Cloud Managed Networks

 View Only
Expand all | Collapse all

Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

This thread has been viewed 52 times
  • 1.  Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 16, 2024 11:29 AM

    Hello all, I'm relatively new to Aruba Central. We just installed our 67 535 APs 6 months ago. We are running an SSID using Cloud Auth to MS Entra ID. However, every time users connect to wifi they are being asked to physically click the network in settings and then click connect. They have the Aruba onboard app and profile installed in the app. I have opened a couple of tickets with Aruba TAC and they have no idea what is going on. To make matters more weird. We are seeing two of the same SSID even though there is only one in Aruba Central. When users click their wifi settings they can see Staff and Staff 2. We have never made a Staff 2 which confused Aruba TAC as well. Depending on the device type this shows up or does not. Its kinda random and inconsistent. But either way users still have to physically connect to Cloud Auth network by clicking a button.

    Has anyone else see this happen?



  • 2.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 16, 2024 07:22 PM

    were the onboard app and profile installed successfully? are these APs running AOS10 firmware?

    may be there is a device level configuration for the staff2 WLAN.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 30, 2024 10:59 AM

    We are seeing a similar pattern.

    Aruba TAC found an issue in the WLAN where names weren't consistent (I cannot remember which ones).

    This needed a new onboarding link, + removing all references in manage known wifi on the clients - their theory was the certificate had different names and thus was flagged by windows.

    However we are still seeing the issue, particularly if staff have multiple entra-joined windows 11 devices as wireless profiles are shared between the devices.

    AOS10.6, CloudAuth using EntraID.




  • 4.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 30, 2024 01:12 PM

    "were the onboard app and profile installed successfully? are these APs running AOS10 firmware?

    may be there is a device level configuration for the staff2 WLAN."

    Yes the profile and app where installed successfully on devices and the APs are running AOS10 Firmware. There is no device level configuration built into our Policies for Microsoft Intune.

    Our staff only have one device but Aruba TAC has yet to offer a solution. This is more than likely a certificate issue because device does not Autoconnect to the SSID. The user is forced to click the network and click connect. Upon connecting the device shows that it is connected to the [SSID name] with a 2 at the end of it. Really weird.

    Does anyone know how to fix this?




  • 5.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 30, 2024 01:15 PM

    See my response. There is not a device level configuration.




  • 6.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 01, 2024 11:01 AM



  • 7.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 30, 2024 10:59 AM

    Yes, we are seeing the same thing!

    TAC found an issue within the WLAN SSIDs, causing a certificate error which meant the client sometimes rejected the cert, needing the click on connect.

    We needed to re-issue the onboarding link and reset as well as removing the old wifi config.

    However, we are still seeing this behaviour after this fix.

    APs running AOS10.6.




  • 8.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 30, 2024 01:14 PM

    This is exactly what is going on with our devices as well.

    Can we get an Aruba Engineer to respond to this ticket thread???




  • 9.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Sep 30, 2024 08:55 PM
    Edited by Greg_W Oct 01, 2024 12:33 PM
      |   view attached

    Here is what I am seeing in screenshots.

    Occurs to  entra joined devices, but had other issues on hybrid devices.


    Attachment(s)



  • 10.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 03, 2024 11:03 AM
      |   view attached

    This is exactly what we are experiencing as well and our machine are Entra ID joined / Intune Managed but this also happens on personal Windows machines and Macs managed by Mosyle MDM

    Does it sometimes make you choose the certificate? See video attached




  • 11.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 14, 2024 05:43 AM

    Have you configured Intune and Mosyle to provision the devices with a client certificate and SSID configuration?

    The message displayed means that the client does not trust the (RADIUS/RadSec) server certificate, or that there is no configuration at all on the client. Central Cloud Authentication Onboarding should take care of that, but you should see as well 'Hotspot 2.0' and the (friendly) name of your network/organization on the SSID in Windows.

    In most cases, either Intune/MDM is used to provision the SSID and client certificates for managed devices, then use ClearPass or another RADIUS service to authenticate the devices. Or for unmanaged devices, you use Central Cloud Authentication for the provisioning as well as for the authentication.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 14, 2024 06:01 AM

    Thanks Herman,

    I haven't,  I just followed the various guides online and with support from the TAC. FYI we aren't running any radius functionality as we are migrating to a serverless environment. Our CloudAuth is working well directly to our EntraID environment.

    When we run the onboarding app, a private root certificate (dated from when we established CloudAuth is added to the trusted root certificate authorities inside the user certificate store, as well as a personal certificate for Aruba, issued by this trusted root.

    Can you point me toward any doco for issuing the client certs from intune (assume SCEP?) that ties into CloudAuth so we can just push out the WLAN to our end users?

    Thanks for engaging.

    Garry




  • 13.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 14, 2024 07:36 AM

    No we have not configured Intune and Mosyle to provision the devices with client certificate and SSID configuration. Please send documentation if you know if any on how to do this as Microsoft and Mosyle do not know how.

    As stated in previous posts the devices are using Aruba Onboard not Clearpass to authenticate to the Aruba Cloud Auth network. Around 50% of the devices are BYOD so we do not managed them from Intune or Mosyle so pushing any configuration would be impossible. We can create a profile in Intune (provide documentation if you know of any). My understanding is Aruba Onboard is used for BYOD environments, correct me if I'm wrong.

    How do we resolve this message, "The message displayed means that the client does not trust the (RADIUS/RadSec) server certificate, or that there is no configuration at all on the client." Using the Aruba Onboard product? This authentication error is happening on All device types. Android, MAC, Windows, etc. the only exception to the rule is iOS.




  • 14.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 16, 2024 05:29 AM

    If you onboarded the client through Central, indeed for BYOD, you should not see any authentication prompts.

    In case you do see warnings, please open a TAC case as there is nothing you can configure or change to my knowledge.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 15.  RE: Aruba Cloud Auth SSID asking users to connect even after authentication process is completed

    Posted Oct 16, 2024 05:35 AM
    Thanks Herman,

    I had a case with TAC a while back, and opened a new one this morning to revisit it. 

    It will be a certificate issue on our clients - but what confuses me is that the onboarding app should ensure that gets sorted. 

    I have found a few older references to similar issues. 

    The funniest observation is that the issue only occurs at first login; then it is happy for the day. Even a reboot does not cause the same symptom. 

    Regards

    Garry

    ********************
    This email and any files transmitted with it are confidential and intended solely
    for the use of the individual or entity to whom they are addressed.
    If you have received this email in error, please notify us immediately by return e-mai l
    and delete all copies. That error does not constitute waiver of any confidentiality,
    confidentiality, privilege or copyright in respect of information in the e-mail or attachments.
    ********************
    Scanned by Office 365 Email Gateway at Food Standards ANZ.