I am getting an error while authenticating on Windows 7:
Access Tracker says:
EAP-PEAP: fatal alert by client - unknown_ca
This means that I need to have a certificate on ClearPass that is recognised?
Also I need to know how to create a basic policy to say that if the device is an iPhone it only goes to a guest role (for example HTTP, HTTPS) that is already created on the Aruba controller side.
Could you help?
Make sure you upload the entire certificate trust chain (intermediate and Root CA certificates).
This can be a certificate error on the client. The SSID profile is probably not set to trust the correct certificate.
In the SSID profile on your Windows machine make sure that the Root CA you are using for your ClearPass is checked as the trusted CA.
Also, depending on what cert you are using for your ClearPass (the Apache server), if it is a commercial cert make sure that the entire trust chain is visible under ClearPass > Configuration > Certificates > Server Certificate.
Check this post. tarnold gave a really nice screenshot of what your server certificate should look like when using a commercial CA.
Was this device connected using the Onboard process? Or did you manually set up an SSID profile on your Windows machine?
As for your Apple device, you can accomplish this by using your Role Mappings. Then with your Enforcement Profile you can evaluate the TIPS role and if the TIPS role is equal to [Onboard iOS] then place it into your Guest Role and VLAN. I think there is a screenshot of this in one of your previous posts.
I followed the guide for integrating Aruba wireless with ClearPass (splendid, by the way).
I assume that the certificate was generated by ClearPass itself.
Do I need to have a commercial one?
Alternatively, could I change ClearPass 802.1X to not ask for a certificate?
Regarding iPhones and Android, is there any info on how to implement roles on them? (A corporate user connects to the WLAN and, because the device is identified as an iPhone, goes to a guest role...)
Regards and thanks guys ;)
You need to have a commercial CA for ClearPass to correctly Onboard Apple devices when using HTTPS.
If you do not have a commercial CA the Onboarding of Apple devices will fail.
On Windows and Android you don't have to worry about what certificate you use.
This is the certificate for the ClearPass (Apache server) itself by the way. Not the certificate for the Onboard.
I am not sure if there is a guide that takes it step by step.
A simple explanation would be:
You can make your Role Mapping rules do just about anything. For instance, for Blackberry devices, we created a rule that checks the device from the Endpoint profiles and if the 'OS Family' = 'Blackberry' then we assign it a TIPS role of 'Blackberry' (for instance).
I believe some of the default template services might give you a good visual representation of what you have to do as well.
Hopefully this helps a little though.
If you are only doing 802.1X PEAP authentication, not onboarding, and want to use the built-in certificate, you would need to disable server certificate validation in the supplicant settings on each client. (None of this is recommended, by the way.)
You could also export the certificate from the CPPM and install it on all your domain machines.
We had experimented with this initially before we received our commercial CA and it worked well (under Windows).
But as cappalli suggested if you already have a private CA that is trusted use it!
Imported SSL certificates from the AD.
Does another way exist to bypass the server certificate validation in the supplicant settings, perhaps with another 802.1X auth method?
My scheme: supplicant -> controller -> CPPM (termination) -> AD
Or a script to configure the Windows supplicant?
No, I don't have machines in the domain because they are not corporate computers.
I found a solution: if I configure the RADIUS termination on my controller (as below) and I configure an MSCHAP auth method in the ClearPass service (as below).
And now the machines have only one warning message about securelogin.arubanetworks.com, and after that they can connect.
You should use MS-CHAPv2.
Using the default controller certificate is not best practice.
I don't have MSCHAP-V2 in the auth method list, I only have EAP-MSCHAPV2, and when I test with it, it doesn't work; I get an alert message in Access Tracker: