Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Win10 onboarding with QuickConnect

  • 1.  Win10 onboarding with QuickConnect

    Posted Aug 18, 2016 04:48 PM

    Hello all,

    With students returning, we've run into an onboarding issue with our Win10 clients. The onboard process (using certs from CPPM CA) has always worked flawlessly even with Win10 clients until a few weeks ago. We've started seeing clients that will not connect to our SSID after going through the QuickConnect app. I've verified that the personal cert is added and the profile is created.

    What works is if you go into the wireless profile settings in Windows, forget the network, connect to it again in that same window and then click the little link that says "use a certificate". Is this something that has changed with Win10 or perhaps when I upgraded the CPPM to 6.5.6?

    Has anyone else encountered this?



  • 2.  RE: Win10 onboarding with QuickConnect

    EMPLOYEE
    Posted Aug 18, 2016 04:50 PM
    What exactly happens post Onboard when it tries to connect?

    Does it just fail? Is there an error?


  • 3.  RE: Win10 onboarding with QuickConnect

    Posted Aug 18, 2016 04:55 PM
    QuickConnect itself just fails with a "failed to authenticate" (not sure if that is verbatim) error. Windows says something similar...perhaps "cannot connect to this network". I'll grab exact errors next time I see it. It is as though it isn't trying to use the cert to auth. I suppose I can see what Access Tracker is doing as well. I just figured I would see if anyone else has seen it.


  • 4.  RE: Win10 onboarding with QuickConnect
    Best Answer

    Posted Aug 19, 2016 09:49 AM

    I just received the release notes for CPPM 6.5.7.

     https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=22498

    In the "issues fixed" I see this:

    #35044 Devices running Windows 8 or higher could not connect to the secure SSID after onboarding if the TLS client certificate private key was configured to be generated by Onboard.

    I'm pretty sure that is what we are running into. I'm just surprised that more people haven't encountered this bug.



  • 5.  RE: Win10 onboarding with QuickConnect

    EMPLOYEE
    Posted Aug 19, 2016 09:56 AM
    You have ClearPass generating the key and not the device?


  • 6.  RE: Win10 onboarding with QuickConnect

    Posted Aug 19, 2016 09:58 AM

    I guess I'm not sure. Where is that setting?



  • 7.  RE: Win10 onboarding with QuickConnect

    EMPLOYEE
    Posted Aug 19, 2016 10:00 AM
    In your CA configuration.


  • 8.  RE: Win10 onboarding with QuickConnect

    Posted Aug 19, 2016 10:02 AM

    Ah, I see it now. The CA config has not been altered since we set it up 3 years ago. Are there any benefits/drawbacks to doing it one way or the other?



  • 9.  RE: Win10 onboarding with QuickConnect

    EMPLOYEE
    Posted Aug 19, 2016 10:04 AM
    Generating the private key on the device is generally considered more secure.

    Generating the key in ClearPass allows you to export the certificate with private key from ClearPass.


  • 10.  RE: Win10 onboarding with QuickConnect

    Posted Aug 19, 2016 10:13 AM

    And I assume I can change this to "created by device" for testing and then set it back if things go haywire. Am I correct? This doesn't completely alter the CA and existing certs, does it?



  • 11.  RE: Win10 onboarding with QuickConnect

    EMPLOYEE
    Posted Aug 19, 2016 10:15 AM
    I have not tested that so I'm not comfortable answering. You may want to reach out to Aruba TAC before making changes.