Occasional Contributor II
Posts: 23
Registered: ‎02-28-2014

Win10 onboarding with QuickConnect

Hello all,

With students returning, we've run into an onboarding issue with our Win10 clients. The onboard process (using certs from CPPM CA) has always worked flawlessly even with Win10 clients until a few weeks ago. We've started seeing clients that will not connect to our SSID after going through the QuickConnect app. I've verified that the personal cert is added and the profile is created.

What works is if you go into the wireless profile settings in Windows, forget the network, connect to it again in that same window and then click the little link that says "use a certificate". Is this something that has changed with Win10 or perhaps when I upgraded the CPPM to 6.5.6?

Has anyone else encountered this?


Mike Naylor
The College of Wooster
Guru Elite
Posts: 8,040
Registered: ‎09-08-2010

Re: Win10 onboarding with QuickConnect

What exactly happens post Onboard when it tries to connect?

Does it just fail? Is there an error?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 23
Registered: ‎02-28-2014

Re: Win10 onboarding with QuickConnect

QuickConnect itself just fails with a "failed to authenticate" (not sure if that is verbatim) error. Windows says something similar...perhaps "cannot connect to this network". I'll grab exact errors next time I see it. It is as though it isn't trying to use the cert to auth. I suppose I can see what Access Tracker is doing as well. I just figured I would see if anyone else has seen it.

Mike Naylor
The College of Wooster
Occasional Contributor II
Posts: 23
Registered: ‎02-28-2014

Re: Win10 onboarding with QuickConnect

I just received the release notes for CPPM 6.5.7.

 https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=22498

In the "issues fixed" I see this:

#35044 Devices running Windows 8 or higher could not connect to the secure SSID after onboarding if the TLS client certificate private key was configured to be generated by Onboard.

I'm pretty sure that is what we are running into. I'm just surprised that more people haven't encountered this bug.


Mike Naylor
The College of Wooster
Guru Elite
Posts: 8,040
Registered: ‎09-08-2010

Re: Win10 onboarding with QuickConnect

You have ClearPass generating the key and not the device?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 23
Registered: ‎02-28-2014

Re: Win10 onboarding with QuickConnect

I guess I'm not sure. Where is that setting?


Mike Naylor
The College of Wooster
Guru Elite
Posts: 8,040
Registered: ‎09-08-2010

Re: Win10 onboarding with QuickConnect

In your CA configuration.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 23
Registered: ‎02-28-2014

Re: Win10 onboarding with QuickConnect

Ah, I see it now. The CA config has not been altered since we set it up 3 years ago. Are there any benefits/drawbacks to doing it one way or the other?


Mike Naylor
The College of Wooster
Guru Elite
Posts: 8,040
Registered: ‎09-08-2010

Re: Win10 onboarding with QuickConnect

Generating the private key on the device is generally considered more secure.

Generating the key in ClearPass allows you to export the certificate with private key from ClearPass.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 23
Registered: ‎02-28-2014

Re: Win10 onboarding with QuickConnect

And I assume I can change this to "created by device" for testing and then set it back if things go haywire. Am I correct? This doesn't completely alter the CA and existing certs, does it?


Mike Naylor
The College of Wooster