Super Contributor II
Posts: 390
Registered: 09-05-2012

Onboarded Devices experiencing issues connecting

Hi,


I came in this morning and checked the CPPM and saw that all the smartdevices at one of our branch offices are experiencing issues connecting. All our laptops and desktops that are wireless are still connecting okay. They use EAP-PEAP and EAP-MSCHAPv2 to authenticate.


The smartdevices have already been Onboarded and are throwing out the following errors:

Alerts for this Request  
RADIUS	Invalid Status times in OCSP response
EAP-TLS: fatal alert by server - certificate_unknown
eap-tls: Error in establishing TLS session

The branch office in question has a subscriber CPPM that all the radius requests go to. None of our other offices appear to be experiencing this issue.


Any ideas what might be causing this?

Because the error mentions "Status times", I checked the time on both the controller and subscriber CPPM and verified that the time on these devices is correct.


I also did a "show auth-tracebuf mac ..." on a device exhibiting the behavior. From the log I am seeing:

  • dot1x-timeout -> server timeout
  • dot1x-timeout -> station timeout

I am also seeing the rad-reject and eap-failure messages. Not sure if this will help to diagnose what is causing this behavior.


Cheers

MVP
Posts: 554
Registered: 11-04-2011

Re: Onboarded Devices experiencing issues connecting

I would double-check the clock on all ClearPass publishers and subscribers.


From the logs, it seems an issue with OCSP. Please check the OCSP URL that is in your Onboard CA (Check details of the CA):

[Screenshot: Certificate Authorities, showing the OCSP URL in the Onboard CA details]


Is the URL posted there accessible from the subscriber?

In the case that you only use Onboard certificates you can override the URL in the TLS Authentication Method:

[Screenshot: ClearPass Policy Manager, EAP-TLS authentication method with the OCSP URL override]

In the URL make sure it starts with http://127.0.0.1; you cannot see that in the screenshot because it scrolled.


Best practice in Onboard is that you set the OCSP URL to the local system (127.0.0.1) to avoid network dependencies during validation.


If it is set up like this, and clocks are in sync, please contact Aruba TAC as I think it is unlikely that it can be answered on the forum with the available information.


--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Super Contributor II
Posts: 390
Registered: 09-05-2012

Re: Onboarded Devices experiencing issues connecting

Thank you for your reply.

I double checked the time on all of the publishers and subscribers.


I noticed that the subscriber that is having issues is actually off by about 5 minutes. I checked the NTP settings and they are the same on all 3 of our servers. Is there a way that I can force the subscriber to contact the configured NTP servers to update the time?


As for the configured URL, when I originally set up the Onboard CA in the CPPM I hardcoded the OCSP URL into the certificate. At the time, I didn't know about the OCSP URL override.

Today, I modified the EAP-TLS auth method for the service that is handling the requests for the subscriber that is having issues. I modified it as you have it in the screenshot. The smartdevices are now able to authenticate correctly.


I am a little confused, though, as to what the actual issue is. Does this indicate that there is a communication issue between the publisher and the problematic subscriber? Or is it the time difference between the publisher and subscriber?
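An added example (not from the thread, and not ClearPass code) that reproduces the "Invalid Status times" failure mode discussed above: it applies the thisUpdate/nextUpdate checks an OCSP client makes (RFC 6960 section 4.2.2.1) to a constructed `openssl ocsp -resp_text` response, from the point of view of a subscriber whose clock is off by a given number of minutes. The one-minute skew tolerance and the ten-minute responder window are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Clock disagreement tolerated between the validating subscriber and the
# responder. Assumed value; ClearPass' own limit is not stated in the thread.
MAX_SKEW = timedelta(minutes=1)

def parse_openssl_time(text):
    """Parse a time as printed by `openssl ocsp -resp_text`
    ('Oct 13 13:09:28 2016 GMT') into an aware UTC datetime."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)

def check_status_times(this_update, next_update, now, max_skew=MAX_SKEW):
    """Checks an OCSP client applies to thisUpdate/nextUpdate (RFC 6960
    section 4.2.2.1), seen from a validator whose clock reads `now`."""
    if next_update is not None and next_update <= this_update:
        return False, "nextUpdate not after thisUpdate: malformed response"
    if this_update > now + max_skew:
        return False, "thisUpdate in the future: validator clock behind responder"
    if next_update is not None and next_update < now - max_skew:
        return False, "nextUpdate passed: stale response or validator clock ahead"
    return True, "status times acceptable"

def check_resp_text(resp_text, now, max_skew=MAX_SKEW):
    """Pull 'This Update'/'Next Update' out of `openssl ocsp -resp_text`
    output and run the checks; nextUpdate is optional in OCSP."""
    fields = {}
    for line in resp_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in ("This Update", "Next Update"):
            fields[key] = parse_openssl_time(value)
    return check_status_times(fields["This Update"], fields.get("Next Update"),
                              now, max_skew)

# Constructed sample (not a real capture): a fresh response from the Onboard
# responder with a ten-minute validity window, as openssl prints it.
SAMPLE_RESP_TEXT = """\
    Cert Status: good
    This Update: Oct 13 13:09:28 2016 GMT
    Next Update: Oct 13 13:19:28 2016 GMT
"""

def subscriber_verdict(skew_minutes):
    """Verdict a subscriber reaches on SAMPLE_RESP_TEXT when its clock is
    `skew_minutes` off from the responder at the time the response is made."""
    responder_now = parse_openssl_time("Oct 13 13:09:28 2016 GMT")
    local_now = responder_now + timedelta(minutes=skew_minutes)
    return check_resp_text(SAMPLE_RESP_TEXT, local_now)
```

`subscriber_verdict(-5)` reproduces the branch subscriber lagging five minutes: thisUpdate lands in its future and the response is rejected, while `subscriber_verdict(5)` still passes because the validity window has not expired, which is why a skew in one direction breaks authentication and the same skew in the other may go unnoticed.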
