New Contributor

Onboard - TLS Issues, User not found

Clearpass VA (ESXi) with Onboarding version 6.6.5.93747

So trying to set up onboarding using a single SSID.

I have used the wizard to create the necessary services and policies.

I have then created the necessary networks, CA Server and onboarding profiles.

I have modified the pre-provisioning Enforcement profile to allow me to authenticate to AD for the PEAP portion of the process.

I have then tested this with a Windows 10 machine; the PEAP works fine and I can get to the onboarding page and download the software. I can run the software and get a Certificate installed (under the user's Certificate store) and the computer gets configured to then connect using TLS.

But the TLS authentication fails with the error message:

Error Code: 201
Error Category: Authentication failure
Error Message: User not found
 Alerts for this Request  
RADIUS
[Onboard Devices Repository] - localhost: User not found.
[Guest User Repository] - localhost: User not found.
EAP-TLS: Authentication failure, unknown user

 

I have looked under Onboard and the user is registered and the device is registered as well.

What am I missing...

Guru Elite

Re: Onboard - TLS Issues, User not found

Make sure your identity store is added as an authentication source.

 

Also, dual SSID onboarding is recommended in most cases.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Onboard - TLS Issues, User not found

I've got this exact issue, did you manage to solve it?

Daniel F
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Contributor II

Re: Onboard - TLS Issues, User not found

Anyone got any tips?

My computer I'm testing with doesn't get connected. Access Tracker shows error code 201 "User not found".

But I managed to onboard an iPhone. Problem is auth. source shows Active Directory instead of Onboard database.

Service has auth sources: onboard database, active directory, and a mac-list (in that order)

Very strange...

Daniel F
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Contributor II

Re: Onboard - TLS Issues, User not found

OK, so I managed to get my computer to work also by adding user name strip :/

But auth source in Access Tracker shows AD as source...

But if I revoke the cert I get denied. So is this how it should be by design? I thought onboard database would show as source.

How does your Access Tracker look for onboarded devices?

Am I missing something?

 

Daniel F
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Guru Elite

Re: Onboard - TLS Issues, User not found

The only authentication source that should be defined would be your identity store (Active Directory).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Onboard - TLS Issues, User not found

OK, so devices are actually not authenticated against the onboard database. The certificate is the mechanism controlling the access for them?

So should I need to strip /:user to actually make this work? Can't remember having this in there before and it has worked before.

Daniel F
ACMP | ACCP | HP ATP - FlexNetwork Solutions
Guru Elite

Re: Onboard - TLS Issues, User not found

All the certificate does is replace the user password. The user is still authorized against the identity store.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Onboard - TLS Issues, User not found

Great thanks, now I understand the process better.

Daniel F
ACMP | ACCP | HP ATP - FlexNetwork Solutions