Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboarded Devices experiencing issues connecting

  • 1.  Onboarded Devices experiencing issues connecting

    Posted Oct 12, 2016 02:24 PM

    Hi,

    I came in this morning and checked the CPPM and saw that all the smart devices at one of our branch offices are experiencing issues connecting. All our laptops and desktops that are wireless are still connecting okay. They use EAP-PEAP and EAP-MSCHAPv2 to authenticate.

    The smart devices have already been Onboarded and are throwing out the following errors:

    Alerts for this Request  
    RADIUS	Invalid Status times in OCSP response
    EAP-TLS: fatal alert by server - certificate_unknown
    eap-tls: Error in establishing TLS session

    The branch office in question has a subscriber CPPM that all the radius requests go to. None of our other offices appear to be experiencing this issue.

    Any ideas what might be causing this?

    Because the error mentions "Status times", I checked the time on both the controller and subscriber CPPM and verified that the time on these devices is correct.

    I also did a "show auth-tracebuf mac ..." on a device exhibiting the behavior. From the log I am seeing:

    • dot1x-timeout -> server timeout
    • dot1x-timeout -> station timeout

    I am also seeing the rad-reject and eap-failure messages. Not sure if this will help to diagnose what is causing this behavior.

    Cheers



  • 2.  RE: Onboarded Devices experiencing issues connecting

    EMPLOYEE
    Posted Oct 13, 2016 07:23 AM

    I would double-check the clock on all ClearPass publishers and subscribers.

    From the logs, it seems an issue with OCSP. Please check the OCSP URL that is in your Onboard CA (check details of the CA):

    [Screenshot: Onboard > Certificate Authorities, CA details showing the OCSP URL]

    Is the URL posted there accessible from the subscriber?

    In the case that you only use Onboard certificates you can override the URL in the TLS Authentication Method:

    [Screenshot: ClearPass Policy Manager, EAP-TLS authentication method with the OCSP URL override]

    In the URL make sure it starts with http://127.0.0.1; you cannot see that in the screenshot because it scrolled.

    Best practice in Onboard is that you set the OCSP URL to the local system (127.0.0.1) to avoid network dependencies during validation.

    If it is set up like this, and clocks are in sync, please contact Aruba TAC as I think it is unlikely that it can be answered on the forum with the available information.



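The employee's two checks above, node clocks and the OCSP status-time window, as an added example in Python that is not part of this thread and is not ClearPass code. It models the check an OCSP client performs under RFC 6960 section 4.2.2.1 (thisUpdate must not lie in the future, nextUpdate must not lie in the past) against constructed timestamps. The 60-second skew tolerance, the node names, and the assumption that the lagging subscriber is five minutes slow rather than fast are all assumptions; the last function models, rather than documents, why pointing the OCSP URL at http://127.0.0.1 sidesteps the skew: the responder that stamps thisUpdate and the node that validates it then share one clock.

```python
"""Model of the OCSP status-time check that fails on a skewed clock.

Added example, not code from this thread or from HPE Aruba ClearPass.
Timestamps, node names and the skew tolerance are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # OCSP encodes thisUpdate/nextUpdate as GeneralizedTime (UTC)
MAX_SKEW = timedelta(seconds=60)      # assumed client tolerance, not a ClearPass value


def parse_generalized_time(value: str) -> datetime:
    """Parse an OCSP GeneralizedTime such as '20161013130928Z' into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


@dataclass
class SingleResponse:
    """The fields of an OCSP SingleResponse that matter for the time check."""
    cert_status: str                        # "good", "revoked" or "unknown"
    this_update: datetime                   # when the responder knew the status to be correct
    next_update: Optional[datetime] = None  # responders may omit it


def check_status_times(resp: SingleResponse, now: datetime,
                       max_skew: timedelta = MAX_SKEW) -> Tuple[bool, str]:
    """Apply RFC 6960 section 4.2.2.1 against the validating node's clock `now`.

    A responder with a correct clock looks wrong to a client whose clock lags
    by more than max_skew: its fresh thisUpdate appears to be in the future.
    """
    if resp.next_update is not None and resp.next_update < resp.this_update:
        return False, "nextUpdate precedes thisUpdate"
    if resp.this_update - now > max_skew:
        return False, "thisUpdate is in the future relative to the local clock"
    if resp.next_update is not None and now - resp.next_update > max_skew:
        return False, "nextUpdate is in the past; response is stale"
    return True, "ok"


def clock_offsets(readings: Dict[str, datetime], reference: datetime) -> Dict[str, float]:
    """Offset in seconds of each node's clock from a reference clock (positive = ahead)."""
    return {node: (t - reference).total_seconds() for node, t in readings.items()}


def nodes_out_of_tolerance(readings: Dict[str, datetime], reference: datetime,
                           tolerance: timedelta = MAX_SKEW) -> List[str]:
    """Nodes whose clock differs from the reference by more than the tolerance."""
    limit = tolerance.total_seconds()
    return sorted(n for n, off in clock_offsets(readings, reference).items() if abs(off) > limit)


def local_responder_check(node_now: datetime,
                          lifetime: timedelta = timedelta(days=1)) -> Tuple[bool, str]:
    """Model of the http://127.0.0.1 override: the node queries its own responder,
    so thisUpdate is stamped by the same clock that validates it."""
    resp = SingleResponse("good", node_now, node_now + lifetime)
    return check_status_times(resp, node_now)


if __name__ == "__main__":
    # Constructed scenario: the publisher's responder signs a fresh response at
    # 13:09:28 UTC; subscriber-a keeps good time, subscriber-b is five minutes slow.
    resp = SingleResponse("good",
                          parse_generalized_time("20161013130928Z"),
                          parse_generalized_time("20161014130928Z"))
    clocks = {
        "publisher": resp.this_update,
        "subscriber-a": resp.this_update + timedelta(seconds=2),
        "subscriber-b": resp.this_update - timedelta(minutes=5),
    }
    for node, now in clocks.items():
        ok, reason = check_status_times(resp, now)
        print(f"{node:13s} {'accept' if ok else 'reject'}: {reason}")
    print("clocks out of tolerance:", nodes_out_of_tolerance(clocks, clocks["publisher"]))
    print("subscriber-b via 127.0.0.1:", local_responder_check(clocks["subscriber-b"]))
```

Run it with `python3 ocsp_skew.py`: the node whose clock lags the responder by more than the tolerance is the one that rejects a fresh, correctly signed response, which matches the "Invalid Status times" alert quoted above. The override hides the skew from OCSP; it does not remove it, so the clock still needs fixing for certificate notBefore/notAfter checks and for correlating logs across nodes.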

  • 3.  RE: Onboarded Devices experiencing issues connecting

    Posted Oct 13, 2016 11:38 AM

    Thank you for your reply.

    I double checked the time on all of the publishers and subscribers.

    I noticed that the subscriber that is having issues is actually off by about 5 minutes. I checked the NTP settings and they are the same on all 3 of our servers. Is there a way that I can force the subscriber to contact the configured NTP servers to update the time?

    As for the configured URL, when I originally set up the Onboard CA in the CPPM I hardcoded the OCSP URL into the certificate. At the time, I didn't know about the OCSP URL override.

    Today, I modified the EAP-TLS auth method for the service that is handling the requests for the subscriber that is having issues. I modified it as you have it in the screenshot. The smart devices are now able to authenticate correctly.

    I am a little confused though as to what the actual issue is. Does this indicate that there is a communication issue between the publisher and the problematic subscriber? Or is it the time difference between the publisher and subscriber?