Security

Hi,
Is anyone seeing issue with pixel-4 / Android 11 and  Clearpass guest

cppm 6.10.1
Aruba Instant 8.9

Certificates generated using LetsEncrypt

At the end of my list of services I have a catch all one that sends an Access-Reject

been running a guest service for months just fine, just registered my iphone on it and  works just fine, other users not had an issue. Guest  service generated via cppm template

When pixel/A11 users click on the login button, they just keep looping round to the login page.

Looking at the logs, I can see the pixel mac address in Access-Tracker, but whatever it does it ends up in my catchall service at the bottom and not hitting either the mac auth service or the mac auth with caching service even though it looks as if  all the selection criteria for those services are correct.

As I said, iPhone works just fine, 2 pixel-4/A11 clients ... do the same thing.

Might it be something to do with the A11 not recognising the CA of the login page ?

A

------------------------------
Alex Sharaz
------------------------------

Could you share the screenshot of the MAC Auth as well as Caching service conditions along with the Dashboard details of the failed request from Pixel?
Also, irrespective of the MAC auth status, if the user is able to get onto the login page, do you see a request on Access Tracker with the username used to log in over the page? If not then the client is having issues in submitting the credentials to the Wireless Controller ( If the POST fails, you will not see user request on Access Tracker ).
Also, do you get a pop-up window while connecting to the SSID during the portal redirection or are you manually navigating to a website to get redirected?

------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP | Aruba Software
------------------------------

Original Message:
Sent: Sep 14, 2021 04:27 PM
From: Alex Sharaz
Subject: Issue with pixel-4,Android 11 and clearpass guest

Hi,
Is anyone seeing issue with pixel-4 / Android 11 and  Clearpass guest

cppm 6.10.1
Aruba Instant 8.9

Certificates generated using LetsEncrypt

At the end of my list of services I have a catch all one that sends an Access-Reject

been running a guest service for months just fine, just registered my iphone on it and  works just fine, other users not had an issue. Guest  service generated via cppm template

When pixel/A11 users click on the login button, they just keep looping round to the login page.

Looking at the logs, I can see the pixel mac address in Access-Tracker, but whatever it does it ends up in my catchall service at the bottom and not hitting either the mac auth service or the mac auth with caching service even though it looks as if  all the selection criteria for those services are correct.

As I said, iPhone works just fine, 2 pixel-4/A11 clients ... do the same thing.

Might it be something to do with the A11 not recognising the CA of the login page ?

A

------------------------------
Alex Sharaz
------------------------------

Keep in mind that after clicking logon it is your controller/instant cluster's certificate that is checked, not the clearpass cert.
That said, this doesn't seem to be your problem.

If a client does nto match the any service you want to make sure it does.. Usually the simplest of things to fix.
Compare what you see for the clients failed request to the service you expect the client to use. The difference between those 2 should give you plenty info.

If you have configured WPA3 enhanced open, your android might be using it. Enhanced open uses a different SSID from normal open, so if you use the aruba-essid condition you might need to add the enhanced open aruba-essid.

------------------------------
Koen V
------------------------------

Original Message:
Sent: Sep 14, 2021 04:27 PM
From: Alex Sharaz
Subject: Issue with pixel-4,Android 11 and clearpass guest

Hi,
Is anyone seeing issue with pixel-4 / Android 11 and  Clearpass guest

cppm 6.10.1
Aruba Instant 8.9

Certificates generated using LetsEncrypt

At the end of my list of services I have a catch all one that sends an Access-Reject

been running a guest service for months just fine, just registered my iphone on it and  works just fine, other users not had an issue. Guest  service generated via cppm template

When pixel/A11 users click on the login button, they just keep looping round to the login page.

Looking at the logs, I can see the pixel mac address in Access-Tracker, but whatever it does it ends up in my catchall service at the bottom and not hitting either the mac auth service or the mac auth with caching service even though it looks as if  all the selection criteria for those services are correct.

As I said, iPhone works just fine, 2 pixel-4/A11 clients ... do the same thing.

Might it be something to do with the A11 not recognising the CA of the login page ?

A

------------------------------
Alex Sharaz
------------------------------