Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[onboard device repository] is NOT chosen as authentication source after onboarding window PC

  • 1.  [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 01:23 PM

    I'm testing CPPM 6.5 onboarding with the provided templates (3 services).

    Android and iOS worked fine using EAP-TLS.

    But the Windows machine failed the second RADIUS authentication after provisioning. QuickConnect uses PEAP and MSCHAPv2 for Windows, and CPPM didn't choose [onboard device repository] as the authentication source although it has been configured in the service. Instead, it uses the AD with the unique credential, 'username:26:OnboardDevice' as full username in my case, and it fails...

    RADIUS returns Err 216.

    RADIUSMSCHAP: AD status:Logon failure (0xc000006d)
    MSCHAP: AD status:Logon failure (0xc000006d)
    MSCHAP: Authentication failed
    EAP-MSCHAPv2: User authentication failure

    On the Onboard side, I've seen that the device has been onboarded and the cert has been issued.

    Has anyone had a similar problem and know how to solve this?



  • 2.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 01:28 PM
    What version of Windows? It looks like you're using the unique credential option which is PEAP. 


    Thanks, 
    Tim


  • 3.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 01:37 PM

    Windows 7 Service Pack 1

    It's recognized correctly on the Onboard side.

    But it shows

    Radius:Aruba:Aruba-Device-Type = Win XP

    on the Policy Manager side.



  • 4.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 01:58 PM

    I think the unique credential option (PEAP for Windows) is the default configuration.

    When I changed it to TLS, it works fine, because it always hits the first enforcement condition, which just checks the authentication method.

    Below is my 802.1X service configuration, which is pretty much the default.

    [image: dot1x service.JPG]

    [image: enforcement.JPG]

    Anyway, PEAP should work as well...



  • 5.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 02:14 PM

    Can you post a screenshot of the access tracker request tabs?



  • 6.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 02:21 PM

    [image: AT request.JPG]

    [image: AT-1.JPG]



  • 7.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC
    Best Answer

    EMPLOYEE
    Posted Oct 08, 2015 02:23 PM
    Try removing the strip username rules from the authentication tab and see if
    it works. Onboard unique credentials are not designed to have a UPN. If that
    ends up working, you'll have to tweak your SQL queries.


  • 8.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC
    Best Answer

    EMPLOYEE
    Posted Oct 08, 2015 02:36 PM

    Yep! It works without the strip username rules.

    It's just a testing environment, but it's good to know the trick.

    Would this be improved in a future release?

    Anyway, thank you Tim for your help and quick response!!



  • 9.  RE: [onboard device repository] is NOT chosen as authentication source after onboarding window PC

    EMPLOYEE
    Posted Oct 08, 2015 02:39 PM
    Unique PEAP credentials generally aren't used anymore. If you want to use them, you'll need to modify the SQL query on onboard device repository to use Full-Username instead of Username. 


    Thanks, 
    Tim
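The two fixes given in replies 7 and 9 (drop the strip-username rules, or have the [Onboard Device Repository] filter match on Full-Username instead of Username) can be modelled with a small simulation. This is an added example, not ClearPass code or anything from the thread: the in-memory table, its column names, the sample rows and the UPN strip rule (drop everything from the first '@') are all assumptions; only the `<user>:<device-id>:OnboardDevice` credential format comes from the post.

```python
import sqlite3

# Constructed Onboard unique credentials in the <user>:<device-id>:OnboardDevice
# form quoted in the thread. Rows and column names are assumptions.
DEVICES = [
    (26, "alice@corp.example:26:OnboardDevice"),  # user with a UPN-style name
    (27, "bob:27:OnboardDevice"),                  # plain sAMAccountName
]
ONBOARD_SUFFIX = ":OnboardDevice"


def strip_realm(full_username: str) -> str:
    """Assumed strip-username rule: keep only what precedes the first '@'.

    Applied to a unique credential that carries a UPN, this also discards the
    ':<id>:OnboardDevice' suffix, so the resulting Username is no longer an
    Onboard credential at all.
    """
    return full_username.split("@", 1)[0]


def is_onboard_credential(name: str) -> bool:
    """True when the name still has the unique-credential suffix."""
    return name.endswith(ONBOARD_SUFFIX) and name.count(":") >= 2


def open_repository() -> sqlite3.Connection:
    """In-memory stand-in for the [Onboard Device Repository] table (assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE onboard_device (id INTEGER, username TEXT)")
    db.executemany("INSERT INTO onboard_device VALUES (?, ?)", DEVICES)
    return db


def choose_source(db: sqlite3.Connection, full_username: str,
                  use_full_username: bool) -> str:
    """Return the source the service ends up authenticating against.

    The repository filter is matched on Full-Username (pre-strip) or on the
    stripped Username, depending on how the SQL filter is written. No row
    means the service falls through to the next source, Active Directory.
    """
    key = full_username if use_full_username else strip_realm(full_username)
    row = db.execute("SELECT id FROM onboard_device WHERE username = ?",
                     (key,)).fetchone()
    return "[Onboard Device Repository]" if row else "Active Directory"
```

With `use_full_username=False` the UPN-style credential is stripped to `alice` and the lookup falls through to AD, which is the logon failure the original post shows; with the filter on Full-Username (or no strip rule) the Onboard row is found.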