Security

Occasional Contributor II
Posts: 10
Registered: ‎06-30-2015

User not found in onboard devices repository

Dear community,

I've been scratching my head over the following issue, I hope you guys can help.

I've got dual SSID onboarding set up using the built-in wizard and some minor adjustments to include AD auth. The process works fine until the device has been successfully onboarded and enters the 'Onboard Provisioning' service. I'm getting an authentication error telling me my username has not been found.


Debug log:

DEBUG RadiusServer.Radius - radius_xlat: 'SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226 WHEN approval_status != 'Approved' THEN 227 ELSE 0 END AS Account_Status, sponsor_name FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('********')::text) AND (app_name = 'Onboard'))'
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): Reserving sql socket id: 31
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): User ******** not found
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): Released sql socket id: 31
DEBUG RadiusServer.Radius - rlm_sql (authsrc_5): User not found

I tinkered a bit with pgAdmin to test the query being used as filter in the authentication source.


SELECT user_credential(password) AS User_Password, CASE WHEN enabled = FALSE THEN 225 WHEN ((start_time > now()) OR ((expire_time is not null) AND (expire_time <= now()))) THEN 226 WHEN approval_status != 'Approved' THEN 227 ELSE 0 END AS Account_Status, sponsor_name FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = mdps_username_to_serial('%{Authentication:Username}')::text) AND (app_name = 'Onboard'))

I've isolated my issue to the following part of the query: 

(user_id = mdps_username_to_serial('%{Authentication:Username}')::text)

ClearPass fills this with my authenticated username and gets NULL in return. Removing this portion returns a user but I lose an important check. After reviewing the PostgreSQL function it seems it expects more data in order to return anything but NULL.

RETURN CAST(substring(username from ':(\\d+):(OnboardDevice|mdps_generic)$') AS numeric);

Using a regex tool I found out if I provide data in the format <username>:<user id of onboarded device>:OnboardDevice, the onboard device filter query starts returning an entry.


Can anyone help me to finish my onboarding service so I can start using it? I feel I've already taken a rather deep dive for something possibly quite trivial :-)
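To make the failure mode in the post above concrete, here is an added example (not from the original post, ClearPass or the Onboard product) that re-implements the quoted `mdps_username_to_serial()` regex and the filter query's `CASE` expression in Python, then runs them over a constructed `tips_guest_users`-style table. The table rows, the user names and the assumption that `user_id` holds the onboarded device's serial are all constructed for the example; `user_credential(password)` is not modelled.

```python
import re
from datetime import datetime, timedelta

# Same pattern as the PostgreSQL helper quoted in the post:
#   substring(username from ':(\\d+):(OnboardDevice|mdps_generic)$')
# substring(... from <regex>) yields the first parenthesised group, or NULL.
SERIAL_RE = re.compile(r':(\d+):(OnboardDevice|mdps_generic)$')

# Constructed "now" so the time-based checks are deterministic.
NOW = datetime(2015, 7, 1, 12, 0, 0)

# Constructed rows in the shape the filter query reads from tips_guest_users.
# Assumption (not confirmed by the post): user_id holds the device serial.
SAMPLE_ROWS = [
    {"guest_type": "USER", "app_name": "Onboard", "user_id": "4242",
     "sponsor_name": "alice", "enabled": True, "approval_status": "Approved",
     "start_time": NOW - timedelta(days=1), "expire_time": None},
    {"guest_type": "USER", "app_name": "Onboard", "user_id": "4243",
     "sponsor_name": "bob", "enabled": True, "approval_status": "Approved",
     "start_time": NOW - timedelta(days=30), "expire_time": NOW - timedelta(hours=1)},
    {"guest_type": "USER", "app_name": "Onboard", "user_id": "4244",
     "sponsor_name": "carol", "enabled": False, "approval_status": "Approved",
     "start_time": NOW - timedelta(days=1), "expire_time": None},
    {"guest_type": "USER", "app_name": "Onboard", "user_id": "4245",
     "sponsor_name": "dave", "enabled": True, "approval_status": "Pending",
     "start_time": NOW - timedelta(days=1), "expire_time": None},
]


def mdps_username_to_serial(username):
    """Python equivalent of the PostgreSQL helper: the serial as int, or None (NULL)."""
    m = SERIAL_RE.search(username)
    return int(m.group(1)) if m else None


def account_status(row, now):
    """The CASE expression from the filter query: 225, 226, 227 or 0."""
    if row["enabled"] is False:            # enabled = FALSE (NULL is not FALSE in SQL)
        return 225
    if row["start_time"] > now or (row["expire_time"] is not None and row["expire_time"] <= now):
        return 226
    if row["approval_status"] != "Approved":
        return 227
    return 0


def onboard_filter(rows, auth_username, now=NOW):
    """Emulate the WHERE clause of the filter query for one authenticating user."""
    serial = mdps_username_to_serial(auth_username)
    if serial is None:
        # user_id = NULL::text never matches, which is what rlm_sql reports as
        # "User <name> not found" when a plain username reaches this query.
        return []
    return [
        {"sponsor_name": r["sponsor_name"], "Account_Status": account_status(r, now)}
        for r in rows
        if r["guest_type"] == "USER" and r["user_id"] == str(serial) and r["app_name"] == "Onboard"
    ]


if __name__ == "__main__":
    for name in ("alice", "alice:4242:OnboardDevice", "bob:4243:OnboardDevice",
                 "carol:4244:mdps_generic", "dave:4245:OnboardDevice"):
        print(f"{name!r:32} serial={mdps_username_to_serial(name)!s:5} -> {onboard_filter(SAMPLE_ROWS, name)}")
```

Running it shows that a bare AD username such as `alice` yields a serial of `None` and an empty result set, exactly the "User not found" path in the debug log, while `<username>:<serial>:OnboardDevice` selects the row and the `CASE` expression then reports why a matched device would still be rejected (disabled, expired or not yet approved).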


Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: User not found in onboard devices repository

Did you use the service templates?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor II
Posts: 10
Registered: ‎06-30-2015

Re: User not found in onboard devices repository

Indeed I did, added some minor tweaks afterwards to use AD as auth source instead of guest repo.

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: User not found in onboard devices repository

Please share screenshots of your Onboard Authorization service.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Occasional Contributor II
Posts: 10
Registered: ‎06-30-2015

Re: User not found in onboard devices repository

Thanks for having a look Cappalli, I've included the screenshot of the authorization service. I have not changed this yet as I'm still working on the authentication part :-)

Aruba Employee
Posts: 512
Registered: ‎02-19-2015

Re: User not found in onboard devices repository

Arian,


I see that in the Authorization service, Active Directory has not been added to the authorization list. Could you add it and check the status?

Regards,

Pavan

If my post addresses your query, give kudos :)

Occasional Contributor II
Posts: 10
Registered: ‎06-30-2015

Re: User not found in onboard devices repository

Pavan, 


I did as you suggested without success. I don't see how changing my authorization service fixes the issue I have with my provisioning service?


Aruba Employee
Posts: 512
Registered: ‎02-19-2015

Re: User not found in onboard devices repository

Has AD been added as an authentication source in the provisioning service? Could you share the Access Tracker log?

Regards,

Pavan

Occasional Contributor II
Posts: 10
Registered: ‎06-30-2015

Re: User not found in onboard devices repository

Dear Pavan,


The only place the AD is used for authentication is the pre-auth service, which works just fine. Like I explained, I can onboard devices without issues, but after this process the onboard device repository doesn't seem to return the username associated with the onboarded device, thus failing the authentication.


I've included the logs. Take note especially of the provisioning log related to the onboard device repository:

Trying to (re)connect unconnected handle 31..
Attempting to connect rlm_sql_unixodbc #31
Connected new DB handle, #31
User a.wubben not found
Released sql socket id: 31
User not found

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: User not found in onboard devices repository

Please open a TAC case. It’s very difficult to troubleshoot on here.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480