I used the solution exchange (beta) tool for Wireless Onboard w/ Single SSID.
I started out simple by using a local account on ClearPass to perform an initial test to see if my config was working. It worked, generating a certificate and all expected database entries.
The issue is that I revoked and deleted the certificates from both ClearPass and the client. I'm intending to repeat the entire onboarding process again with the client, but this time using an Active Directory source.
I can't seem to get the controller to pass the auth request to ClearPass now. The controller seems to be looking for a certificate before starting the authentication routine with ClearPass.
Nothing is seen in the ClearPass access tracker. The client message in Win7 shows a message that a certificate is required, and access is denied.
Is there some cache or setting I need to change in the controller to allow for the same machine to basically start-over in the single SSID Onboard process?
I'm using ClearPass 6.2 and AOS 6.3
The client is still in the user table most likely. From SSH on the controller, do a "show user" and then an "aaa user delete <ip address of client>" and retest.
Thanks Seth for the quick response.
I checked the user table and my client was not listed by IP.
I did find it in the "show aaa device-id-cache", which shows it by MAC address.
However, I can't seem to figure out how to clear that table. Deleting the user by MAC does not work.
I could still change my process and go to a provisioning SSID, instead of the single SSID. If there are bugs in the AOS 6.3 related to single SSID BYOD with ClearPass, then I may need to switch to that immediately.
Deleting the SSID profile worked. Thanks a lot for the info.
Follow up questions:
Whenever a certificate is revoked, deleted or expired, it seems like the user will have to manually delete the SSID profile. Is this a minor nuisance that must be accepted when using a single SSID? (is there any workaround to reduce calls to IT, and make it more user friendly?)
You can set up a role to force a user to re-onboard based on the expiration date of the cert. For example, I have mine based on a 2 week time period.
Dave did a great post on how to set it up.
There are some features in 6.3 that will also help with this.
Hey tarnold. This is good information. So what action are you taking once a client is found that fits into this category? Also, can you elaborate on your statement about the 6.3 features that help out with this? thx
You can do one of two things:
1. You can use the new feature in 6.3 that will send an email to the user that their cert is about to expire.
2. You can use the same as above plus the new feature so it will notify the user at a certain time and, if they don't change the cert, it will push them to the portal.
(Per the .1x standard we are not allowed to allow a device to connect with an expired cert, so this is a way to help prevent the user from just getting kicked off the network and not knowing why.)
So for example, in my lab I have my certs expire every 60 days:
1. Two weeks before my cert expires I will get an email each night telling me to get a new cert.
2. If I don't or forget, then starting 1 week before the expiration I will get automatically sent to the provisioning page with the query in Dave's post.
That looks like a great idea. And when you say reprovision, I assume it sends them to the same onboarding page that was used when they initially onboarded? And that will detect that they already have a cert and just renew the existing cert? I don't have a test 6.3 controller to test this, but in the user guide I'm not seeing where to configure the feature we're discussing. Thanks for the time.