Contributor I

Onboard and ADCS - Client can't connect

Hi:

I’m trying to get Onboard working with ADCS.

I’ve followed the instructions in the user guide about setting up Onboard as an Intermediate CA to ADCS: I created a CSR, retrieved a certificate from ADCS, and installed the chain in Onboard.

I’ve also followed the directions in the ADCS Tech note.

Basically, everything works until the very last step.

The initial Provisioning with EAP-PEAP, Pre-Auth, Downloading Quickconnect, and Auth all work fine.

After the wireless profile is configured, the user hits the button to connect and it eventually times out. A second Provisioning service hit does not appear in Clearpass.

A certificate is being issued by ADCS, so all the weblogin setup as the user is working from Clearpass to ADCS. That same certificate appears on Onboard, and also in the user’s Personal Certificate store.

But when I click to connect to the WLAN, I just get an error on the client.

Not seeing any service hit in Clearpass is confusing to me. Does that mean the client is never sending an EAPOL START?

If I use this same setup with Onboard as a root CA (no ADCS integration), everything works fine.

Thoughts?

Thank you.

Contributor I

Re: Onboard and ADCS - Client can't connect

More info:...



I discovered the magic of 'show auth-tracebuf' on the Aruba controller.

After running the Quickconnect install, when I try to connect the client, using EAP-TLS, all I see is this rather terse exchange:

station-up
eap-id-req
station-down

Keep in mind the exact same controller config works when Clearpass is the root CA.

What could be causing this?

Thank you.

Guru Elite

Re: Onboard and ADCS - Client can't connect

Are you seeing this behavior on multiple platforms?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Onboard and ADCS - Client can't connect

Right now I've only got one test machine that I can fully play with, but I'm hoping to get another one soon.

I'm beginning to think the problem must be in the certificate issued from ADCS.

What field on the certificate is used as the username when authenticating to CPPM? Is it the CN in the subject field?

A CPPM issued cert has the Subject CN in a format like 'bsmith'.

In the cert that doesn't work, the Subject CN is listed as 'Bob Smith'.

That's never going to work.

Guru Elite

Re: Onboard and ADCS - Client can't connect

Try deleting the network profile then manually selecting the certificate when you reconnect.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Onboard and ADCS - Client can't connect

I'm not sure I understand. When I delete the wireless network profile, the device tries to use EAP-MSCHAPv2.

Interestingly though, I'm now at least seeing timeouts in Clearpass.

For those timed out sessions, the authentication method is showing as just "EAP". So for some reason, the client is not attempting EAP-TLS.

Guru Elite

Re: Onboard and ADCS - Client can't connect

Which EAP methods are enabled in your service and in what order?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Onboard and ADCS - Client can't connect

For those of you eagerly awaiting the next episode of this thread, your wait is over!

I finally got a Windows 10 machine to play with, and was having mixed results. The certificate was not properly installing.

So I decided to download the cert from Clearpass and install it myself.

I still could not connect. In this rare instance, Windows 10 actually provides more information than Windows 7, as it told me that I had no certificate.

So I believe there is something wrong with the certificate being issued from ADCS.

That project is temporarily on hold, but I will circle back to this thread when I resume it.

Thank you.

Contributor I

Re: Onboard and ADCS - Client can't connect

For those of you who’ve been hitting refresh on this page for the last 3 months, I’ve finally had time to take another look at this project.

I installed certificates using Windows GPO, following Microsoft’s Technet guides, and EAP-TLS now works beautifully. I examined the certificate that installed via GPO, and it had the message “You have a private key that corresponds to this certificate.” This is a good thing.

However, certificates that I had manually requested from the CA’s /certsrv website, or via Onboard as an intermediate CA, did not have this message.

So if your EAP exchange times out, check that your certificate on the device has a corresponding private key!

Any ideas why the other certs wouldn’t have the private key? Maybe a certificate template problem in Windows?
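A scripted version of the check described in this post, and of the earlier question about which certificate field carries the identity, as an added example that is not from the thread, from Aruba or from Microsoft: the PowerShell below walks the user's Personal store on the Windows client and reports, for each certificate, whether it has a private key, whether it carries the Client Authentication EKU, and what its Subject CN and Subject Alternative Name contain, so those values can be compared with what ClearPass displays as the username. It assumes it is run as the onboarded user; the store path and the verdict strings are this example's own choices.

```powershell
# Added example, not from the thread: audit EAP-TLS candidate certificates in the
# current user's Personal store. Assumes it runs as the onboarded user on the client.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-EapTlsCertificateReport {
    param(
        # CurrentUser\My is the "Personal" store referred to in the thread
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # A supplicant only offers certificates whose EKU includes Client Authentication
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = [bool] ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }

        # SAN text; Windows user certificates typically carry the UPN here
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }

        # Subject CN only, without the rest of the distinguished name
        $nameType  = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $subjectCn = $cert.GetNameInfo($nameType, $false)
        $issuerCn  = $cert.GetNameInfo($nameType, $true)

        # Without a private key the client cannot sign the EAP-TLS CertificateVerify
        # message, so the exchange never completes; that matches the timeout in the thread.
        $verdict = 'usable for EAP-TLS'
        if (-not $cert.HasPrivateKey) { $verdict = 'NO PRIVATE KEY' }
        elseif (-not $hasClientAuth) { $verdict = 'missing Client Authentication EKU' }
        elseif ($cert.NotAfter -lt (Get-Date)) { $verdict = 'expired' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            SubjectCN     = $subjectCn
            SAN           = $sanText
            Issuer        = $issuerCn
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            Verdict       = $verdict
        }
    }
}

# Show the report with problem certificates first
Get-EapTlsCertificateReport | Sort-Object HasPrivateKey, ClientAuthEKU | Format-Table -AutoSize
```

A certificate installed without its key shows HasPrivateKey as False, which is the same condition the certificate viewer reports by omitting the "You have a private key that corresponds to this certificate" line. Comparing the SubjectCN and SAN columns with the username ClearPass logs for the session shows which field the service is actually matching on.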