Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Onboard - MDPS design/setup help needed! (for iPads)

  • 1.  Onboard - MDPS design/setup help needed! (for iPads)

    Posted Aug 24, 2012 10:50 AM

    Hi,

    Hopefully someone can help me out!

    I have been working on setting up iPad provisioning using Onboard and have had no luck as of yet.

    What I have set up is what is demoed:

    - connect to provisioning SSID
    - install root cert
    - authenticate to AD
    - install profile
    - connect to provisioned SSID (different)

    The issue is that when the iPad connects to the provisioned SSID it waits a while then says "unable to join XXXX".

    On the provisioned SSID we have the RADIUS pointing to an NPS server which has the root cert for our CA and even Onboard (tried both ways: Onboard subCA and Onboard own CA).

    The access deny message on the NPS server says that "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider." (we get this using both CA modes)

    I believe it has something to do with the OCSP URL and have read over this Airheads post:

    http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Problems-with-MDPS-any-updated-complete-tech-docs-yet/m-p/25464/highlight/true#M186

    From the Onboard documentation it says we need to configure our auth server to use OCSP to check the revocation status of a client certificate.

    I guess then, how do I do this??

    The client certs have the OCSP URL in them and I added them to the Onboard subCA cert (and Onboard CA cert) that we have on the NPS server but no go.

    I clearly am missing a step....

    Thanks!


  • 2.  RE: Onboard - MDPS design/setup help needed! (for iPads)

    EMPLOYEE
    Posted Aug 24, 2012 09:04 PM

    When onboarded, the certificates are created in the ClearPass Onboard environment, and the controller should authenticate to the ClearPass Onboard server as a RADIUS server to validate the credentials of the onboarded devices:

    - Configure the ClearPass Onboard server as a RADIUS server in the controller.

    - Run the LAN/WLAN wizard to stand up the onboarded WPA2-AES SSID, choosing the existing ClearPass Onboard server in the controller as the RADIUS server.

    On the Onboard server:

    - Configure the controller as a NAS device in the ClearPass Onboard server under RADIUS > Network Authentication Servers.

    - Have the Onboard server's RADIUS server request a server certificate by going to RADIUS > Authentication > EAP and 802.1X > Create Server Certificate > Request a Certificate from Another Certificate Authority. Fill out the server information and get the CSR file.

    Take that file to the Onboard CA (Onboard > Certificate Management > Upload a Certificate Signing Request). When the TLS server certificate is created, go to the TLS server certificate and click on Export Certificate.

    Take that file and apply it to the Onboard server's RADIUS server by going to RADIUS > Authentication > EAP and 802.1X > Import Server Certificate. When that is done, go back to RADIUS > Authentication > EAP and 802.1X > EAP Configuration and make sure EAP-MSCHAPv2, EAP-TLS and PEAP are checked. To get it working, you can disable certificate revocation checks for now.

    You will need to restart the Onboard RADIUS server before doing anything.

    See if you can associate an onboarded client to the SSID.

    For troubleshooting, go to RADIUS > Server Control > Debug RADIUS Server.
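The "chain processed correctly, but one of the CA certificates is not trusted" symptom in the first post, and the OCSP URL the Onboard client certificates carry, can be reproduced with plain openssl before touching NPS or ClearPass. The script below is an added example for this thread, not something posted by the original poster or by HPE Aruba: it builds a throwaway two-tier PKI that stands in for "enterprise root CA with Onboard as a subordinate CA", issues a client certificate with an OCSP URL in its Authority Information Access extension, and then verifies that certificate three ways. All names (the CA subjects, `ipad-001.example.test`, the URL `http://onboard.example.test/ocsp`) are constructed for the example; no OCSP responder is running, so the last step only builds the request the RADIUS server would send.

```shell
#!/bin/sh
# Added example, not code from the thread or from HPE Aruba.
# Requires the openssl CLI (1.1.1 or 3.x). Everything is written to a
# temporary directory and the names used are made up for the example.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# 1. Self-signed root, standing in for the enterprise CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Enterprise Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# 2. Subordinate CA, standing in for "Onboard as subCA", signed by the root.
cat > sub.ext <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Onboard Subordinate CA (example)" \
  -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null

# 3. Device (EAP-TLS client) certificate issued by the subordinate CA.
#    The OCSP URL is constructed; nothing answers at it in this example.
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
authorityInfoAccess=OCSP;URI:http://onboard.example.test/ocsp
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=ipad-001.example.test" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 365 -sha256 -extfile client.ext -out client.pem 2>/dev/null

# A "full chain" trust file: root and subordinate together.
cat root.pem sub.pem > chain.pem

# Print the OCSP responder URL embedded in the client certificate.
ocsp_uri() {
  openssl x509 -in client.pem -noout -ocsp_uri
}

# Verify client.pem against a trust-anchor file ($1), optionally with a
# file of untrusted intermediates ($2). Exit status is openssl's verdict.
verify_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1
  fi
}

# Same check, reported as a word so the result is easy to compare.
chain_status() {
  if verify_client "$@"; then echo trusted; else echo untrusted; fi
}

# Build (but do not send) the OCSP request a revocation check would issue.
build_ocsp_request() {
  openssl ocsp -issuer sub.pem -cert client.pem -no_nonce \
    -reqout ocsp-req.der >/dev/null 2>&1
}

echo "OCSP URL in client cert:               $(ocsp_uri)"
echo "subCA alone as trust anchor:           $(chain_status sub.pem)"
echo "root trusted, subCA missing:           $(chain_status root.pem)"
echo "root trusted, subCA as intermediate:   $(chain_status root.pem sub.pem)"
echo "root and subCA both in trust file:     $(chain_status chain.pem)"
build_ocsp_request && echo "OCSP request written to $WORK/ocsp-req.der"
```

The second and third lines of output are the two ways a verifier reports "not trusted" on an otherwise well-formed chain: a subordinate CA certificate on its own is never a trust anchor, because the verifier keeps walking up to its issuer and finds nothing self-signed it trusts; and a trusted root with no copy of the subordinate certificate cannot link the device certificate to that root at all. Only the last two cases succeed, which is the general rule any EAP-TLS authenticator follows, whichever product sits behind the RADIUS port. The OCSP request file is what the authenticator would POST to the URL printed on the first line once revocation checking is turned on; `openssl ocsp -reqin ocsp-req.der -text` shows the serial and issuer hashes it contains.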