Regular Contributor I

onboarded device won't use onboard repository

Hi guys,

I am doing a POC integration between ClearPass and Linux LDAP.

Everything works fine with onboarding. Users can onboard fine, but the problem occurs when the user is authenticating using EAP-TLS.

My service is quite simple: the auth method only allows EAP-TLS and the auth source only allows the Onboard repository. I am expecting that only TLS and onboarded devices can connect to this service.

But my onboarded device doesn't seem to be able to use this auth source. Access Tracker already shows the users using EAP-TLS but shows the auth source as none.

CP Onboard works as ROOT. I confirmed that the onboarding was a success, the user cert is already in the Onboard repository, and the user already manually picked the new cert when connecting to the SSID.

The logs say:

INFO RadiusServer.Radius - rlm_sql: searching for user testing1 in Local:localhost

ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting

 

Any insight why ClearPass does not use the Onboard repository as the auth source even though that is the only auth source I have?

 

Ricky E. Lee
CWNA | ACMP | ACCP
Guru Elite

Re: onboarded device won't use onboard repository

You should have your identity store as the auth source.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: onboarded device won't use onboard repository

Hi Tim,

You mean my LDAP server? But hasn't the identity from the LDAP server already been generated as certificates by Onboard and stored in the Onboard repo itself?

Ricky E. Lee
CWNA | ACMP | ACCP
Guru Elite

Re: onboarded device won't use onboard repository

If you don't want to authorize against your identity store, then create an EAP-TLS method with authorization disabled.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480