Occasional Contributor II
Posts: 19
Registered: ‎05-01-2017

Onboard and ADCS - Client can't connect

Hi:

I’m trying to get Onboard working with ADCS.

I’ve followed the instructions in the user guide about setting up Onboard as an Intermediate CA to ADCS: created a CSR, retrieved a certificate from ADCS, and installed the chain in Onboard.

I’ve also followed the directions in the ADCS Tech note.

Basically, everything works until the very last step.

The initial Provisioning with EAP-PEAP, Pre-Auth, Downloading Quickconnect, and Auth all work fine.

After the wireless profile is configured, the user hits the button to connect and it eventually times out. A second Provisioning service hit does not appear in Clearpass.

A certificate is being issued by ADCS, so all the weblogin setup as the user is working from Clearpass to ADCS. That same certificate appears on Onboard, and also in the user’s Personal certificate store.

But when I click to connect to the WLAN, I just get an error on the client.

Not seeing any service hit in Clearpass is confusing to me. Does that mean the client is never sending an EAPOL-Start?

If I use this same setup with Onboard as a root CA (no ADCS integration), everything works fine.

Thoughts?

Thank you.

Occasional Contributor II
Posts: 19
Registered: ‎05-01-2017

Re: Onboard and ADCS - Client can't connect

More info:...


Zeke wrote:

Hi:

I’m trying to get Onboard working with ADCS.

I’ve followed the instructions in the user guide about setting up Onboard as an Intermediate CA to ADCS: created a CSR, retrieved a certificate from ADCS, and installed the chain in Onboard.

I’ve also followed the directions in the ADCS Tech note.

Basically, everything works until the very last step.

The initial Provisioning with EAP-PEAP, Pre-Auth, Downloading Quickconnect, and Auth all work fine.

After the wireless profile is configured, the user hits the button to connect and it eventually times out. A second Provisioning service hit does not appear in Clearpass.

A certificate is being issued by ADCS, so all the weblogin setup as the user is working from Clearpass to ADCS. That same certificate appears on Onboard, and also in the user’s Personal certificate store.

But when I click to connect to the WLAN, I just get an error on the client.

Not seeing any service hit in Clearpass is confusing to me. Does that mean the client is never sending an EAPOL-Start?

If I use this same setup with Onboard as a root CA (no ADCS integration), everything works fine.

Thoughts?

Thank you.


I discovered the magic of 'show auth-tracebuf' on the Aruba controller.

After running the Quickconnect install, when I try to connect the client, using EAP-TLS, all I see is this rather terse exchange:

station-up
eap-id-req
station-down

Keep in mind the exact same controller config works when Clearpass is the root CA.

What could be causing this?

Thank you.

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: Onboard and ADCS - Client can't connect

Are you seeing this behavior on multiple platforms?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎05-01-2017

Re: Onboard and ADCS - Client can't connect

Right now I've only got one test machine that I can fully play with, but I'm hoping to get another one soon.

I'm beginning to think the problem must be in the certificate issued from ADCS.

What field on the certificate is used as the username when authenticating to CPPM? Is it the CN in the subject field?

A CPPM issued cert has the Subject CN in a format like 'bsmith'.

In the cert that doesn't work, the Subject CN is listed as 'Bob Smith'.

That's never going to work.

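An added check that is not from the thread: the script below uses openssl to build two constructed client certificates, one with the Subject CN format the post says CPPM issues ('bsmith') and one with the ADCS format reported here ('Bob Smith'), reads the CN back from each file the way a RADIUS policy would see it, and flags CNs that cannot serve as a login name. The temp directory, file names and the throwaway test CA are assumptions.

```shell
#!/bin/sh
# Added example: build constructed client certs and inspect the Subject CN.
# Requires openssl; paths under $WORK are assumptions, not from the thread.
set -eu

WORK="$(mktemp -d)"

# Constructed test CA (stands in for the ADCS-issued signing chain).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Test Issuing CA" 2>/dev/null

# issue_client NAME CN SERIAL: sign a client cert with the given Subject CN.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# Two constructed certs: the CN format CPPM issues vs. the one seen from ADCS.
issue_client good bsmith 1
issue_client bad "Bob Smith" 2

# cert_cn FILE: print the Subject CN exactly as stored in the certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject= *//' -e 's/^.*CN=//' -e 's/,.*$//'
}

# cn_is_username CN: succeed only when the CN looks like a login name
# (no whitespace), the format the thread says a CPPM-issued cert carries.
cn_is_username() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

for f in good bad; do
  cn="$(cert_cn "$WORK/$f.pem")"
  if cn_is_username "$cn"; then
    echo "$f.pem: CN='$cn' is usable as a username"
  else
    echo "$f.pem: CN='$cn' contains whitespace and will not match a login name"
  fi
done
```

Run the same cert_cn check against a certificate exported from the Windows Personal store to confirm which CN value ADCS actually put in it.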

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: Onboard and ADCS - Client can't connect

Try deleting the network profile then manually selecting the certificate when you reconnect.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎05-01-2017

Re: Onboard and ADCS - Client can't connect

I'm not sure I understand. When I delete the wireless network profile, the device tries to use EAP-MSCHAPv2.

Interestingly though, I'm now at least seeing timeouts in Clearpass.

For those timed out sessions, the authentication method is showing as just "EAP". So for some reason, the client is not attempting EAP-TLS.

Guru Elite
Posts: 8,798
Registered: ‎09-08-2010

Re: Onboard and ADCS - Client can't connect

Which EAP methods are enabled in your service and in what order?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎05-01-2017

Re: Onboard and ADCS - Client can't connect

For those of you eagerly awaiting the next episode of this thread, your wait is over!

I finally got a Windows 10 machine to play with, and was having mixed results. The certificate was not properly installing.

So I decided to download the cert from Clearpass and install it myself.

I still could not connect. In this rare instance, Windows 10 actually provides more information than Windows 7, as it told me that I had no certificate.

So I believe there is something wrong with the certificate being issued from ADCS.

That project is temporarily on hold, but I will circle back to this thread when I resume it.

Thank you.
