last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

iOS OnBoarding issue

Jump to Best Answer
  • 1.  iOS OnBoarding issue

    Posted Apr 23, 2013 06:40 AM



    I've been trying to search the boards for resolution but without luck.


    I have two SSIDs, one for onboarding and one for actual 802.1x. Android and Windows devices are onboarding just fine and automatically connecting to the 802.1x SSID. My issue is that iPad 2 (using the same service for 802.1x) downloads, installs, etc. the cert correctly but when connecting to the 802.1x SSID it says "can not join network".  When I check the access tracker it states that the device is trying to log in using <username> and not the <username:seq:mdps_generic> which is listed in the OnBoard Devices repository.


    The certificate is 2048b and generated in OnBoard. ClearPass is 6.0.2 and Aruba WLC 6.1.


    Any ideas how to get the iOS onboard working as smoothly as the other platforms? Any advice greatly appreciated, thanks!

  • 2.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 07:41 AM

    Make sure you have EAP-TLS configured as an authentication type in the service.


    <username> means that the IOS device is using TLS.  <username:seq:mdps_generic> means that you are using EAP-PEAP.

  • 3.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 07:50 AM
      |   view attached



    Thanks for the prompt reply!


    Please see the attached image from access tracker. In the matching service "BYOD 802.1x test" I have methods:

    1. [EAP PEAP]
    2. [EAP FAST]
    3. [EAP TLS]
    4. [EAP TTLS]


    Should the iPad be using the <username:seq:mdps_generic> from Onboard devices repository? In my BYOD 802.1x test service I have only [Onboard Devices Repository] and nothing more as Authentication Sources.

  • 4.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 07:52 AM

    What does it say under the Alert Tab?


  • 5.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 07:58 AM
    Error Code:
    Error Category:
    Authentication failure
    Error Message:
    User not found
     Alerts for this Request  
    RADIUS[Onboard Devices Repository] - localhost: User not found.
    EAP-TLS: Authentication failure, unknown user

  • 6.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:00 AM

    Is there anything in the onboard device repository?


  • 7.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:05 AM
      |   view attached



    Yes, please see the attachment. In OnBoard the device has also a valid certificate:

    Issued to: test-ipad

    Issued by: ClearPass Onboard Local Certificate Authority (Signing)

  • 8.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:07 AM

    I would delete that and re-onboard your ipad.


    That is a PEAP credential, not a TLS credential.


  • 9.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:13 AM
      |   view attached



    Thanks for the advices, I already tried to reprovision the device and it did not help. Same issue also with iPhone 3. 


    See the attachment of OnBoard network settings. On the authentication tab I have "certificate" selected for iOS and OS X 10.7

  • 10.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:17 AM

    I would delete the existing certificates that correspond to the Ipad and reprovision.


  • 11.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:29 AM
      |   view attached



    Did not help. We tried to use new iphone 4 and new user, please see the logs what it generates in attachment.


    After successfully installing the root cert and  profile and switching to the 802.1x SSID, it says the same can not join -error. 


    Its using method EAP-TLS but not matching any authentication sources. In Onboard devices we see new entry: "<username>:33:mdps_generic"

  • 12.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 09:21 AM

    You should probably open a TAC case.  It is not obvious to me why this is happening.  TLS Certificates in the Onboard Repository should just have a username and not mdps_generic... unless I am wrong...

  • 13.  RE: iOS OnBoarding issue
    Best Answer

    Posted Apr 23, 2013 02:39 PM

    iOS devices will use EAP-TLS and the CN on the cert will be their username.  Other devices will use EAP-PEAP and their unique credentials will be username:somenumber:mdps_generic.  I have noticed that in ClearPass 6.1.0, iOS devices will show up in the OnBoard Devices identity store with username:somenumber:mdps_generic as their device name - this was not the case in earlier versions of ClearPass.  


    In your 802.1X service, you should be using the EAP-TLS with OCSP auth method rather than the EAP-TLS method.  In the EAP-TLS with OCSP auth method, make sure the OCSP responder URL is correct and matches that of the CA you are using for Onboarding (you may have to create a copy and modify it).  Also, try unchecking "Authorization Required" in the EAP-TLS with OCSP auth method.


  • 14.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 03:04 PM

    cjoseph: thanks for your comments, I will create the TAC case if there wont be a solution through this board :)


    xdrewpjx: Thanks for your suggestion and information regarding the iOS login process. I modified the service as you suggested, now using "copy of EAP-TLS with OCSP enabled" (without authorization). Method order is:

    1. Copy_of_[EAP TLS With OCSP Enabled]
    2. [EAP PEAP]
    3. [EAP FAST]
    4. [EAP TTLS]


    I added the OCSP to the provisioning settings, the CA is the OnBoard itself so the default link should be fine. I can not test it today as I need someone with an iOS device to test it. Ill ask someone to test tomorrow.


    Could you please clarify, should the [Onboard Devices Repository] be the only authentication source in my 802.1x service?



  • 15.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 03:16 PM
      |   view attached

    Yes, if you uncheck "authorization required" in the EAP-TLS auth method, you can use only the OnBoard Devices Repository as an Authentication Source.  Attached is a screenshot of my lab setup. 

  • 16.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 03:38 PM
      |   view attached

    Ah thanks, it seems you have lots more going on in there than I do. In my lab I merely have the basic service and nothing fancy. The enforcement policy just sends out the RADIUS accept and role "BYOD" which is "allowall" on the WLC. You can check my service out from the attachment.

  • 17.  RE: iOS OnBoarding issue

    Posted Apr 24, 2013 02:58 AM

    xdrewpjx: very big thanks for your advice, it was absolutely the solution. 

  • 18.  RE: iOS OnBoarding issue

    Posted Sep 27, 2013 03:02 PM

    I've run nto the same issue of "[Onboard Devices Repository] - localhost: User not found."  My authentication source included the onboard respository and EAP-TLS method had authorization disabled.


    I opened a TAC case and their solution was to remove the enforcement policy condition I created that included onboard device respository as the authentication source.  Their explanation was that for EAP-TLS authentication, an authentication source is not needed since the certificate is validated and revocation status is checked.


    I verified that revoking my certfiicate resulted in an authentication failure.  For grins, I disabled the my iPad in the onboard respository, but the iPad still authenticated.  This makes sense now given the onboard repositiory isn't being checked during authentication.

  • 19.  RE: iOS OnBoarding issue

    Posted May 20, 2016 04:15 PM

    Having basically the same issue, now CPPM is asking for password to access network.  This happens before IOS device starts Onboarding.

  • 20.  RE: iOS OnBoarding issue

    Posted May 20, 2016 10:28 PM



    The last post in this thread was from 2013.  Do you want to state your issue in detail so everyone knows what you are talking about?