Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Onboard provisioning can not be performed at this host address - Error

Hello All,

 

We had set up Onboard Provisioning on CPPM 6.0.2 a few weeks back and this was working just fine. However, please note that we are not utilizing a Commercial Certificate. We are instead utilizing Microsoft Active Directory as a Root CA as we are only Onboarding Windows PCs that are members of the Domain in Active Directory.

 

However, when we upgraded to CPPM 6.1.0 a few days back, Onboarding stopped working. Any time we attempt to connect to the SSID created for Onboarding, we get a redirect (designed this way) to a Web Page using HTTPS and then we now get the error launched on the Web Page saying "Onboard provisioning can not be performed at this host address".

 

However, if we modify CPPM by unchecking the option to use HTTPS, we get the Web Login page come up just fine.

 

Don't know what could be wrong at this point. This was working just fine before we upgraded.

 

Any ideas anyone?

 

 

Super Contributor II
Posts: 372
Registered: ‎09-05-2012

Re: Onboard provisioning can not be performed at this host address - Error


Were you able to figure this out?

I am having the exact same issue.

 

I have a test CPPM VM setup running version 6.1.0.24441

I set up a test device provisioning page.

I have uploaded our commercial cert as the CPPM server certificate.

 

Under ClearPass Onboard > Onboard > Provisioning Settings >

 When I click on "Test" on the test Provisioning Settings profile I setup I get

"Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator."


I did what eosuorah suggested and disabled the HTTPS requirement and it allows me to access the page.

Is there something I am missing?

 

I don't recall encountering this issue under 6.0.2.x

 


This is from the Application Log:

Client:    192.168.15.254:60945
Script:    /guest/device_provisioning2.php
Function:  
Arguments: array (
  'error' => 1,
  'message' => 'Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator.',
  'disable_login' => true,
)
Details:   array (
  'host' => 'cppm.testserver.com',
  'common_name' => '*.testserver.com',
Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Onboard provisioning can not be performed at this host address - Error

Hi Bourne,

 

Now I'm a bit concerned based on your response below. I haven't installed a Commercial Certificate as of yet.

 

I intend to do that in a few weeks. But it seems, you installed a Commercial Certificate and you are still having the issue.

 

Now, that's definitely a concern if the Commercial Certificate doesn't resolve the issue. I was told by Aruba that a Commercial SSL Certificate should fix this problem.

 

 

 

 

bourne wrote:

Were you able to figure this out?

I am having the exact same issue.

 

I have a test CPPM VM setup running version 6.1.0.24441

I set up a test device provisioning page.

I have uploaded our commercial cert as the CPPM server certificate.

 

Under ClearPass Onboard > Onboard > Provisioning Settings >

 When I click on "Test" on the test Provisioning Settings profile I setup I get

"Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator."


I did what eosuorah suggested and disabled the HTTPS requirement and it allows me to access the page.

Is there something I am missing?

 

I don't recall encountering this issue under 6.0.2.x

 


This is from the Application Log:

Client:    192.168.15.254:60945
Script:    /guest/device_provisioning2.php
Function:  
Arguments: array (
  'error' => 1,
  'message' => 'Onboard provisioning can not be performed at this host address. If you were redirected here, please contact a network administrator.',
  'disable_login' => true,
)
Details:   array (
  'host' => 'cppm.testserver.com',
  'common_name' => '*.testserver.com',

 

Super Contributor II
Posts: 372
Registered: ‎09-05-2012

Re: Onboard provisioning can not be performed at this host address - Error

Hey eosuorah,

 

So you did talk with Aruba directly about this issue?

I was thinking about calling them as well because I am stumped on this issue.

 

We have installed a commercial cert as I mentioned. It is a Go Daddy cert with Unlimited Sub domains.

 

I suspect that perhaps from the ClearPass Onboarding side of things the certificate is messed up somehow.

 

There must be something wrong with the config though because I have seen other posts related to Onboarding under 6.1.0.x and no one else has reported this issue. 

 

Based on the technotes and looking at the interface the Onboarding portion of the CPPM underwent a major overhaul.

 

Hopefully someone can shed some light on this. Are you still working with the option for HTTPS turned off?

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Onboard provisioning can not be performed at this host address - Error

At this point, the CPPM is not in production as of yet.

 

And yes I actually do have a Ticket opened with Aruba on this issue. However, I am waiting on the Customer in order to load the Commercial Certificate. And we are looking at using GoDaddy as well.

 

I was told that security was beefed up on CPPM Version 6.1. Didn't have this issue on Version 6.0.1 and yet, I was using Microsoft Active Directory as the Certificate Authority.

 

Please keep me updated on your outcome if you get it to work. I will also keep you posted too.

 

This is quite strange though.

Super Contributor II
Posts: 372
Registered: ‎09-05-2012

Re: Onboard provisioning can not be performed at this host address - Error


Oh that is good it isn't in production!

 

I definitely believe that security was beefed up. I was pretty shocked the first time I looked at the Onboarding section in the new version of CPPM.

 

Go Daddy should work well. I had it set up in a test environment under CPPM version 6.0.1 and it worked like a champ. Solved all the issues we were having with Onboarding Apple devices when the require HTTPS option is enabled.

 

And yeah I haven't had any issues either with Onboarding under any of the previous versions. Even under 3.9 CP Guest & Onboard.

 

I will keep you posted though if I find something.

And if you hear back on your ticket that would be awesome if you could pass along the information

 

Thank you!

 

Cheers

 

================================

 

Sorry one other question.

Under ClearPass Onboard > Onboard > Provisioning Settings

 If you click one of the profiles (sorry not sure what else to call them) there is an option to click "Test" to test the weblogin page.

I was curious what the resulting URL is?

 

For me it does something weird when "Require HTTPS" is enabled. Instead of filling in the name of the cppm or the ip address it simply puts a *

  Something like this: http://*.domainname.com/onboard/device_provisioning2.php

 

I'm assuming it is doing this because of how our commercial cert is set up?

If I replace the * with the name of the CPPM that is when I receive the error mentioned previously.

 

If the option for "Require HTTPS" is off then the IP of the CPPM Management port is filled in where the star was. Which is similar behavior to version 6.0.2 

 

I doubt it matters but I just thought I would mention it and ask about it.

 

Regular Contributor II
Posts: 232
Registered: ‎03-14-2012

Re: Onboard provisioning can not be performed at this host address - Error

Actually when I hit the "Test" button, I don't get that "*" you seem to notice. I get the full error message.

 

However, I haven't loaded any commercial certificates as of yet. So maybe that's why.

 

I will for sure keep you posted.

Super Contributor II
Posts: 372
Registered: ‎09-05-2012

Re: Onboard provisioning can not be performed at this host address - Error

Thanks for checking!

 

Will keep you posted as well. Going through the release notes now for 6.1.0 to see if there is something that stands out.

 

Cheers

Aruba
Posts: 1,534
Registered: ‎06-12-2012

Re: Onboard provisioning can not be performed at this host address - Error

In 6.1 we do a full name comparison on the certificate and if you have either an IP or a FQDN and they don't match what CPPM expects you will get the error. If you install a commercial cert you will not get that error unless the name format does not match.

 

Example:

Onboard: cplab.clearpassdemo.com
Cert:    cplab.clearpassdemo.com        ---- GOOD

Onboard: cplab.clearpassdemo.com
Cert:    CPlab.clearpassdemo.com        ---- BAD

Onboard: cplab.clearpassdemo.com
Cert:    cplab.clearpassdemo.com:8081   ---- BAD

 

The patch coming out in the next couple of weeks will allow you to use different capitalizations or add a port for NATing.

 

Thank You,
Troy

Super Contributor II
Posts: 372
Registered: ‎09-05-2012

Re: Onboard provisioning can not be performed at this host address - Error


Hi,

 

Our commercial cert supports multiple sub domains.

So our cert when it gets installed shows as *.ourdomain.com

 

On my test CPPM under Onboard I setup a new Root CA for testing. Is it the common name of the certs it is checking?

 

Is there a log that we can check that will show this?

 

Sorry I am having a bit of a hard time wrapping my head around what exactly is causing the issue

 

===========================================

 

Okay I just confirmed it.

I redid the certificate on the Policy Manager. I set the CN to equal that of the hostname of the server as well as the DNS name we are using. I can now get the Onboard page using HTTPS.

 

So Aruba is no longer supporting commercial certs that are setup for multiple subdomains? i.e. *.ourdomain.com?

 

This is definitely going to be a problem for us!
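
The name comparison discussed in this thread, as an added example that is not part of any post and is not ClearPass code: it models the exact-string check described in the Aruba reply and contrasts it with browser-style wildcard matching, which explains why a `*.domain` certificate that browsers accept still triggers the error. The function names are hypothetical and the test names are the ones quoted in the thread.

```python
# Added example: models the comparison described in this thread; not ClearPass code.

def strict_match(onboard_host: str, cert_name: str) -> bool:
    """Full-name comparison as described for 6.1: the strings must be identical."""
    return onboard_host == cert_name


def wildcard_match(host: str, cert_name: str) -> bool:
    """Browser-style match: '*' may stand in for the left-most label only."""
    host_labels = host.lower().split(".")
    cert_labels = cert_name.lower().split(".")
    if len(host_labels) != len(cert_labels):
        return False
    if cert_labels[0] == "*":
        return host_labels[1:] == cert_labels[1:]
    return host_labels == cert_labels


def diagnose(onboard_host: str, cert_name: str) -> str:
    """Explain why a certificate name passes or fails the strict comparison."""
    if strict_match(onboard_host, cert_name):
        return "GOOD"
    if onboard_host.lower() == cert_name.lower():
        return "BAD: capitalization differs"
    name, sep, port = cert_name.rpartition(":")
    if sep and port.isdigit() and name.lower() == onboard_host.lower():
        return "BAD: certificate name carries a port"
    if cert_name.startswith("*.") and wildcard_match(onboard_host, cert_name):
        return "BAD: wildcard name, valid for browsers but not an exact match"
    return "BAD: different name"


# Constructed cases using the host and certificate names quoted in the thread.
CASES = [
    ("cplab.clearpassdemo.com", "cplab.clearpassdemo.com"),
    ("cplab.clearpassdemo.com", "CPlab.clearpassdemo.com"),
    ("cplab.clearpassdemo.com", "cplab.clearpassdemo.com:8081"),
    ("cppm.testserver.com", "*.testserver.com"),
]

if __name__ == "__main__":
    for host, cert in CASES:
        print(f"Onboard: {host:26} Cert: {cert:30} {diagnose(host, cert)}")
```

Running the same check against the CN of the installed server certificate before upgrading shows in advance whether the Onboard hostname will pass the stricter comparison.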
