
Onboarded iOS devices not using onboard repository

Hi All,

Another ClearPass question from me...

I've got onboarding set up and tested it using iPads and Android devices. Both Android and iPad devices go through the onboarding process, reconnect and gain network access; however, the iPads don't appear to be using the onboard repository.

When an onboarded Android authenticates you can see the user in the format <ad username>:#:mdps_generic. I can see in the access tracker that its authentication source is [Onboard Devices Repository], and if I delete the device from the onboard device list, I'm prompted to re-onboard.

Now here's the issue. When I connect my iPad after onboarding I get the following in the access tracker:

 

Service: cppm-onboard Onboard Provisioning
Authentication Method: EAP-TLS
Authentication Source: AD:domaincontroller.domain.local
Authorization Source: RAS AD
Roles: [Employee], [User Authenticated]
Enforcement Profiles: [Allow Access Profile], cppm-onboard Onboard Post-Provisioning
Service Monitor Mode: Disabled

 

If I delete the onboarded iPad device, the iPad can still connect.

I seem to have provisioned the device against AD rather than against the onboarded device repository. Not sure how.

Can someone point me in the right direction?

Thanks

James

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Aruba

Re: Onboarded iOS devices not using onboard repository

The iPad is authenticating with a certificate (EAP-TLS) rather than a unique username and password like the Android onboarding process. Despite it showing AD as the authentication source, the certificate is on CPPM. Where do you delete the onboarded iPad device?

Also, check how your EAP-TLS authentication method is set up. Is it using OCSP to verify whether the cert is valid? If it is, it should detect a deleted/revoked certificate and not allow access.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: Onboarded iOS devices not using onboard repository

I was expecting to see all onboarded devices authenticate and show in the access tracker as "<username>:#:mdps_generic".

I was looking in the onboard device section under Identity on CPPM; that's where I deleted the device. That makes no difference for an iOS device.

Have had a dig around and can see the certificate in the Onboard + Workspace section.

Thanks Clembo.

Cheers
James

Aruba

Re: Onboarded iOS devices not using onboard repository

I've had customers say/do the same thing. The common name of the certificate issued to the clients is based on the username entered in the onboarding process (usually their AD name). The mdps_generic name given to Androids does not follow that same behavior, thus the difference seen in Access Tracker.

If you revoke/delete the certificate, it should remove the device from the Onboard Device list.

You could also make the presence in the Onboard Devices repository a condition of your role assignments; that way, if it is deleted there (but not within the CA), you can still control access.

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: Onboarded iOS devices not using onboard repository

Gotcha. Thanks for the info Clembo.

Cheers
James

Super Contributor II

Re: Onboarded iOS devices not using onboard repository

Hey,

I am seeing similar behavior.

I was messing around with the service templates. I wanted to compare what they generated to what we are using. That is when I noticed that the '[Onboard Devices Repository]' was being used as the 'Authentication Source' in the Enforcement Policy.

I then went and checked authentication requests coming in from already onboarded devices and noticed that none of them are reporting the '[Onboard Devices Repository]' as the authentication source. I was even able to remove '[Onboard Devices Repository]' from the authentication tab of the service and everything kept functioning.

If I delete/revoke the certificate the device will not be able to authenticate. This includes both Android and Apple devices.

What you describe, Clembo, makes sense.

I should have been paying closer attention!

Is this at all related to how you set the 'Key Type' under ClearPass Onboard > Onboard + Workspace > Deployment and Provisioning > Provisioning Settings > <Your profile> > General Tab?

I have had issues in the past with this setting and what type of information gets sent during an authentication request.

Cheers

 

Contributor II

Re: Onboarded iOS devices not using onboard repository

Hi all,

I am facing the same issue. I have deleted the client certificate from Onboard, but the device is still able to authenticate and get access to the network.

I understood that in the EAP-TLS method I didn't enable OCSP or the OCSP URL. And in the certificate authority, we said do not include the OCSP responder URL.

So it's not checking the validity of the certificate.

Are the above things making the iOS device get onto the network?

Thanks & Regards

Srikanth Soogoor

Aruba

Re: Onboarded iOS devices not using onboard repository

Unless OCSP is enabled, the client will be able to get online.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II

Re: Onboarded iOS devices not using onboard repository

So I have to include OCSP in the CA. And also in the EAP-TLS method, right?

 

Thanks

Srikanth Soogoor

Aruba

Re: Onboarded iOS devices not using onboard repository

If the OCSP is in the cert from the CA, the client should reject itself. If you have CPPM check OCSP and you have localhost as the address, it will look in its repository for cert/client validity.
Thank You,
Troy

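Added example (not ClearPass code and not from any poster): a small Python model of the three outcomes the thread arrives at for an iPad certificate whose device was deleted from Onboard. It assumes a simplified ClearPass: the certificate CN is resolved in AD (hence AD as the reported source), OCSP is an on/off check against the Onboard CA's revoked serials as in Troy's localhost setup, and Onboard Devices Repository membership can gate the [Employee] role as Clembo suggests; the request fields, serial and usernames are constructed.

```python
"""Added example (not ClearPass code): a model of the decisions in this thread.
Assumptions: an EAP-TLS request carries the client cert's common name (the AD
username typed at onboarding) and serial; the Onboard CA tracks revoked serials;
the Onboard Devices Repository maps serial -> username. Bracketed names are
ClearPass built-ins named in the thread; everything else is hypothetical."""
from dataclasses import dataclass, field

@dataclass
class EapTlsRequest:
    common_name: str  # CN of the client certificate, e.g. "jsmith"
    serial: int       # serial number issued by the Onboard CA

@dataclass
class ClearPassModel:
    ad_users: set
    revoked_serials: set = field(default_factory=set)       # Onboard CA state
    onboard_repository: dict = field(default_factory=dict)  # Identity > Onboard Devices
    ocsp_enabled: bool = False        # OCSP check in the EAP-TLS method
    require_repository: bool = False  # role-mapping condition Clembo suggests

    def roles_for(self, req: EapTlsRequest) -> list:
        """Return the assigned roles, or [] when the request is rejected."""
        # The TLS handshake chained to the Onboard CA; ClearPass then resolves
        # the CN in AD, which is why Access Tracker reports AD as the source.
        if req.common_name not in self.ad_users:
            return []
        # Without OCSP, revocation is never consulted, so a revoked cert passes.
        if self.ocsp_enabled and req.serial in self.revoked_serials:
            return []
        roles = ["[User Authenticated]"]
        in_repo = self.onboard_repository.get(req.serial) == req.common_name
        if in_repo or not self.require_repository:
            roles.append("[Employee]")
        return roles

    def enforce(self, req: EapTlsRequest) -> str:
        allowed = "[Employee]" in self.roles_for(req)
        return "[Allow Access Profile]" if allowed else "[Deny Access Profile]"

def scenarios() -> dict:
    """Constructed iPad cert (serial 1001) after deletion from Onboard: gone from the repo, revoked."""
    req = EapTlsRequest("jsmith", 1001)
    gone = dict(ad_users={"jsmith"}, revoked_serials={1001}, onboard_repository={})
    return {
        "ocsp_off": ClearPassModel(**gone).enforce(req),                              # James's case
        "ocsp_on": ClearPassModel(**gone, ocsp_enabled=True).enforce(req),            # Troy's fix
        "repo_required": ClearPassModel(**gone, require_repository=True).enforce(req),  # Clembo's fallback
    }
```

Run `scenarios()` to see that only the OCSP check or the repository condition turns the deleted device away; a device still present and unrevoked is allowed under every setting.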