Occasional Contributor I
Posts: 6
Registered: ‎08-07-2014

QuickConnect/onboard issue

I am trying to get Onboard working (actually had it working but then it stopped). I created Onboard as a CA and went through a tech note on how to create a single Onboard SSID here. It was working, but now when devices need to reprovision, the QuickConnect app makes it all the way through to the "checking connectivity" point and then times out and states there was a problem connecting to the network. In the AP logs I see entries stating radius reject for station <username><mac> from server Clearpass, and Dropping the radius packet for station <mac> doing 802.1x, and client <mac> is failed to authenticate. Like I stated, it was working with Android and Windows clients. I went on to start getting iOS clients going, which I was having issues with, so I tried the working clients and found that they could not re-provision themselves...

Does anybody have any suggestions or know of any log files where I might be able to get a better idea of what is going on? I have 2 other SSIDs for guest / staff traffic that do not use the Onboard piece.

clearpass version - 6.3.4 - cp-va-500

ap Instants - ap-105

 

thanks for any ideas,

Jon

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: QuickConnect/onboard issue

What is access tracker showing?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎08-07-2014

Re: QuickConnect/onboard issue

It initially shows it going into a post-provision role, and then after the quick connect client times out it seems to show it go back into the pre-auth role

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: QuickConnect/onboard issue

Are you using EAP-TLS with OCSP ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: QuickConnect/onboard issue

So the latest request is sending back a user role? No alert tab or anything?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎08-07-2014

Re: QuickConnect/onboard issue

Yes, we have it set up with EAP-TLS with OCSP and EAP PEAP without Fast Reconnect - the defaults when I configured the Onboard service.

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: QuickConnect/onboard issue

Did you add the OCSP link from the Onboard CA?

 

[Attached screenshot: ClearPass Policy Manager]

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: QuickConnect/onboard issue

Please post a screenshot of the access tracker request where you are seeing the issue.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎08-07-2014

Re: QuickConnect/onboard issue

First off, thanks for the help.

Yes, it is there. I am seeing the QuickConnect client step through the process, and after QC toggles the adapter, it comes up and moves to checking connectivity, and I noticed that the SSID is disabled within the client...

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: QuickConnect/onboard issue

At that point, do you see a request in access tracker? What is the EAP method? EAP-TLS or EAP-PEAP?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480