Occasional Contributor II

Wireless User can't Authenticate to ClearPass

Hi

I have a setup of CP, Instant Aruba AP, and a wireless user.

The CP and AP are configured to authenticate the wireless SSID users, but the wireless users can't authenticate to CP. When connecting to the SSID it asks for authentication (which is configured as Local-Auth in CP); I enter the credentials but it does not connect.

And in the CP tracker I got the attached error message.

Is it required to configure something in the wireless clients to enable 802.1x over wireless?


Regards

Mahmoud

Guru Elite

Re: Wireless User can't Authenticate to ClearPass

Did you see the video here? http://community.arubanetworks.com/t5/Video/VIDEO-802-1X-Authentication-with-Aruba-Instant-and-ClearPass/ta-p/69946

It should answer many of your questions.

You should try the authentication with a mobile phone first, as it is easier to connect to 802.1x.

Does your ClearPass server have a server certificate?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Wireless User can't Authenticate to ClearPass

Hi

Yes, I followed the same steps in my setup, but I got the same error.

Attached are the Access Tracker logs and the service configuration used.

I tried to authenticate using a smartphone and succeeded.


Thanks

Mahmoud
Occasional Contributor II

Re: Wireless User can't Authenticate to ClearPass

I can see from the access tracker that the client is sending the auth request over EAP-TLS, but the CP server doesn't have a certificate, so how do I configure the client to disable server verification for the wireless adapter (I disabled it for the wired adapter)?

And do I have to enable some service on the client Windows machine (like the "wired-Auto-Config" for the wired adapter)?

Thanks

Regards

Mahmoud
MVP

Re: Wireless User can't Authenticate to ClearPass

Is it not an option to add a valid certificate to ClearPass and use EAP-TLS?


Occasional Contributor II

Re: Wireless User can't Authenticate to ClearPass

I don't have a valid certificate in ClearPass, and I don't want to use a certificate.

So do I have to change something in the wireless client and the ClearPass service?

Mahmoud
Occasional Contributor II

Re: Wireless User can't Authenticate to ClearPass

Now the wireless users can authenticate...

I changed the SSID settings on the client machine (WPA2-Enterprise, AES, PEAP).

But now I have a new issue:

I am trying to do a health check for the client (OnGuard agent installed) before it gets access.

So I modified the CP service and added an enforcement rule in the used service to check for the healthy status before allowing access for this user.

Also I created another service (Web-Auth) for the agent checkup.

But now the client can't connect and the client is assigned the default reject profile.

Mahmoud
MVP

Re: Wireless User can't Authenticate to ClearPass

Can you show or explain the enforcement rules? Is it first-applicable or match all?

Occasional Contributor II

Re: Wireless User can't Authenticate to ClearPass

It's first applicable.

Attached are snapshots of the details of the services used.

When the client first connects it will match the third enforcement rule (deny-access) because the health check was not done yet.

But the process stops there and the WEBAUTH (agent) service is not checked, per the access tracker logs.

Maybe because the client is assigned the deny-access profile, so the installed agent on the client PC will not be able to communicate with CP to proceed with the WEBAUTH service checkup.

So how do I force the client agent to do the health check...

What do you see?

Mahmoud
MVP

Re: Wireless User can't Authenticate to ClearPass

You should make the first rule one that matches on health status unknown and accept but return to a limited role, which allows the webauth to work. You can also give the user access to a page to download the agent (in case he doesn't have it). You just need to add to the web auth that if status is healthy that he gets the healthy (authenticated) role. 
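
The rule-ordering problem and the suggested fix from this thread, as an added example that is not part of any post and is not ClearPass configuration syntax. It is a simplified Python model of first-applicable evaluation; the rule contents, profile names and the set of profiles that can reach the WebAuth service are assumptions constructed for illustration.

```python
# Simplified model of first-applicable enforcement (not ClearPass configuration syntax).
# Rule contents and profile names are constructed for illustration.

def evaluate(rules, default, posture):
    """First-applicable: return the profile of the first rule matching the posture."""
    for wanted, profile in rules:
        if wanted == posture:
            return profile
    return default

# Assumption: only these profiles let the agent reach the WebAuth service.
REACHES_WEBAUTH = {"limited-access", "full-access"}

# As described in the thread: a client with no health check yet falls to deny-access.
ORIGINAL_DOT1X = [
    ("HEALTHY", "full-access"),
    ("QUARANTINE", "limited-access"),
    ("UNKNOWN", "deny-access"),
]

# Suggested fix: the first rule accepts unknown posture into a limited role.
FIXED_DOT1X = [
    ("UNKNOWN", "limited-access"),
    ("HEALTHY", "full-access"),
    ("QUARANTINE", "limited-access"),
]

# WebAuth service: a healthy report earns the full role, anything else stays limited.
WEBAUTH = [("HEALTHY", "full-access")]

def connect(dot1x_rules, agent_report):
    """Return the profiles a client receives: 802.1X first, then WebAuth if reachable."""
    first = evaluate(dot1x_rules, "deny-access", "UNKNOWN")
    if first not in REACHES_WEBAUTH:
        return [first]  # agent cannot talk to the server, so posture never updates
    return [first, evaluate(WEBAUTH, "limited-access", agent_report)]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_DOT1X), ("fixed", FIXED_DOT1X)):
        for report in ("HEALTHY", "QUARANTINE"):
            print(name, report, connect(rules, report))
```

With the original ordering the client never leaves deny-access regardless of its real health, while the fixed ordering keeps unchecked and unhealthy clients in the limited role and promotes only a healthy report.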
