Super Contributor II
Posts: 349
Registered: 02-22-2011

Issues with Onboarding TLS devices

Hi All,

I have a CPPM 6.2 installation currently working nicely, just doing 802.1X with PEAP-MSCHAPv2 authentication against AD.

The server has a public certificate (Entrust) installed for terminating RADIUS.

I'd like to try and get a small group of devices onboarded, and I think I've got the setup fairly close to right: I am using a self-signed internal CA and have set up the provisioning profiles to connect using TLS.

The issue I'm having is when I try to onboard a Windows device: it successfully onboards, however when it switches over to the TLS authentication afterwards, it fails to log on with the following error in the Access Tracker. Anybody got any ideas where to start here?

My assumption is that the TLS authentication should be checked against the Onboard repository and not the AD server?

RADIUS

[Onboard Devices Repository] - localhost: User not found. EAP-TLS:  fatal alert by client -  access_denied

Super Contributor II
Posts: 349
Registered: 02-22-2011

Re: Issues with Onboarding TLS devices

Further to that, if I turn off certificate validation on the client it appears to work OK.

I am using the auto trust settings in the wireless profile on the Onboard configuration.

Aruba
Posts: 1,534
Registered: 06-12-2012

Re: Issues with Onboarding TLS devices

RADIUS

[Onboard Devices Repository] - localhost: User not found. EAP-TLS:  fatal alert by client -  access_denied

The section that says "fatal alert by client" means the client doesn't trust the server. Make sure you combine the Root/Intermediate/server cert.

If you need to, add them to the trusted server list in the network settings.


Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Aruba
Posts: 1,534
Registered: 06-12-2012

Re: Issues with Onboarding TLS devices

Here is an example of my cert.

[screenshot: example of the server certificate]

And if you want to push out the root separately, you can add it to the network settings. In my example I have a GoDaddy UCC cert that is signed by Starfield and I'm pushing the root cert to the client.

[screenshot: network settings with the root cert added]

Thank You,
Troy

Super Contributor II
Posts: 349
Registered: 02-22-2011

Re: Issues with Onboarding TLS devices

Thanks Troy, you've saved me again!

I added the server name and root CAs manually into the trust settings and it works a treat!

Any idea why the auto trust doesn't do this for you?


Scott

Aruba
Posts: 1,534
Registered: 06-12-2012

Re: Issues with Onboarding TLS devices

It comes down to how you import the cert. If you import just the cert, or if the chain isn't put into the cert correctly, then you will run into that issue.

When you use the auto select, it pulls the cert from the CPPM cert.

Thank You,
Troy
