Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

  • 1.  Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

    Posted Oct 21, 2015 03:28 AM

    Dear all,

     

    We have ClearPass 6.5 and an Aruba controller.

    We have set up two SSIDs, one for Onboard provisioning and one for BYOD connection.

    The clients are provisioned in the GUEST SSID, and thereafter they should connect on the BYOD SSID. After successful provisioning, all attempts to connect to the BYOD net fail and the tracker alert log states:

     

    Error Code:  204
    Error Category:  Authentication failure
    Error Message:  Failed to classify request to service
    Alerts for this Request 
    RADIUS Service Categorization failed 
     

    Where do I start troubleshooting?

    Has anyone got a similar set up and could share how they got it working?

    I have tried to search in the archives, but have not found any posts that could be of help.

    Most grateful for your feedback.

     

    Thanks

     

    Peter

     



  • 2.  RE: Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

    EMPLOYEE
    Posted Oct 21, 2015 03:59 AM
    It means that your 802.1x service is not being triggered. You might not have the correct SSID name in the service, or it's not created.


  • 3.  RE: Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

    Posted Oct 21, 2015 04:13 AM

    Many thanks for your response.

    I have this service created, which I thought would do it??

     

    Name:  OnBoard-BYOD Onboard Provisioning
    Description:  802.1X wireless access service authenticating users prior to device provisioning with Onboard, and after device provisioning is complete
    Type:  Aruba 802.1X Wireless
    Status:  Enabled
    Monitor Mode:  Disabled
    More Options:  -
    Service Rule Match ALL of the following conditions:
       Type  Name  Operator  Value 
    1.  Radius:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)
    2.  Radius:IETF Service-Type BELONGS_TO Login-User (1)
    3.  Radius:Aruba Aruba-Essid-Name EXISTS  
     

    Perhaps someone can spot where I am going wrong?

    Many thanks!

     

    Peter



  • 4.  RE: Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

    Posted Oct 21, 2015 09:22 AM

    Usually, when I'm getting failed service categorizations, I look at the incoming access tracker record and match my service with what is coming in on the RADIUS request. So for instance, if the Login-User attribute is not set (which I suspect is what's happening here), I add an attribute that is set in the RADIUS request to your second 'BELONGS-TO' rule. Also, I always set the ESSID to the actual BYOD SSID name, then I can be sure incoming requests on that SSID always hit this rule.
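
Added example, not part of the thread and not ClearPass code: a simplified Python model of "match ALL" service rules that reports which condition a request fails, which is the comparison described in the post above. The request values, the revised service, and the SSID placeholder are constructed assumptions; real values come from the Access Tracker record.

```python
# Simplified model of "match ALL" service rules; not ClearPass's own code.
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "BELONGS_TO": lambda actual, expected: actual in expected,
    "EXISTS": lambda actual, expected: True,
}

def failed_conditions(service, request):
    """Return (attr, op, expected, actual) for every rule the request fails."""
    failures = []
    for attr, op, expected in service["rules"]:
        actual = request.get(attr)  # None means the attribute was not sent
        if actual is None or not OPERATORS[op](actual, expected):
            failures.append((attr, op, expected, actual))
    return failures

def categorize(services, request):
    """Name of the first service whose rules all match, else None (error 204)."""
    for service in services:
        if not failed_conditions(service, request):
            return service["name"]
    return None

NAS_WIRELESS = ("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11 (19)")
# Rules as posted in the thread.
POSTED = {"name": "OnBoard-BYOD Onboard Provisioning", "rules": [
    NAS_WIRELESS,
    ("Radius:IETF:Service-Type", "BELONGS_TO", {"Login-User (1)"}),
    ("Radius:Aruba:Aruba-Essid-Name", "EXISTS", None),
]}
# Hypothetical revision: wider Service-Type set, ESSID pinned to a placeholder name.
REVISED = {"name": "BYOD-8021X-revised (hypothetical)", "rules": [
    NAS_WIRELESS,
    ("Radius:IETF:Service-Type", "BELONGS_TO", {"Login-User (1)", "Framed-User (2)"}),
    ("Radius:Aruba:Aruba-Essid-Name", "EQUALS", "BYOD-SSID-PLACEHOLDER"),
]}
# Constructed request; real values come from the Access Tracker record.
SAMPLE_REQUEST = {
    "Radius:IETF:NAS-Port-Type": "Wireless-802.11 (19)",
    "Radius:IETF:Service-Type": "Framed-User (2)",
    "Radius:Aruba:Aruba-Essid-Name": "BYOD-SSID-PLACEHOLDER",
}

if __name__ == "__main__":
    for attr, op, expected, actual in failed_conditions(POSTED, SAMPLE_REQUEST):
        print(f"no match: {attr} {op} {expected!r}, request sent {actual!r}")
    print("posted only:", categorize([POSTED], SAMPLE_REQUEST))
    print("with revision:", categorize([POSTED, REVISED], SAMPLE_REQUEST))
```

Pinning the ESSID with EQUALS also keeps requests from the provisioning SSID out of the BYOD service, so each SSID is handled by the policy written for it.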



  • 5.  RE: Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

    Posted Oct 25, 2015 10:33 AM

    Thanks for your response Davey,

     

    After following your lead, I managed to get the onboard working for the iPad client, but the Windows 8.1 client returns the following error???

     

    Error Code:  215
    Error Category:  Authentication failure
    Error Message:  TLS session error
    Alerts for this Request
    RADIUS EAP-PEAP: fatal alert by client - access_denied
    TLS session reuse error
     

     

    Regards Peter



  • 6.  RE: Onboard connection to BYOD SSID fails after provisioning in GUEST SSID

    Posted Oct 27, 2015 05:32 AM

    It sounds like your Win8.1 device is trying to AuthN using either machine or user creds and is not getting past the first step of trusting the server cert being presented to it by CPPM. Make sure you have the certificate chain of the server cert installed on the Win8.1 device and you are trusting the server cert if prompted to do so after connecting to the SSID.