10-12-2016 11:23 AM
I came in this morning and checked the CPPM and saw that all the smartdevices at one of our branch offices are experiencing issues connecting. All our laptops and desktops that are wireless are still connecting okay. They use EAP-PEAP and EAP-MSCHAPv2 to authenticate.
The smartdevices have already been Onboarded and are throwing out the following errors:
Alerts for this Request:
- RADIUS: Invalid Status times in OCSP response
- EAP-TLS: fatal alert by server - certificate_unknown
- eap-tls: Error in establishing TLS session
The branch office in question has a subscriber CPPM that all the radius requests go to. None of our other offices appear to be experiencing this issue.
Any ideas what might be causing this?
Because the error mentions "Status times", I checked the time on both the controller and subscriber CPPM and verified that the time on these devices is correct.
I also did a "show auth-tracebuf mac ..." on a device exhibiting the behavior. From the log I am seeing:
- dot1x-timeout -> server timeout
- dot1x-timeout -> station timeout
I am also seeing the rad-reject and eap-failure messages. Not sure if this will help to diagnose what is causing this behavior.
10-13-2016 04:22 AM
I would double-check the clock on all ClearPass publishers and subscribers.
From the logs, it seems to be an issue with OCSP. Please check the OCSP URL that is in your Onboard CA (check the details of the CA):
Is the URL posted there accessible from the subscriber?
In the case that you only use Onboard certificates you can override the URL in the TLS Authentication Method:
In the URL make sure it starts with http://127.0.0.1; you cannot see that in the screenshot because it scrolled.
Best practice in Onboard is that you set the OCSP URL to the local system (127.0.0.1) to avoid network dependencies during validation.
If it is set up like this, and clocks are in sync, please contact Aruba TAC, as I think it is unlikely that it can be answered on the forum with the available information.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
10-13-2016 08:37 AM
Thank you for your reply.
I double checked the time on all of the publishers and subscribers.
I noticed that the subscriber that is having issues is actually off by about 5 minutes. I checked the NTP settings and they are the same on all 3 of our servers. Is there a way that I can force the subscriber to contact the configured NTP servers to update the time?
As for the configured URL, when I originally set up the Onboard CA in the CPPM I hardcoded the OCSP URL into the certificate. At the time, I didn't know about the OCSP URL override.
Today, I modified the EAP-TLS auth method for the service that is handling the requests for the subscriber that is having issues. I modified it as you have it in the screenshot. The smartdevices are now able to authenticate correctly.
I am a little confused though as to what the actual issue is. Does this indicate that there is a communication issue between the publisher and the problematic subscriber? Or is it the time difference between the publisher and subscriber?
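The following is an added illustration, not code from the thread or from ClearPass, of why an "Invalid Status times in OCSP response" alert follows from a validator clock that is behind the responder's clock, and why pointing the validator at a responder on the same host (the 127.0.0.1 override the previous reply recommends) makes the skew irrelevant. It models the RFC 6960 client check that the validator's current time must fall between the response's thisUpdate and nextUpdate; the publisher time, the 5 minute offset, the one hour response validity window and the optional skew tolerance are all constructed values, and the `tolerance_minutes` knob is hypothetical rather than a documented ClearPass setting.

```python
"""Added example (not part of the forum thread): a model of the OCSP
thisUpdate/nextUpdate check a RADIUS server performs during EAP-TLS,
run against constructed timestamps. No network or real responder is used."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed "true" time on the publisher; the 11:23 matches the first post only by choice.
PUBLISHER_CLOCK = datetime(2016, 10, 12, 11, 23, tzinfo=timezone.utc)
RESPONSE_VALIDITY = timedelta(hours=1)  # constructed responder validity window


@dataclass(frozen=True)
class OcspSingleResponse:
    cert_status: str                  # "good", "revoked" or "unknown"
    this_update: datetime             # responder's assertion time, stamped with ITS clock
    next_update: Optional[datetime]   # when newer status information will be available


def build_response(responder_now: datetime, status: str = "good") -> OcspSingleResponse:
    """The responder stamps thisUpdate/nextUpdate from its own clock."""
    return OcspSingleResponse(status, responder_now, responder_now + RESPONSE_VALIDITY)


def check_status_times(resp: OcspSingleResponse, validator_now: datetime,
                       max_skew: timedelta = timedelta(0)) -> Tuple[bool, str]:
    """RFC 6960 section 4.2.2.1 client checks, relaxed by an optional skew tolerance:
    the validator's clock must not precede thisUpdate nor exceed nextUpdate."""
    if validator_now + max_skew < resp.this_update:
        return False, "thisUpdate is in the future: response not yet valid"
    if resp.next_update is not None and validator_now - max_skew > resp.next_update:
        return False, "nextUpdate has passed: response is stale"
    return True, "status times valid"


def validate(resp: OcspSingleResponse, validator_now: datetime,
             max_skew: timedelta = timedelta(0)) -> Tuple[str, str]:
    """Accept only a fresh response that reports the certificate as good."""
    ok, reason = check_status_times(resp, validator_now, max_skew)
    if not ok:
        return "reject", reason
    if resp.cert_status != "good":
        return "reject", f"certificate status is {resp.cert_status}"
    return "accept", reason


def simulate(subscriber_skew_minutes: int, ocsp_on_localhost: bool,
             tolerance_minutes: int = 0) -> Tuple[str, str]:
    """Publisher keeps true time; the subscriber's clock is off by subscriber_skew_minutes.
    With the OCSP URL pointing at the publisher, the response carries the publisher's
    clock; with the 127.0.0.1 override, the subscriber queries its own responder and the
    response carries the subscriber's (skewed) clock, so both sides always agree."""
    subscriber_clock = PUBLISHER_CLOCK + timedelta(minutes=subscriber_skew_minutes)
    responder_clock = subscriber_clock if ocsp_on_localhost else PUBLISHER_CLOCK
    resp = build_response(responder_clock)
    return validate(resp, subscriber_clock, timedelta(minutes=tolerance_minutes))


if __name__ == "__main__":
    cases = [
        ("clocks in sync, OCSP URL on publisher", 0, False, 0),
        ("subscriber 5 min behind, OCSP URL on publisher", -5, False, 0),
        ("subscriber 5 min behind, OCSP URL overridden to 127.0.0.1", -5, True, 0),
        ("subscriber 5 min ahead, OCSP URL on publisher", 5, False, 0),
        ("subscriber 5 min behind, hypothetical 5 min tolerance", -5, False, 5),
    ]
    for label, skew, local, tol in cases:
        verdict, reason = simulate(skew, local, tol)
        print(f"{label}: {verdict} ({reason})")
```

Only the second case rejects: the response's thisUpdate is five minutes in the subscriber's future, which is exactly the "Invalid Status times" condition. A subscriber that runs ahead still passes because the one hour window absorbs it, which is why this failure mode tends to appear on only one node and only in one direction of drift; fixing NTP on the subscriber removes the root cause, and the localhost override removes the cross-node dependency that exposed it.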