Super Contributor II

changing client license expiry date

Hi,

I've just been looking into using Onboard to configure access from my iPhone to my test SSID using EAP-TLS with an OCSP-enabled TLS auth method. Works just fine. However, the client cert issued is only valid for an hour. Can you change the length of time before the cert expires? Having got this working last night, I came in to work this morning to find auths failing because the cert had expired. Got things working again by reprovisioning the device, but I'm fairly sure I shouldn't have to do that every hour! What am I missing?

Rgds

A

Guru Elite

Re: changing client license expiry date

The certificate expiration is set under the Certificate Authority configuration. You'll see a client certificate expiration/lifetime option. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: changing client license expiry date

Hi,

Hmmm, I've got this CA defined which shows a validity period of 365, the default value. The 2nd image shows that the cert valid time was 1 hour. The image doesn't show it, but the cert was generated from the shown cert authority. I'll try setting the validity period to something other than the default to see if it makes a difference. BTW I'm running 6.5.3 on my dev server.

CA config.png

cert timestamp.png
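An added check, not from this thread or from Aruba, for confirming what lifetime an issued client cert actually got: it reads the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates -in client.pem` prints and compares the real lifetime with the validity configured on the CA. The sample dates are constructed to reproduce the one-hour cert described above.

```python
"""Compare an issued client certificate's actual lifetime with the lifetime
configured on the issuing CA, using `openssl x509 -noout -dates` output."""
from datetime import datetime, timedelta

# Constructed sample (not real output): what `openssl x509 -noout -dates`
# prints for a client cert that was issued with a one-hour lifetime.
SAMPLE_DATES = """notBefore=Jun 12 08:15:00 2017 GMT
notAfter=Jun 12 09:15:00 2017 GMT
"""

# openssl's date layout, e.g. "Jun 12 08:15:00 2017 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as datetimes parsed from the
    key=value lines openssl prints; raise ValueError if either is missing."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    try:
        not_before = datetime.strptime(fields["notBefore"], OPENSSL_DATE_FMT)
        not_after = datetime.strptime(fields["notAfter"], OPENSSL_DATE_FMT)
    except KeyError as exc:
        raise ValueError("missing %s in openssl output" % exc) from exc
    return not_before, not_after


def lifetime_check(text, configured_days, tolerance=timedelta(minutes=5)):
    """Classify the issued lifetime against the CA's configured validity.
    Returns (actual_lifetime, verdict); verdict is 'ok' when the issued
    lifetime matches the configured days within `tolerance`, else 'mismatch'."""
    not_before, not_after = parse_openssl_dates(text)
    actual = not_after - not_before
    expected = timedelta(days=configured_days)
    verdict = "ok" if abs(actual - expected) <= tolerance else "mismatch"
    return actual, verdict


if __name__ == "__main__":
    # CA configured for 365 days, cert issued for one hour -> mismatch
    lifetime, verdict = lifetime_check(SAMPLE_DATES, configured_days=365)
    print("issued lifetime: %s -> %s" % (lifetime, verdict))
```

Run it against the real cert by piping `openssl x509 -noout -dates -in client.pem` into `lifetime_check` with the days value shown in the CA configuration.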

Guru Elite

Re: changing client license expiry date

That cert definitely came from that CA and not the default built in one? 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: changing client license expiry date

Yup, but the default one has a validity time of 365 as well. If I manually create a client cert, then it does get the 1 year validity time.

Signing Cert.png

Super Contributor II

Re: changing client license expiry date

Only seems to be when onboard generates the cert.

Super Contributor II

Re: changing client license expiry date

As an update,

Had a remote session with Aruba and the engineer has gone away to look at things. Might need another remote session

A

Super Contributor II

Re: changing client license expiry date

O.K., current update:

Support engineer wants to create an onboarding service from scratch. What I was doing before was authenticating onto eduroam using eap-peap and then accessing https://clearpassdev.york.ac.uk/guest/device_provisioning3.php which then configured my iphone to use eap-tls. Everything worked except for the fact that the cert length was 1.5 hours.

Now the intention is to use the ClearPass template for creating onboarding services to set things up and access it from an open network.

So ... created SSID alexs-portal and set things up so that when you connect to it via a web browser you get directed to the device provisioning URL above. You then get prompted for a username and password ... so I created one in the local user database and added the local DB to the 3 services created from the template.

Three templates are created:

- Provisioning
- Authorization
- Pre-Auth

Problem is that the conditions specified in the services aren't met and the request hits another service instead. I *think* I'm supposed to hit

onboard pre-auth.png

So what are you supposed to do to hit this service? Is it something you set up on the controller? AFAIK I'm just sitting on an open network trying to connect to http://clearpassdev.york.ac.uk/guest/device_provisioning3.php, which it must be doing because I'm at a screen that prompts you to authenticate.

A

Guru Elite

Re: changing client license expiry date

The services on the Policy Manager side generally don't have anything to do with the certificate properties. They're just to authorize the user to be able to Onboard and override things like max device count.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: changing client license expiry date

Well that's what I thought. All I'm doing now is setting up a mobility controller so that I can connect via an open access SSID to invoke the same URL that I got working before. My version used 2 CPPM services instead of 3 though. So under what conditions would the imaged service actually be reached?

Rgds
A