MVP

Did IOS 5.1.1 break MDPS in Amigopod 3.7?

Hello!

Have two installations with Amigopod 3.7 and IOS device provisioning, which both decided to stop working for clients following the recent IOS upgrade to 5.1.1.

Symptom: Registration pushes the profile and certificate to the iOS device, but doesn't show the completed part on the provisioning webpage. The profile now only lists 1 certificate, while normally I believe it should be 2 or 3. When trying to access the TLS SSID it wants me to install the EAP-termination certificate. Even accepting this I'm unable to connect. It seems previously provisioned devices can still access the TLS SSID.

Anyone else experienced this and have a workaround? No idea if the problem exists in 3.9 as I don't have that available for either installation yet.

Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Moderator

Re: Did IOS 5.1.1 break MDPS in Amigopod 3.7?

Hi, you can email support to ensure you can upgrade to 3.9 at the customer sites. The release notes list all of the fixed issues and you can find them on the Aruba support site at http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/EntryId/6478/Default.aspx

Carlos

MVP

Re: Did IOS 5.1.1 break MDPS in Amigopod 3.7?

The Release Notes for 3.9 don't mention the issue I have tho.

I've been in contact with Support, who want me to change the configuration from EAP-Termination on the Controller to the Amigopod. So just now waiting for the document to tell me how to do that. Very interesting, since EAP-Termination on the Controller was mentioned as a vital part of getting this to work in the MDPS documentation.

Hopefully I'll get that done in lab in a couple days and see if that helps solve the issues, before moving on with the customer solution. Then - next step would be 3.9..

John


Regards
John Solberg

MVP

Re: Did IOS 5.1.1 break MDPS in Amigopod 3.7?

To those who might also have run into similar problems..

Short version...

Support suggested adding apple.com to the walled garden and moving EAP-Termination from the Controller to Amigopod/Clearpass. I did and it worked. Done!

Now - why this stopped in the first place I have NOOO idea, tho I blame Apple :D . Well - it was reported non-working both in our lab environment and for the customer at about the same time iOS 5.1.1 was released.... Only trouble with that theory is that an iOS 4.3.3 also had the same problems.

Note - it was the same problem on 3.7 as on 3.9, but the same fix solved both versions.

Regards
John Solberg

MVP

Re: Did IOS 5.1.1 break MDPS in Amigopod 3.7?

Ok - so this wasn't really solved.

It turns out that once I move EAP-Termination over to Clearpass - then External Authentication servers no longer work. I can only get users that are locally registered on the Clearpass server to validate with the EAP-TLS method.

I want to validate AD users via RADIUS proxy (MS NPS), and this works as it should when EAP-Termination is on the Controller. Testing the AAA test server from the Controller I get success, so the normal way things work.

I did try some more and this is part of what I get:

**
[ocsp] --> Response status: successful
        This Update: Jun 16 23:32:11 2012 GMT
        Next Update: Jun 17 00:32:11 2012 GMT
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
 
** I was thinking that OCSP wasn't working, but this above msg tells me it is.
 
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled


**** So the TLS tunnel is established as it should be between Clearpass and the Client

++[eap] returns ok
Login OK: [cpguest] (from client Aruba620_Lab port 0 cli 3451C9ABA806)
# Executing section post-auth from file /etc/raddb/radiusd.conf
+- entering group post-auth {...}
[mdps_generic] expand: ^([^:]*):([^:]+):mdps_generic$ -> ^([^:]*):([^:]+):mdps_generic$
mdps_generic: Does not match: User-Name = cpguest
++[mdps_generic] returns ok
rlm_extautz: In postauth
rlm_extautz: extautz_postauth: time-to-connect: |0.000048|
rlm_extautz: extautz_postauth: content-length-time: |0.000060|
rlm_extautz: extautz_postauth: content-send-time: |0.000251|
rlm_extautz: extautz_postauth: Received response with extautz status: 500 Fail includes|0.008169| action|0.054492| total|0.062661|
rlm_extautz: extautz_postauth: Received response pairs:
rlm_extautz: extautz_postauth: round-trip-time: |0.065613|
rlm_extautz: extautz_postauth: External program failed (1)
++[extautz] returns fail
Using Post-Auth-Type Reject

***** So this part tells me that it's unable to validate the user against any of the authentication servers.

I have an ongoing case with Support so I'll let you know what we find out. If you do have any tips on things to try then please - let me know since the support is slow going, and customer is not so patient ;)

Regards
John Solberg

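The debug excerpt in the post above separates cleanly into stages: OCSP says the certificate is good, the TLS tunnel comes up, EAP prints "Login OK", and only then does the post-auth section turn the accept into a Reject. As an added example that is not part of this thread and not Aruba's or FreeRADIUS's own code, here is a small Python classifier that parses those quoted lines and reports the first stage at which the session was rejected. The regular expressions, the stage names and the AuthTrace structure are my own assumptions fitted to the lines John quoted; the sample log is an abridged copy of his excerpt.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Abridged debug output copied from the post above (not a constructed sample):
# OCSP check, TLS handshake, EAP result, then the post-auth section.
SAMPLE_LOG = """\
[ocsp] --> Response status: successful
        This Update: Jun 16 23:32:11 2012 GMT
        Next Update: Jun 17 00:32:11 2012 GMT
[oscp] --> Cert status: good
[ocsp] --> Certificate is valid!
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
++[eap] returns ok
Login OK: [cpguest] (from client Aruba620_Lab port 0 cli 3451C9ABA806)
# Executing section post-auth from file /etc/raddb/radiusd.conf
+- entering group post-auth {...}
++[mdps_generic] returns ok
rlm_extautz: extautz_postauth: Received response with extautz status: 500 Fail includes|0.008169| action|0.054492| total|0.062661|
rlm_extautz: extautz_postauth: External program failed (1)
++[extautz] returns fail
Using Post-Auth-Type Reject
"""

# Line patterns are assumptions fitted to the lines quoted in the thread.
# The log spells the module both "[ocsp]" and "[oscp]", so accept both.
OCSP_RE = re.compile(r"^\[(?:ocsp|oscp)\] --> Cert status: (\w+)")
TLS_OK_RE = re.compile(r"^SSL Connection Established")
LOGIN_OK_RE = re.compile(r"^Login OK: \[([^\]]+)\]")
SECTION_RE = re.compile(r"^# Executing section (\S+)")
MODULE_RE = re.compile(r"^\+\+\[(\w+)\] returns (\w+)")
POST_AUTH_TYPE_RE = re.compile(r"^Using Post-Auth-Type (\w+)")


@dataclass
class AuthTrace:
    ocsp_status: Optional[str] = None      # "good", "revoked", ... or None if no OCSP line seen
    tls_established: bool = False          # inner TLS handshake with the supplicant completed
    login_ok_user: Optional[str] = None    # user name printed on the "Login OK" line
    post_auth_type: Optional[str] = None   # "Reject" when post-auth overrode the accept
    # (section, module, result) in the order the server logged them
    module_results: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_trace(text: str) -> AuthTrace:
    """Walk the debug output once and record the facts needed for a diagnosis."""
    trace = AuthTrace()
    section = "authenticate"  # everything before an explicit "# Executing section" marker
    for raw in text.splitlines():
        line = raw.strip()
        if m := OCSP_RE.match(line):
            trace.ocsp_status = m.group(1)
        elif TLS_OK_RE.match(line):
            trace.tls_established = True
        elif m := LOGIN_OK_RE.match(line):
            trace.login_ok_user = m.group(1)
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := MODULE_RE.match(line):
            trace.module_results.append((section, m.group(1), m.group(2)))
        elif m := POST_AUTH_TYPE_RE.match(line):
            trace.post_auth_type = m.group(1)
    return trace


def diagnose(text: str) -> dict:
    """Name the first stage at which the session was rejected ("none" if it was accepted)."""
    t = parse_trace(text)
    if t.ocsp_status is not None and t.ocsp_status != "good":
        stage = f"certificate-status:{t.ocsp_status}"
    elif not t.tls_established:
        stage = "tls-handshake"          # client or server certificate trust problem
    elif t.login_ok_user is None:
        stage = "eap-authentication"     # tunnel came up, EAP still did not accept
    elif t.post_auth_type == "Reject":
        # Authentication succeeded; a post-auth module (here the external
        # authorization hook) turned the accept into a Reject. Report the first one.
        failed = [mod for sec, mod, res in t.module_results
                  if sec == "post-auth" and res == "fail"]
        stage = f"post-auth:{failed[0]}" if failed else "post-auth"
    else:
        stage = "none"
    return {"user": t.login_ok_user, "ocsp": t.ocsp_status,
            "tls": t.tls_established, "stage": stage}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the excerpt it reports stage post-auth:extautz with user cpguest, OCSP good and the tunnel established, which is exactly the reading in the post: the certificate and the TLS tunnel were fine, and the rejection came from the authorization step after authentication had already succeeded. Feeding it a trace that stops at the TLS lines yields tls-handshake instead, so the same script separates the "install the EAP-termination certificate" symptom from the authorization one.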
MVP

Re: Did IOS 5.1.1 break MDPS in Amigopod 3.7?

Thought I'd add the solution here too - just for info..

When you configure the Amigopod to do EAP-Termination it automatically creates a new Authentication server called "Local Certificate Authority". But - the default value for "Authorization Method" is set to "Use the common name of the certificate to match a local user account", and that messed things up. Changing that value to "No authorization - authenticate only" instantly solved my problem.

Why this stopped working in the first place I've stopped contemplating.

Thanks again for your time

.. John

Regards
John Solberg
