Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

  • 1.  Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 05, 2014 03:33 PM

    I have a master/local setup managing about 200 RAPs which all use the same exact profile from our controller.  We recently upgraded from Cisco ACS to ClearPass for authentication and I realized that all our hard-wired connections were still pointing to ACS (wireless is working fine).  So we built the services and enforcement policies through CPPM and tested it out successfully.  Last night I repointed the authentication for the hard-wired connections from ACS to CPPM and saw it was accepting requests as it should.  This morning, however, users started logging on and I noticed several timeouts, and on the user end they are receiving the error "unauthenticated network".  When I checked the individual users on the local controller, they repeatedly stated that the controller was reaching out to the client (the Windows computer) for an EAP request with no response back.  This happened with 30-40% of the connections out there even though they all have the same configuration.

    It sounds like when I made the change, something broke on the client end, but I don't know what it is.

    Any thoughts? I was thinking to reboot all of the RAPs along with both of the controllers this evening.  Right now users have just been switching to wireless as a workaround, and if the reboot doesn't work tonight, I'm going to point it back to ACS.



  • 2.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Dec 05, 2014 03:36 PM
    Were the client supplicants reconfigured for the new radius server? (CA if signed by a different one and trusted server names)


  • 3.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 05, 2014 03:40 PM

    Can you please clarify?  (meaning probably not)



  • 4.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Dec 05, 2014 03:42 PM
    Did you export the RADIUS certificate from ACS or does ClearPass have a new one?

    If it's a new one, is it signed by the same CA?


  • 5.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 05, 2014 04:03 PM

    Our ACS was set up to not require certificates at the time.  I know CPPM does require certificates for our Wireless and VPN connections, but the wired connection was set up by Aruba support, so I don't know.  How do I check those settings?



  • 6.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Dec 05, 2014 04:04 PM
    What EAP method are you using for wired?


  • 7.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 05, 2014 04:07 PM

    EAP-PEAP MSCHAPv2



  • 8.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Dec 05, 2014 04:10 PM
    PEAP requires a server certificate.

    How are the client's supplicants being configured? Manually or via group policy?

    Do you have access to a client to look at the supplicant configuration?


  • 9.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 05, 2014 04:20 PM

    We manage them through Group Policy.  All client machines on the network are configured to not require a cert because they didn't under ACS.



  • 10.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 05, 2014 04:27 PM

    I just noticed that all of my successful authentications are only going through MSCHAPv2.



  • 11.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Dec 05, 2014 09:16 PM

    Paul.Saddy,


    What does your group policy look like that is being pushed to clients?  Under PEAP settings, is "Validate Server Certificate" unchecked?




  • 12.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 13, 2014 09:54 PM

    Problem is still ongoing.  I had to repoint the auth back to ACS until I figured out the cause.  The "validate server certificate" is unchecked to all clients through GP.


    Tuesday I have a Aruba support call and I am going to just have the Clearpass engineer go through all of the ACS and Win 7 client configurations and make sure CPPM is set up the way it should be.  Clearly there is at least one piece missing.



  • 13.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Dec 31, 2014 01:51 PM

    Problem rolls on and on and Aruba can't figure it out.  So here is what we know:

    1) I have a test profile on the controller that I've tested successfully on a RAP-2, RAP-5 and a RAP-155 through the AP Specific option.

    2) All of our RAPs connect through DHCP via a DSL/Cable provider through an IPsec tunnel and terminate to a local controller at our data center, but we also have a master at the same location.

    3) On the three successful devices, I have tested via my account (admin), the same service account that we use in the field, and a test user account.  All three users authenticated through ClearPass on my laptop.

    4) Last night I found a Win 7 user out in the field connected to a RAP 5 as well as a device utilizing the same service account I tested, which also runs on Windows 7.  I went into the controller under AP Specific and used the same test profile I used in #1 above, which repointed their RAP interfaces from ACS to CPPM, and sure enough, those two users timed out with the error "unable to complete the EAP transaction".  Same problem where the Windows 7 client does not respond back to CPPM during the EAP request but it responds to ACS fine.

    5) Right now CPPM is only handling the RADIUS requests.

    6) There is absolutely nothing different in the controller about the profile that handles ACS and the one that handles CPPM except for the servers they point to.

    Whoever can figure this out gets major kudos, for what it's worth!!



  • 14.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Dec 31, 2014 08:16 PM

    We have even less information than TAC does, so we are less likely to help.  In addition, we have not received answers about crucial questions about your server certificates, and we think that is where the problem exists.



  • 15.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Jan 05, 2015 11:10 AM

    I did answer those questions.  It's been listed above for the past few weeks.  But here it is again:


    The "validate server certificate" is unchecked to all clients through GP.



  • 16.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Jan 05, 2015 11:13 AM
    Even if that is unchecked, it requires user intervention to accept the new certificate. I would try to manually configure a client and see if there are any popups on the client.


  • 17.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    Posted Jan 05, 2015 11:25 AM

    Do you have some more information on this?  It's been a while since I have received one from out in the field, but the failed users would just get a LAN connection error of "unable to authenticate (or authorize) to network."  No pop-up.  But if there's a new certificate needed, we could easily push out any needed settings through GP or test it.



  • 18.  RE: Hard-Wired client connections to RAP 5s/155s not responding to EAP from Server

    EMPLOYEE
    Posted Jan 05, 2015 01:46 PM

    paul.saddy,


    Please continue to work with TAC.  We cannot get enough private information here on this forum to understand what is going on.


    You mention that your clients only started having the problem when your clients were pointed from your ACS server to your Aruba controller.  When a client is connected and in the user table, it will continue to authenticate to the radius server that it first authenticated to, even if the radius servers in the server group are changed.   That would mean that only new clients that attached would have problems with the Aruba controller...  That is only a guess, but only TAC would have access to your detailed configuration and logs to truly understand what is going on.  Your radius server certificates also would need to be examined, because even though "Validate Server Certificate" is disabled, both radius server certificates need to exist for 802.1x to occur successfully.  I would switch my clients back to the ACS temporarily until TAC can get to the bottom of why this is happening in the first place.  


    If you feel you are not making progress, you can ask to have the case escalated.  We likely will not be able to make progress on this forum by guessing what your issue is.  Please keep us informed if you make any progress with TAC.
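Replies 8, 16 and 18 all come back to the supplicant's PEAP server-validation settings ("Validate server certificate", the prompt for new servers/CAs, and the trusted root CA). The following added example, which is not from the thread or from HPE Aruba, audits those settings in a Group Policy or `netsh lan export profile` style wired profile XML; the sample profile is constructed, and its element names and namespaces are assumed from the Windows LAN profile schema rather than taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a "netsh lan export profile" XML for PEAP/MSCHAPv2 with
# "Validate server certificate" unchecked; element names and namespaces are assumed.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1"><MSM><security>
 <OneXEnabled>true</OneXEnabled>
 <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation>
      <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
      <ServerNames></ServerNames>
     </ServerValidation>
     <Eap><Type>26</Type></Eap>
     <PeapExtensions><PerformServerValidation
       xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
     </PeapExtensions>
    </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></LANProfile>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace, keep the element name

def _first(root, name):
    return next(((e.text or "").strip() for e in root.iter() if _local(e.tag) == name), None)

def audit_peap_profile(xml_text):
    """Summarise the PEAP server-validation settings and list the risky ones."""
    root = ET.fromstring(xml_text)
    r = {
        "validate_server_cert": _first(root, "PerformServerValidation") == "true",
        "prompt_disabled": _first(root, "DisableUserPromptForServerValidation") == "true",
        "trusted_root_cas": [(e.text or "").strip() for e in root.iter()
                             if _local(e.tag) == "TrustedRootCA"],
        "server_names": _first(root, "ServerNames") or "",
        "findings": [],
    }
    f = r["findings"]
    if not r["validate_server_cert"]:
        f.append("server certificate validation off: any RADIUS server certificate is accepted")
    elif not r["trusted_root_cas"]:
        f.append("validation on but no TrustedRootCA pinned: trust depends on the user prompt")
    if not r["prompt_disabled"]:
        f.append("user prompt for new servers/CAs enabled: an unanswered prompt is seen as an EAP timeout")
    if r["validate_server_cert"] and not r["server_names"]:
        f.append("no ServerNames restriction: any certificate from a trusted CA is accepted")
    return r
```

Run it against the profile exported from a failing Win 7 client and a working one; if validation is enabled in either, the ClearPass server certificate's issuing CA must appear in `trusted_root_cas` or the prompt path is what the client is waiting on.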