Occasional Contributor I

Re: iOS OnBoarding issue

Hello,

 

Did not help. We tried a new iPhone 4 and a new user; please see the logs it generates in the attachment.

After successfully installing the root cert and profile and switching to the 802.1X SSID, it shows the same "cannot join" error.

It's using the EAP-TLS method but not matching any authentication sources. In Onboard devices we see a new entry: "<username>:33:mdps_generic"

Guru Elite

Re: iOS OnBoarding issue

You should probably open a TAC case.  It is not obvious to me why this is happening.  TLS Certificates in the Onboard Repository should just have a username and not mdps_generic... unless I am wrong...

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Frequent Contributor I

Re: iOS OnBoarding issue

iOS devices will use EAP-TLS and the CN on the cert will be their username.  Other devices will use EAP-PEAP and their unique credentials will be username:somenumber:mdps_generic.  I have noticed that in ClearPass 6.1.0, iOS devices will show up in the OnBoard Devices identity store with username:somenumber:mdps_generic as their device name - this was not the case in earlier versions of ClearPass.  

 

In your 802.1X service, you should be using the EAP-TLS with OCSP auth method rather than the EAP-TLS method.  In the EAP-TLS with OCSP auth method, make sure the OCSP responder URL is correct and matches that of the CA you are using for Onboarding (you may have to create a copy and modify it).  Also, try unchecking "Authorization Required" in the EAP-TLS with OCSP auth method.

 

Occasional Contributor I

Re: iOS OnBoarding issue

cjoseph: thanks for your comments, I will create the TAC case if there won't be a solution through this board :)

 

xdrewpjx: Thanks for your suggestion and information regarding the iOS login process. I modified the service as you suggested, now using "copy of EAP-TLS with OCSP enabled" (without authorization). Method order is:

1. Copy_of_[EAP TLS With OCSP Enabled]
2. [EAP PEAP]
3. [EAP FAST]
4. [EAP TTLS]

 

I added the OCSP to the provisioning settings; the CA is the Onboard itself, so the default link should be fine. I cannot test it today as I need someone with an iOS device to test it. I'll ask someone to test tomorrow.

 

Could you please clarify, should the [Onboard Devices Repository] be the only authentication source in my 802.1x service?

 

Thanks!

Frequent Contributor I

Re: iOS OnBoarding issue

Yes, if you uncheck "authorization required" in the EAP-TLS auth method, you can use only the OnBoard Devices Repository as an Authentication Source.  Attached is a screenshot of my lab setup. 

Occasional Contributor I

Re: iOS OnBoarding issue

Ah thanks, it seems you have lots more going on in there than I do. In my lab I merely have the basic service and nothing fancy. The enforcement policy just sends out the RADIUS accept and role "BYOD" which is "allowall" on the WLC. You can check my service out from the attachment.

Occasional Contributor I

Re: iOS OnBoarding issue

xdrewpjx: very big thanks for your advice, it was absolutely the solution. 

Trusted Contributor I

Re: iOS OnBoarding issue

I've run into the same issue of "[Onboard Devices Repository] - localhost: User not found." My authentication source included the Onboard repository and the EAP-TLS method had authorization disabled.

I opened a TAC case and their solution was to remove the enforcement policy condition I created that included the Onboard Devices Repository as the authentication source. Their explanation was that for EAP-TLS authentication, an authentication source is not needed since the certificate is validated and revocation status is checked.

I verified that revoking my certificate resulted in an authentication failure. For grins, I disabled my iPad in the Onboard repository, but the iPad still authenticated. This makes sense now given the Onboard repository isn't being checked during authentication.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Contributor II

Re: iOS OnBoarding issue

Having basically the same issue; now CPPM is asking for a password to access the network. This happens before the iOS device starts Onboarding.

Guru Elite

Re: iOS OnBoarding issue

james.king,

 

The last post in this thread was from 2013.  Do you want to state your issue in detail so everyone knows what you are talking about?
