MVP
Posts: 1,395
Registered: ‎05-28-2008

clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

Hi Guys,

I deployed a small POC of ClearPass.

I configured the Onboard process in front of an Aruba controller & RADIUS server.

I keep getting auth failed, because it seems like the ClearPass/device is sending the username plus extra unneeded stuff:

Why does it do it? Here in the example the username is pelegw...

ClearPass is changing it to: pelegw:10:mdps_generic

adiusServer.Radius - reqst_update_state: Access-Challenge 13:76:206432156034:0x00410055009000902b00000012d624c17e47ce52b81d080a6711508d
2013-07-09 12:38:52,822[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "onbaord-shabA2013 Onboard Provisioning - Aruba" - 14:234:206432156034
2013-07-09 12:38:52,822[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\pelegw:10:mdps_generic in Local:localhost
2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\pelegw:10:mdps_generic in Local:localhost
2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_ldap: searching for user sheba\pelegw:10:mdps_generic in AD:172.21.3.1
*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
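
A small triage script for the log excerpt in the post above, as an added example that is not part of the original thread or of any ClearPass tooling: it pulls each "searching for user" lookup out of the RADIUS log lines and separates the account name from the trailing colon-separated fields, showing that the decorated name reaches both the local database and AD. The function names and the regular expression are assumptions based only on the line format shown in the post.

```python
import re

# Log lines copied from the post above (the lookup lines only).
SAMPLE_LOG = r"""
2013-07-09 12:38:52,822[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\pelegw:10:mdps_generic in Local:localhost
2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_sql: searching for user sheba\pelegw:10:mdps_generic in Local:localhost
2013-07-09 12:38:52,823[Th 1 Req 44 SessId R00000022-01-51dbda2c] INFO RadiusServer.Radius - rlm_ldap: searching for user sheba\pelegw:10:mdps_generic in AD:172.21.3.1
""".strip().splitlines()

# Assumed line shape: "... SessId <id>] ... - rlm_<module>: searching for user <identity> in <source>"
LOOKUP_RE = re.compile(
    r"SessId (?P<session>\S+)\].*? - (?P<module>rlm_\w+): "
    r"searching for user (?P<identity>.+) in (?P<source>\S+)$"
)

def split_identity(identity):
    """Split DOMAIN\\user:field:field into (domain, user, extra_fields)."""
    domain, sep, rest = identity.rpartition("\\")
    user, *extras = rest.split(":")
    return (domain if sep else None), user, extras

def decorated_lookups(lines):
    """Return unique (session, module, source) lookups whose identity carries extra fields."""
    found = {}
    for line in lines:
        m = LOOKUP_RE.search(line)
        if not m:
            continue  # not a lookup line (e.g. Access-Challenge, service categorization)
        domain, user, extras = split_identity(m["identity"])
        if extras:
            key = (m["session"], m["module"], m["source"])
            found[key] = {"domain": domain, "user": user, "extras": extras}
    return found

if __name__ == "__main__":
    for (session, module, source), ident in decorated_lookups(SAMPLE_LOG).items():
        print(f"{session} {module} -> {source}: user={ident['user']!r} "
              f"domain={ident['domain']!r} unexpected suffix={ident['extras']}")
```
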
Guru Elite
Posts: 8,208
Registered: ‎09-08-2010

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

You could try stripping the extra text in the service policy under authentication.

 

[Screenshot: strip un.PNG]


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

Thanks for the info.
So I should write there:

user::

Right? Because I don't need what comes after the :
MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

I want to change this CPPM output:
pelegw:10:mdps_generic
to this:
pelegw
Guru Elite
Posts: 8,208
Registered: ‎09-08-2010

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

That should work. The resulting request would be sheba\pelegw.

 

I would also open a TAC case just to find out why it is making the AD request with that extra information. This does not seem to be normal behavior.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

user:
didn't work - CPPM didn't allow me to save it.
user::
didn't work - CPPM didn't allow me to save it.
user:m
worked.
Now let's test with the client that it's really working and stripping the username in the right way.
MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

It will not work...

because there's no m after the username.

It's a number - a changing number...

Why the hell does the CPPM add it to the username?

[Screenshot: Capture.PNG]

Please advise. (You can see in the above screenshot that without all this add-on it's working great.)

Thanks, me.

MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

Do you think this should do it?
Strip Username Rules: user:1,user:2,user:3,user:4,user:5,user:6,user:7,user:8,user:9

MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

Still doesn't work,

even though I added the following strip rules to the name:

user:1,user:2,user:3,user:4,user:5,user:6,user:7,user:8,user:9

[Screenshot: Capture.PNG]

I still don't understand why ClearPass Onboard is changing the username to:

pelegw:7:mdps_generic

and how to fix it...

Please advise...

After onboarding and checking the profile on the Android device, it seems that Onboard is adding a strange string to the username, which is causing it to fail when trying to connect to the enterprise network...

MVP
Posts: 1,395
Registered: ‎05-28-2008

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

It's like it is sending the unique device name + user prefix as the username to the Wi-Fi network profile that was created after the onboarding process on the Android itself.... Please advise.