onboarded device won't use onboard repository

  • 1.  onboarded device won't use onboard repository

    Posted Mar 27, 2018 03:23 AM

    Hi Guys,

     

    I am doing a POC integration between ClearPass and Linux LDAP.

    Everything works fine with onboarding. Users can onboard fine, but the problem occurs when the user is authenticating using EAP-TLS.

    My service is quite simple: the auth method only allows EAP-TLS and the auth source only allows the Onboard repository. I am expecting that only TLS and onboarded devices can connect to this service.

    But my onboarded device doesn't seem to be able to use this auth source. Access Tracker already shows the users using EAP-TLS but shows the auth source as none.

    CP Onboard works as ROOT. I confirmed that the onboarding was a success, the user cert is already in the Onboard repository, and the user already manually picked the new cert when connecting to the SSID.

     

    the Logs say:

    INFO RadiusServer.Radius - rlm_sql: searching for user testing1 in Local:localhost

    ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting

     

    Any insight into why ClearPass does not use the Onboard repository as the auth source even though that is the only auth source I have?

     



  • 2.  RE: onboarded device won't use onboard repository

    EMPLOYEE
    Posted Mar 27, 2018 09:25 AM
    You should have your identity store as the auth source.


  • 3.  RE: onboarded device won't use onboard repository

    Posted Mar 27, 2018 09:51 AM
    Hi Tim,

    You mean my LDAP server? But hasn't the identity from the LDAP server already been generated as certificates by Onboard and stored in the Onboard repo itself?


  • 4.  RE: onboarded device won't use onboard repository

    EMPLOYEE
    Posted Mar 27, 2018 10:19 AM
    If you don't want to authorize against your identity store, then create an EAP-TLS method with authorization disabled.