1.1.

    Symptom: Registration pushes the profile and certificate to the iOS device, but doesn't show the completed part on the provisioning webpage. The profile now only lists 1 certificate, while normally I believe it should be 2 or 3. When trying to access the TLS SSID it wants me to install the EAP-termination certificate. Even after accepting this I'm unable to connect. It seems previously provisioned devices can still access the TLS SSID.

    Anyone else experienced this and have a workaround? No idea if the problem exists in 3.9 as I don't have that available for either installation yet.



  • 2.  RE: Did iOS 5.1.1 break MDPS in Amigopod 3.7?

    Posted Jun 02, 2012 11:03 PM

    Hi, you can email support to ensure you can upgrade to 3.9 at the customer sites. The release notes list all of the fixed issues and you can find them on the Aruba support site at http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/EntryId/6478/Default.aspx

    Carlos



  • 3.  RE: Did iOS 5.1.1 break MDPS in Amigopod 3.7?

    Posted Jun 05, 2012 07:07 AM

    The Release Notes for 3.9 don't mention the issue I have, though.

    I've been in contact with Support, who want me to change the configuration from EAP-Termination on the Controller to the Amigopod. So just now I'm waiting for the document that tells me how to do that. Very interesting, since EAP-Termination on the Controller was mentioned as a vital part of getting this to work in the MDPS documentation.

    Hopefully I'll get that done in the lab in a couple of days and see if that helps solve the issues, before moving on with the customer solution. Then - next step would be 3.9..

    John



  • 4.  RE: Did iOS 5.1.1 break MDPS in Amigopod 3.7?
    Best Answer

    Posted Jun 14, 2012 05:16 PM

    To those who might also have run into similar problems..

    Short version...

    Support suggested adding apple.com to the walled garden and moving EAP-Termination from the Controller to Amigopod/ClearPass. I did and it worked. Done!

    Now - why this stopped working in the first place I have NOOO idea, though I blame Apple :D . Well - it was reported non-working both in our lab environment and for the customer at about the same time iOS 5.1.1 was released.... The only trouble with that theory is that an iOS 4.3.3 device also had the same problems.

    Note - it was the same problem on 3.7 as on 3.9, but the same fix solved both versions.



  • 5.  RE: Did iOS 5.1.1 break MDPS in Amigopod 3.7?

    Posted Jun 16, 2012 07:44 PM

    Ok - so this wasn't really solved.

    It turns out that once I move EAP-Termination over to ClearPass, External Authentication servers no longer work. I can only get users that are locally registered on the ClearPass server to validate with the EAP-TLS method.

    I want to validate AD users via RADIUS Proxy (MS NPS), and this works as it should when EAP-Termination is on the Controller. Testing the AAA Test Server from the Controller I get success, so the normal way things work.

    I did try some more and this is part of what I get:

     

    **
    [ocsp] --> Response status: successful
            This Update: Jun 16 23:32:11 2012 GMT
            Next Update: Jun 17 00:32:11 2012 GMT
    [oscp] --> Cert status: good
    [ocsp] --> Certificate is valid!
     
    ** I was thinking that OCSP wasn't working, but this above msg tells me it is.
     
    [tls] TLS_accept: SSLv3 write finished A
    [tls] TLS_accept: SSLv3 flush data
    [tls] (other): SSL negotiation finished successfully
    SSL Connection Established
    [tls] eaptls_process returned 13
    ++[eap] returns handled
    
    
    **** So the TLS tunnel is established as it should be between ClearPass and the Client
    
     
    ++[eap] returns ok
    Login OK: [cpguest] (from client Aruba620_Lab port 0 cli 3451C9ABA806)
    # Executing section post-auth from file /etc/raddb/radiusd.conf
    +- entering group post-auth {...}
    [mdps_generic] expand: ^([^:]*):([^:]+):mdps_generic$ -> ^([^:]*):([^:]+):mdps_generic$
    mdps_generic: Does not match: User-Name = cpguest
    ++[mdps_generic] returns ok
    rlm_extautz: In postauth
    rlm_extautz: extautz_postauth: time-to-connect: |0.000048|
    rlm_extautz: extautz_postauth: content-length-time: |0.000060|
    rlm_extautz: extautz_postauth: content-send-time: |0.000251|
    rlm_extautz: extautz_postauth: Received response with extautz status: 500 Fail includes|0.008169| action|0.054492| total|0.062661|
    rlm_extautz: extautz_postauth: Received response pairs:
    rlm_extautz: extautz_postauth: round-trip-time: |0.065613|
    rlm_extautz: extautz_postauth: External program failed (1)
    ++[extautz] returns fail
    Using Post-Auth-Type Reject
    
    ***** So this part tells me that it's unable to validate the user against any of the authentication servers.

     

    I have an ongoing case with Support, so I'll let you know what we find out. If you do have any tips on things to try then please let me know, since support is slow going and the customer is not so patient ;)
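
A small log triage script, added here and not part of the original thread, that walks FreeRADIUS-style debug output like the excerpt above in request order (OCSP verdict, TLS tunnel, EAP result, post-auth modules) and names the first stage that did not succeed. The sample log is a constructed condensation of the lines quoted above, and the stage markers it keys on are assumed from those lines.

```python
import re
# Constructed sample, condensed from the debug output quoted in the post above.
SAMPLE_LOG = """\
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
SSL Connection Established
++[eap] returns ok
Login OK: [cpguest] (from client Aruba620_Lab port 0 cli 3451C9ABA806)
# Executing section post-auth from file /etc/raddb/radiusd.conf
++[mdps_generic] returns ok
rlm_extautz: extautz_postauth: Received response with extautz status: 500 Fail includes|0.008169| action|0.054492| total|0.062661|
++[extautz] returns fail
Using Post-Auth-Type Reject
"""

MODULE_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")   # FreeRADIUS module return codes
LOGIN_RE = re.compile(r"^Login OK: \[([^\]]+)\]")
CERT_RE = re.compile(r"Cert status: (\w+)")                # OCSP verdict on the client cert
EXTAUTZ_RE = re.compile(r"extautz status: (\d+)")         # external authorization status

def analyse(log_text):
    """Walk the debug output in order and record each stage's outcome."""
    r = {"cert_status": None, "tls_established": False, "login_user": None,
         "extautz_status": None, "authenticate": {}, "post_auth": {}}
    section = "authenticate"          # module results before post-auth belong here
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("# Executing section post-auth"):
            section = "post_auth"
        elif m := CERT_RE.search(line):
            r["cert_status"] = m.group(1)
        elif line == "SSL Connection Established":
            r["tls_established"] = True
        elif m := LOGIN_RE.match(line):
            r["login_user"] = m.group(1)
        elif m := EXTAUTZ_RE.search(line):
            r["extautz_status"] = int(m.group(1))
        elif m := MODULE_RE.match(line):
            r[section][m.group(1)] = m.group(2)   # last return code of a module wins
    r["diagnosis"] = diagnose(r)
    return r

def diagnose(r):
    # Report the first stage that did not succeed, in request-flow order.
    failed = [m for m, rc in r["post_auth"].items() if rc in ("fail", "reject")]
    checks = [(r["cert_status"] in (None, "good"), "client certificate rejected by OCSP"),
              (r["tls_established"], "TLS tunnel never established"),
              (r["login_user"] is not None, "EAP authentication did not complete"),
              (not failed, "authenticated but rejected in post-auth by " + ", ".join(failed))]
    return next((msg for ok, msg in checks if not ok), "accepted")
```

On the sample this reports the same thing the post concludes by hand: certificate and TLS are fine, EAP accepts the user, and the reject comes from the external authorization step in post-auth.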


  • 6.  RE: Did iOS 5.1.1 break MDPS in Amigopod 3.7?
    Best Answer

    Posted Jul 05, 2012 03:22 AM

    Thought I'd add the solution here too - just for info..

    When you configure the Amigopod to do EAP-Termination, it automatically creates a new Authentication server called "Local Certificate Authority". But the default value for "Authorization Method" is set to "Use the common name of the certificate to match a local user account", and that messed things up. Changing that value to "No authorization - authenticate only" instantly solved my problem.

    Why this stopped working in the first place I've stopped contemplating.

    Thanks again for your time

    .. John