Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Mobile Iron - Auth IOS and Android with certs

  • 1.  Mobile Iron - Auth IOS and Android with certs

    Posted Jul 29, 2015 04:55 PM

    Anyone have any success with authenticating handhelds via a cert-based SSID in conjunction with MobileIron?  I don't want users to enter any AD creds.  MobileIron is pushing out a cert to the end devices.  Trusted CA cert from MobileIron has been uploaded to the controller.  Need to configure the SSID and authentication correctly to allow devices on the network.  Very simple...if you have the cert, you're on.  No AD in the picture.

    Have Clearpass, but would rather avoid that for now and do all of this through the controller. 



  • 2.  RE: Mobile Iron - Auth IOS and Android with certs

    EMPLOYEE
    Posted Jul 29, 2015 05:03 PM
    You would just need to upload the CA cert to the controller and enable termination.

    ClearPass would be the better solution though.


    Thanks,
    Tim


  • 3.  RE: Mobile Iron - Auth IOS and Android with certs

    Posted Jul 29, 2015 05:15 PM

    Hi Tim. Thanks for the quick reply.

    Already uploaded the CA cert to the controller and enabled termination prior to the post; both are unsuccessful. Ironically, TAC told me to disable termination.  Here is a screen shot of my 802.1x Auth profile where I'm referencing the CA Cert that I uploaded:

    [Screenshot: dot1x.JPG]

    Clearpass is at the top of my Enemy list right now, so it would be a last resort.  Don't want to take the next 2 months figuring out how to marry it and our Mobile Iron box. :-)



  • 4.  RE: Mobile Iron - Auth IOS and Android with certs

    EMPLOYEE
    Posted Jul 29, 2015 05:20 PM
    Try issuing the controller a server cert from the same CA and selecting it on that screen. Also, try enabling debugging on a user and looking at the auth-tracebuf and user logs.


    Thanks,
    Tim


  • 5.  RE: Mobile Iron - Auth IOS and Android with certs

    Posted Jul 29, 2015 05:59 PM

    No dice buddy.  Tried a Server Cert and a CA Cert with termination and we have no love. 



  • 6.  RE: Mobile Iron - Auth IOS and Android with certs

    EMPLOYEE
    Posted Jul 29, 2015 06:00 PM
    What do the logs show?


  • 7.  RE: Mobile Iron - Auth IOS and Android with certs

    Posted Jul 30, 2015 03:48 PM

    Auth-trace buff shows this:

    [Screenshot: auth-trace buff.JPG]

    It tries this a few times, hangs, and then the phone says it's unable to connect.  Have a call with TAC in a minute, so we'll see what they say. 



  • 8.  RE: Mobile Iron - Auth IOS and Android with certs
    Best Answer

    Posted Jul 30, 2015 05:53 PM

    Found the issue before speaking with TAC.  Our Mobile Iron sits in a DMZ with a non-10.x.x.x address like the rest of our environment.  Had to enter a route on the controller for that DMZ network.  For everyone who is trying to authenticate with a cert only, here are the settings that worked:

    1. Upload the Trusted CA cert and a Server CRT to the controller.  In my case, I had a Mobile Iron Trusted CA cert, as well as a wildcard cert that encompassed all servers in our domain, i.e. *.mydomain.com.

    2. Create a role for AAA to use to allow/deny access and apply policies. For our requirements I created a policy blocking access to all internal resources, with the exception of ClearPass IPs, DCs for DHCP and DNS, and the MobileIron IP.

    3. Created an L2 802.1x auth profile.  In the Advanced Tab I selected "termination" and "eap-tls". No inner-EAP type was selected because we're authenticating with a cert only.  Further down I selected the Mobile Iron CA-Cert from the drop-down, then the company Wild Card cert for Server-Cert.

    4. Created an AAA profile and added the role created in Step 2 to the Initial Role and the 802.1x Authentication Default Role.  I also added the 802.1x Authentication profile created in Step 3.

    5. Created a new VLAN and L3 address for the Mobile Wi-Fi SSID.

    6. Created a Virtual AP with the new VLAN and AAA Profile.  Created a new SSID profile using WPA2-AES as the encryption type.

    7. Added the Virtual AP to the remaining AP Groups in the building.

    Hope this helps someone out there who is trying to do the same. Thanks for the guidance Tim!
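As an added example (not the poster's or HPE Aruba's own configuration), the seven GUI steps above, the DMZ route that turned out to be the root cause, and the trace commands Tim suggested in post 4 are written out below as an ArubaOS 6.x-style CLI fragment. Profile and certificate names, the VLAN number, every IP address and the `building-a` AP group are constructed for illustration; the exact keywords (for example `session-acl` inside a user role) are an assumption to be checked against the controller's running release, and the `!` lines are annotations rather than commands.

```text
! ---- Step 2: session ACL and role, used as both the initial role and
! ---- the 802.1X default role. Only DHCP, DNS to the DCs, ClearPass and
! ---- the MobileIron server are reachable; the rest of 10/8 is blocked.
ip access-list session mobileiron-restricted
  any any svc-dhcp permit
  any host 10.1.1.10 svc-dns permit
  any host 10.1.1.11 svc-dns permit
  any host 10.1.1.20 svc-https permit
  any host 172.16.50.5 svc-https permit
  any network 10.0.0.0 255.0.0.0 any deny
  any any any permit
!
user-role mobileiron-restricted
  session-acl mobileiron-restricted
!
! ---- Step 3: 802.1X profile terminating EAP-TLS on the controller.
! ---- No inner EAP type; the client certificate is the only credential.
! ---- Certificate names are the names given when they were uploaded (step 1).
aaa authentication dot1x "mobileiron-dot1x"
  termination enable
  termination eap-type eap-tls
  ca-cert "MobileIron-CA"
  server-cert "wildcard-mydomain"
!
! ---- Step 4: AAA profile tying the role and the 802.1X profile together.
aaa profile "mobileiron-aaa"
  initial-role "mobileiron-restricted"
  authentication-dot1x "mobileiron-dot1x"
  dot1x-default-role "mobileiron-restricted"
!
! ---- Step 5: VLAN with an L3 address for the SSID.
vlan 150
interface vlan 150
  ip address 10.150.0.1 255.255.255.0
!
! ---- Step 6: SSID profile (WPA2-AES) and virtual AP.
wlan ssid-profile "mobileiron-ssid"
  essid "Mobile-WiFi"
  opmode wpa2-aes
!
wlan virtual-ap "mobileiron-vap"
  ssid-profile "mobileiron-ssid"
  aaa-profile "mobileiron-aaa"
  vlan 150
!
! ---- Step 7: apply the virtual AP to each AP group in the building.
ap-group "building-a"
  virtual-ap "mobileiron-vap"
!
! ---- Root cause from post 8: the controller needs a route to the DMZ
! ---- subnet where MobileIron lives (next hop is constructed).
ip route 172.16.50.0 255.255.255.0 10.1.0.1
!
! ---- Verification, per post 4 (enable mode):
!   show auth-tracebuf
!   show log user 50
!   show user-table
```

Two checks are worth doing once this is in place. First, the MobileIron-pushed Wi-Fi profile must trust the CA that issued the server certificate selected under `server-cert`, otherwise iOS and Android will stop at a trust prompt even though the client certificate itself is valid. Second, because the certificate is the only credential, any certificate issued by the trusted CA admits a device into the restricted role, so revoking certificates for lost or retired handsets, and confirming how the controller checks revocation for terminated EAP-TLS, matters more here than on an SSID that also asks for AD credentials.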