Aruba Employee
Posts: 5
Registered: ‎10-08-2015

[onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

I'm testing CPPM 6.5 onboarding with the provided templates (3 services).

Android and iOS worked fine using EAP-TLS.

But the Windows machine failed the second RADIUS authentication after provisioning. QuickConnect uses PEAP and MSCHAPv2 for Windows, and CPPM didn't choose [onboard device repository] as the authentication source although it has been configured in the service. Instead, it uses the AD with the unique credential, 'username:26:OnboardDevice' as the full username in my case, and it fails...

RADIUS returns Err 216.

RADIUSMSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: AD status:Logon failure (0xc000006d)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure

On the Onboard side, I've seen that the device has been onboarded and the cert has been issued.

Does anyone have a similar problem and know how to solve this?

Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

What version of Windows? It looks like you're using the unique credential option which is PEAP. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 5
Registered: ‎10-08-2015

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

Windows 7 Service Pack 1

It's recognized correctly on the Onboard side.

But it shows

Radius:Aruba:Aruba-Device-Type = Win XP

on the Policy Manager side.

Aruba Employee
Posts: 5
Registered: ‎10-08-2015

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

I think the unique credential option (PEAP) for Windows is the default configuration.

When I changed it to TLS, it works fine, because it always hits the first enforcement condition, which just checks the authentication method.

Below is my 802.1X service configuration, which is pretty much the default.

dot1x service.JPG

enforcement.JPG

Anyway, PEAP should work as well...

Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

Can you post a screenshot of the access tracker request tabs?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 5
Registered: ‎10-08-2015

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

AT request.JPG

 

AT-1.JPG

Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

Try removing the strip username rules from the authentication tab and see if
it works. Onboard unique credentials are not designed to have a UPN. If that
ends up working, you'll have to tweak your SQL queries.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 5
Registered: ‎10-08-2015

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

Yep! It works without the strip username rules.

It's just a testing environment, but it's good to know the trick.

Would this be improved in a future release?

Anyway, thank you Tim for your help and quick response!!


Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: [onboard device repository] is NOT chosen as authentication source after onboarding Windows PC

Unique PEAP credentials generally aren't used anymore. If you want to use them, you'll need to modify the SQL query on the onboard device repository to use Full-Username instead of Username.


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP