Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Issues with Onboarding TLS devices

  • 1.  Issues with Onboarding TLS devices

    Posted Dec 01, 2013 11:23 PM

    Hi All,

    I have a CPPM 6.2 installation currently working nicely just doing 802.1x with PEAP-MSCHAPv2 authentication against AD.

    The server has a public certificate installed for terminating the RADIUS (Entrust).

    I'd like to try and get a small group of devices onboarded and I think I've got the setup fairly close to right. I am using a self-signed internal CA and have set up the provisioning profiles to connect using TLS.

    The issue I'm having is when I try and onboard a Windows device: it successfully onboards, however when it switches over to the TLS authentication afterwards, it fails to log on with the following error in the Access Tracker. Anybody got any ideas where to start here?

    My assumption is that the TLS authentication should be checked against the Onboard repository and not the AD server?

    RADIUS

    [Onboard Devices Repository] - localhost: User not found. EAP-TLS:  fatal alert by client -  access_denied



  • 2.  RE: Issues with Onboarding TLS devices

    Posted Dec 01, 2013 11:25 PM

    Further to that, if I turn off certificate validation on the client it appears to work OK.

    I am using the auto trust settings in the wireless profile on the Onboard configuration.



  • 3.  RE: Issues with Onboarding TLS devices

    Posted Dec 01, 2013 11:29 PM

    RADIUS

    [Onboard Devices Repository] - localhost: User not found. EAP-TLS:  fatal alert by client -  access_denied

    The section that says "fatal alert by client" means the client doesn't trust the server. Make sure you combine the Root/Intermediate/server cert.

    If you need to, add them to the trusted server list in the network settings.



  • 4.  RE: Issues with Onboarding TLS devices
    Best Answer

    Posted Dec 01, 2013 11:43 PM

    Here is an example of my cert.

    [Attachment: screenshot_04 Dec. 01 22.22.gif]

    And if you want to push out the root separately then you can add it to the network settings. In my example I have a GoDaddy UCC cert that is signed by Starfield and I'm pushing the root cert to the client.

    [Attachment: screenshot_05 Dec. 01 22.30.gif]



  • 5.  RE: Issues with Onboarding TLS devices

    Posted Dec 01, 2013 11:50 PM

    Thanks Troy, you've saved me again!

    I added the server name and root CAs manually into the trust settings and it works a treat!

    Any idea why the auto trust doesn't do this for you?

    Scott



  • 6.  RE: Issues with Onboarding TLS devices

    Posted Dec 01, 2013 11:53 PM

    It comes down to how you import the cert. If you import just the cert, or if the chain isn't put into the cert correctly, then you will run into that issue.

    When you use the auto select it pulls the cert from the CPPM cert.
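The answers above (posts 3, 4 and 6) come down to one check: the RADIUS server certificate imported into CPPM must carry its intermediate(s) so that a client trusting only the root can build a path to it. The script below is an added example, not from this thread and not ClearPass or Aruba code. It uses openssl to build a constructed Root -> Intermediate -> Server chain, then models the supplicant that trusts only the root: when the server presents only its own certificate the verification fails (the condition behind "fatal alert by client"), and when it presents the combined server+intermediate bundle it passes. The names (Demo Root CA, Demo Intermediate CA, radius.example.test) and all file names are made up for the demo; the same `count_certs` and `client_trusts` checks can be pointed at a real exported bundle before it is imported into CPPM.

```shell
#!/bin/sh
# Added example, not from the thread or from ClearPass: reproduce the "client does
# not trust the server" failure with a constructed Root -> Intermediate -> Server
# chain and show that the combined server+intermediate bundle fixes it.
# Every name here (Demo Root CA, radius.example.test, ...) is made up for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the toy PKI: self-signed root, intermediate signed by the root, and a
# RADIUS server certificate signed by the intermediate.
build_toy_pki() {
    d="$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.test\n' \
        > "$d/server.ext"

    # Root: CSR self-signed with its own key.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -out "$d/root.csr" -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1

    # Intermediate: signed by the root, marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" \
        -out "$d/intermediate.csr" -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/intermediate.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" >/dev/null 2>&1

    # Server (the RADIUS/EAP-TLS identity): signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" -subj "/CN=radius.example.test" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/server.csr" \
        -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
        -extfile "$d/server.ext" -out "$d/server.pem" >/dev/null 2>&1

    # The combined certificate the answers describe: leaf first, then the
    # intermediate. The root is what the client is told to trust.
    cat "$d/server.pem" "$d/intermediate.pem" > "$d/chain.pem"
}

# Number of PEM certificates in a bundle. 1 on a server that chains through an
# intermediate means the chain was not imported together with the cert.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject and issuer of every certificate in a bundle, in file order.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Model the supplicant: $1 is the root it trusts, $2 is whatever the RADIUS
# server presented in the EAP-TLS handshake, $3 is the server's own cert.
# Succeeds only if a path from $3 to $1 can be built out of $2.
client_trusts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

build_toy_pki
echo "certs in server.pem: $(count_certs "$WORK/server.pem")"
echo "certs in chain.pem:  $(count_certs "$WORK/chain.pem")"

if client_trusts "$WORK/root.pem" "$WORK/server.pem" "$WORK/server.pem"; then
    echo "server sends only its own cert: trusted"
else
    echo "server sends only its own cert: NOT trusted (client would send a fatal alert)"
fi

if client_trusts "$WORK/root.pem" "$WORK/chain.pem" "$WORK/server.pem"; then
    echo "server sends combined chain: trusted"
else
    echo "server sends combined chain: NOT trusted"
fi

show_chain "$WORK/chain.pem"
```

The two verify calls differ only in what the server is assumed to have presented, which is exactly the difference between importing just the certificate and importing the certificate with its chain. Running `show_chain` on a bundle before import is a quick way to confirm that each issuer line matches the subject of the next certificate in the file.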