09-16-2015 02:22 AM
I've just been looking into using onboard to configure access from my iphone to my test SSID using EAP-TLS with an ocsp enabled tls auth method. Works just fine. However, the client cert issued is only valid for an hour. Can you change the length of time before the cert expires? Having got this working last night, came in to work this morning to find auths failing because the cert had expired. Got things working again by reprovisioning the device, but I'm fairly sure I shouldn't have to do that every hour! What am I missing?
09-16-2015 02:26 AM
09-16-2015 03:32 AM
Hmmm, I've got this CA defined which shows a validity period of 365 - the default value. The 2nd image shows that the cert valid time was 1 hour. Image doesn't show it but the cert was generated from the shown cert authority. I'll try setting the validity period to something other than the default to see if it makes a difference. BTW I'm running 6.5.3 on my dev server.
09-24-2015 08:45 AM
o.k. current update
Support engineer wants to create an onboarding service from scratch. What I was doing before was authenticating onto eduroam using eap-peap and then accessing https://clearpassdev.york.ac.uk/guest/device_provisioning3.php which then configured my iphone to use eap-tls. Everything worked except for the fact that the cert length was 1.5 hours.
Now the intention is to use the clearpass template for creating onboarding services to set things up and access it from an open network.
So ... created ssid alexs-portal and set things up so that when you connect to it via a web browser you get directed to the device provisioning url above. You then get prompted for a username and password .... so I created one in the local user database and added ldb to the 3 services created from the template.
Three templates are created
Problem is that the conditions specified in the services aren't met and the request hits another service instead. I *think* I'm supposed to hit
So what are you supposed to do to hit this service? Is it something you set up on the controller? AFAIK I'm just sitting on an open network trying to connect to http://clearpassdev.york.ac.uk/guest/device_provisioning3.php, which it must be doing because I'm at a screen that prompts you to authenticate.
09-24-2015 08:48 AM
09-24-2015 08:56 AM
controller so that I can connect via an open access SSID to invoke the
same URL that I got working before. My version used 2 cppm services instead
of 3 though. So under what conditions would the imaged service actually be