07-10-2016 06:09 AM
I have a setup of CP, Instant Aruba AP, and a wireless user.
The CP and AP are configured to authenticate the wireless SSID users, but the wireless users can't authenticate to CP. When connecting to the SSID it asks for authentication (which is configured as Local-Auth in CP); I enter the credentials but it does not connect.
And in CP tracker I got the attached error message.
Is it required to configure something in the wireless clients to enable the 802.1x over wireless?
07-10-2016 07:01 AM - edited 07-10-2016 07:02 AM
It should answer many of your questions.
You should try the authentication with a mobile phone first, as it is easier to connect to 802.1x.
Does your ClearPass server have a server certificate?
Aruba Customer Engineering
07-12-2016 12:19 AM
Yes I followed the same steps in my setup, but I got the same error.
Attached the Access-tracker logs and the used service configuration.
I tried to authenticate using a smartphone and succeeded.
07-12-2016 12:45 AM
I can see from the access tracker that the client is sending the auth request over EAP-TLS, but the CP server doesn't have a certificate, so how do I configure the client to disable server verification for the wireless adapter (I disabled it for the wired adapter)?
And do I have to enable some service on the client Windows machine (like the "wired-Auto-Config" for the wired adapter)?
07-12-2016 03:52 AM
Now the wireless users can authenticate...
I changed the SSID settings in the client machine (WPA2-Enterprise, AES, PEAP).
But now I have a new issue:
I am trying to do a health check for the client (OnGuard agent installed) before it gets access.
So I modified the CP service and added an enforcement rule in the used service to check for the healthy status before allowing access for this user.
Also I created another service (Web-Auth) for the agent checkup.
But now the client can't connect and the client is assigned the default reject profile.
07-12-2016 04:29 AM
It's first applicable.
Attached the used services details snapshots.
When the client first connects it will match the third enforcement rule (deny-access) because the health check was not done yet.
But the process stops there and the WEBAUTH (agent) service is not checked, per the access tracker logs.
Maybe because the client is assigned the deny-access profile, the installed agent on the client PC will not be able to communicate with CP to proceed to the WEBAUTH service checkup.
So how do I force the client agent to do the health check?
What do you see?
07-12-2016 04:33 AM
You should make the first rule one that matches on health status unknown and accept but return to a limited role, which allows the webauth to work. You can also give the user access to a page to download the agent (in case he doesn't have it). You just need to add to the web auth that if status is healthy that he gets the healthy (authenticated) role.
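The rule ordering discussed in the last two posts, as an added sketch that is not part of the original thread and is not ClearPass configuration or code: a toy first-applicable evaluator in Python. The posture values, profile names (`limited-webauth`, `full-access`, `quarantine`, `deny-access`) and the first two rules of the original policy are assumptions.

```python
# Toy model of a first-applicable enforcement policy. All names below are
# assumptions made for illustration; none come from the thread's screenshots.
UNKNOWN, HEALTHY, QUARANTINE = "UNKNOWN", "HEALTHY", "QUARANTINE"

# Policy as described by the poster: a client whose health check has not run
# yet falls through to the third rule (deny-access).
ORIGINAL_RULES = [
    (lambda posture: posture == HEALTHY, "full-access"),
    (lambda posture: posture == QUARANTINE, "quarantine"),
    (lambda posture: True, "deny-access"),
]

# Policy as suggested in the reply: unknown posture is accepted first, but only
# into a limited role that reaches the policy server and the agent download.
CORRECTED_RULES = [
    (lambda posture: posture == UNKNOWN, "limited-webauth"),
    (lambda posture: posture == HEALTHY, "full-access"),
    (lambda posture: True, "deny-access"),
]

# Profiles under which the agent can still talk to the policy server.
AGENT_CAN_REACH_SERVER = {"limited-webauth", "full-access"}


def first_applicable(rules, posture):
    """Return the profile of the first rule whose condition matches."""
    for matches, profile in rules:
        if matches(posture):
            return profile
    return "deny-access"  # default reject when nothing matches


def connect(rules, agent_result):
    """Trace the profiles a client receives from first connect onward.

    Simplification: the agent's health result is fed back into the same rule
    list, standing in for the separate web-auth service returning the role.
    """
    posture = UNKNOWN  # no health check has happened at first 802.1X auth
    trace = [first_applicable(rules, posture)]
    if trace[-1] in AGENT_CAN_REACH_SERVER:
        posture = agent_result  # health check can only run if the agent gets through
        trace.append(first_applicable(rules, posture))
    return trace


if __name__ == "__main__":
    print("original :", connect(ORIGINAL_RULES, HEALTHY))
    print("corrected:", connect(CORRECTED_RULES, HEALTHY))
    print("unhealthy:", connect(CORRECTED_RULES, QUARANTINE))
```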