Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wireless User can't Authenticate to ClearPass

  • 1.  Wireless User can't Authenticate to ClearPass

    Posted Jul 10, 2016 09:10 AM

    Hi

    I have a setup of CP, an Instant Aruba AP, and a wireless user.

    The CP and AP are configured to authenticate the wireless SSID users, but the wireless users can't authenticate to CP. When connecting to the SSID it asks for authentication (which is configured as Local-Auth in CP); I enter the credentials but it's not connecting.

    And in the CP Access Tracker I got the attached error message.

    Is it required to configure something on the wireless clients to enable 802.1X over wireless?

    Regards

    Mahmoud



  • 2.  RE: Wireless User can't Authenticate to ClearPass

    EMPLOYEE
    Posted Jul 10, 2016 10:02 AM

    Did you see the video here?  http://community.arubanetworks.com/t5/Video/VIDEO-802-1X-Authentication-with-Aruba-Instant-and-ClearPass/ta-p/69946

    It should answer many of your questions.

    You should try the authentication with a mobile phone first, as it is easier to connect to 802.1X.

    Does your ClearPass server have a server certificate?



  • 3.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 03:19 AM

    Hi

    Yes, I followed the same steps in my setup, but I got the same error.

    Attached are the Access Tracker logs and the service configuration used.

    I tried to authenticate using a smartphone and succeeded.

    Thanks

    Attachment: Logs.zip (4 KB)


  • 4.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 03:45 AM

    I can see from the Access Tracker that the client is sending the auth request over EAP-TLS, but the CP server doesn't have a certificate. So how do I configure the client to disable server verification for the wireless adapter (I disabled it for the wired adapter)?

    And do I have to enable some service on the client Windows machine (like the "Wired AutoConfig" service for the wired adapter)?

    Thanks

    Regards

    Mahmoud



  • 5.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 04:20 AM

    Is it not an option to add a valid certificate to ClearPass and use EAP-TLS?



  • 6.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 04:23 AM

    I don't have a valid certificate in ClearPass, and I don't want to use a certificate.

    So do I have to change something in the wireless client and the ClearPass service?



  • 7.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 06:52 AM

    Now the wireless users can authenticate...

    I changed the SSID settings on the client machine (WPA2-Enterprise, AES, PEAP).

    But now I have a new issue:

    I am trying to do a health check of the client (OnGuard agent installed) before it gets access.

    So I modified the CP service and added an enforcement rule in the service used to check for healthy status before allowing access for this user.

    Also I created another service (Web-Auth) for the agent check-up.

    But now the client can't connect and the client is assigned the default reject profile.

    Mahmoud



  • 8.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 06:55 AM

    Can you show or explain the enforcement rules? Is it first-applicable or match all?



  • 9.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 07:29 AM

    It's first-applicable.

    Attached are snapshots of the details of the services used.

    When the client first connects it will match the third enforcement rule (deny-access) because the health check was not done yet.

    But the process stops there and the WEBAUTH (agent) service is not checked, per the Access Tracker logs.

    Maybe because the client is assigned the deny-access profile, the agent installed on the client PC is not able to communicate with CP to proceed to the WEBAUTH service check-up.

    So how to force the client agent to do the health check....

    What do you see?

    Mahmoud

    Attachment: Captures.zip (120 KB)


  • 10.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 07:33 AM

    You should make the first rule one that matches on health status unknown and accept but return to a limited role, which allows the webauth to work. You can also give the user access to a page to download the agent (in case he doesn't have it). You just need to add to the web auth that if status is healthy that he gets the healthy (authenticated) role. 



  • 11.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 07:37 AM

    Hi

    Please explain more, as I didn't get what/where rules I have to create.

    Thanks



  • 12.  RE: Wireless User can't Authenticate to ClearPass
    Best Answer

    Posted Jul 12, 2016 07:53 AM

    Short steps:

    1. Service dot1x : Move rule (client = not healthy) to top
    2. Service dot1x : rule (client = not healthy), change deny to accept and return user role 'quarantined' (for controllers)
    3. Controller configuration: role 'quarantined' + ACLs limiting access on network
    4. Service webauth & dot1x : rule (client = healthy), return user role 'authenticated'

    Reasoning:

    1. proper flow, personal preference in order :)
    2. Allow unhealthy user to network but return with limiting role. User needs to be on the network for web auth to work.
    3. Configuration of the role on the controller
    4. Allow the user to move from the 'quarantined' role to the 'authenticated' healthy role. Authenticated role will allow access to the network as intended.

    Hope that's clear?

    Kind regards,

    jcelis

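As an added illustration (not from the thread and not ClearPass code), a small Python model of a first-applicable enforcement policy: it reproduces why the original rule order drops the client into the deny profile at 802.1X, before the OnGuard agent has reported, and how the reordering in the accepted answer, which accepts with a limiting 'quarantined' role, lets the WebAuth step finish. Posture names are modelled on ClearPass's Tips:Posture tokens; the default-profile name, rule names and the health-check outcome are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Posture tokens modelled on ClearPass's Tips:Posture attribute (constructed values).
HEALTHY, UNKNOWN = "HEALTHY", "UNKNOWN"
# Profile applied when no rule matches (name assumed; plays the "default reject" seen in the thread).
DEFAULT_PROFILE = "[Deny Access Profile]"

@dataclass
class Rule:
    name: str
    match: Callable[[Dict[str, str]], bool]
    profile: str  # enforcement profile (user role) returned when the rule matches

def enforce(rules: List[Rule], attrs: Dict[str, str],
            first_applicable: bool = True) -> List[str]:
    """Select enforcement profile(s): only the first hit, or every hit for a match-all policy."""
    hits = [r.profile for r in rules if r.match(attrs)]
    if not hits:
        return [DEFAULT_PROFILE]
    return hits[:1] if first_applicable else hits

def is_healthy(attrs: Dict[str, str]) -> bool:
    return attrs.get("Tips:Posture") == HEALTHY

def not_healthy(attrs: Dict[str, str]) -> bool:
    return not is_healthy(attrs)

# Thread's original dot1x policy: a healthy client is authenticated, anything else is denied.
# At 802.1X time the agent has not reported yet, so posture is UNKNOWN and the deny rule fires.
ORIGINAL = [Rule("healthy -> authenticated", is_healthy, "authenticated"),
            Rule("not healthy -> deny", not_healthy, DEFAULT_PROFILE)]

# Accepted answer: evaluate the not-healthy rule first, but accept with a limiting role.
FIXED = [Rule("not healthy -> quarantined", not_healthy, "quarantined"),
         Rule("healthy -> authenticated", is_healthy, "authenticated")]

def onboard(dot1x_rules: List[Rule], webauth_rules: List[Rule]) -> List[str]:
    """Simulate 802.1X with unknown posture, then the agent's WebAuth once it has reported."""
    attrs = {"Tips:Posture": UNKNOWN}
    roles = enforce(dot1x_rules, attrs)
    if roles == [DEFAULT_PROFILE]:
        return roles  # client never reaches the network, so the agent cannot talk to ClearPass
    attrs["Tips:Posture"] = HEALTHY  # constructed outcome: the OnGuard health check passes
    return roles + enforce(webauth_rules, attrs)

if __name__ == "__main__":
    print("original order:", onboard(ORIGINAL, ORIGINAL))  # ['[Deny Access Profile]']
    print("fixed order:   ", onboard(FIXED, FIXED))        # ['quarantined', 'authenticated']
```

Step 3 of the answer (the 'quarantined' role and its ACLs) lives on the controller and is outside what this model covers.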


  • 13.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 12, 2016 08:01 AM

    Hi jcelis

    Yes, it's very clear now (thanks).

    But the issue I have now is that the controller is a Fortinet controller and not an Aruba controller.

    So I'm not sure if I can push the role name to it.

    But in the worst case (if we can't push the role name to Fortinet), is there a workaround for this to work as expected?

    Thanks

    Mahmoud



  • 14.  RE: Wireless User can't Authenticate to ClearPass

    EMPLOYEE
    Posted Jul 12, 2016 11:41 AM

    Have you reached out to your Aruba partner?


  • 15.  RE: Wireless User can't Authenticate to ClearPass

    Posted Jul 13, 2016 04:44 AM

    Hi,

    There is a document on the support website called:

    CPPM TechNote - 3rd Party Enforcement Points (Fortinet) V1.1.pdf

    might have something useful.

    Kind regards,

    jcelis