Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authentication fail with ClearPass - iOS

  • 1.  Authentication fail with ClearPass - iOS

    Posted Jul 23, 2024 09:58 AM

    When an iOS device tries to authenticate with ClearPass via Wi-Fi, I get the error message below. What could be the reason?

    2024-07-23 15:10:19,755 [HttpModule-ThreadPool-16-0x7f6ffd0d0700 r=R00049aea-06-669fabbb h=142] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN
    2024-07-23 15:10:19,755 [HttpModule-ThreadPool-16-0x7f6ffd0d0700 r=R00049aea-06-669fabbb h=142] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from %{Certificate:Subject-CN}
    2024-07-23 15:10:19,755 2024-07-23 15:10:19,758 [HttpModule-ThreadPool-14-0x7f6ffd4d2700 r=R00049aea-06-669fabbb h=140] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN
    2024-07-23 15:10:19,758 [HttpModule-ThreadPool-14-0x7f6ffd4d2700 r=R00049aea-06-669fabbb h=140] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from %{Certificate:Subject-CN}
    2024-07-23 15:10:19,758 [HttpModule-ThreadPool-14-0x7f6ffd4d2700 r=R00049aea-06-669fabbb h=140] ERROR Http.HttpAutzSession - Failed to get value for attributes=Intune Device Name, Intune ID, Intune User ID]
    2024-07-23 15:10:19,769 [RequestHandler-1-0x7f6f7e3f4700 r=R00049aea-06-669fabbb h=5745290 c=R00049aea-06-669fabbb] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2024-07-23 15:10:19,769 [RequestHandler-1-0x7f6f7e3f4700 r=R00049aea-06-669fabbb h=5745290 c=R00049aea-06-669fabbb] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2024-07-23 15:10:19,769 [RequestHandler-1-0x7f6f7e3f4700 r=R00049aea-06-669fabbb h=5745287 c=R00049aea-06-669fabbb] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=


  • 2.  RE: Authentication fail with ClearPass - iOS

    Posted Jul 23, 2024 11:38 AM

    Looks like a misconfiguration on the device or on your service/policies. Reason can be close to anything with this limited amount of information. Device does not authenticate with a client certificate (EAP-TLS/TEAP), where the service expects that to check the device in Intune, but that in itself is no reason to not authenticate.

    May be good to work with your Aruba partner or Aruba TAC to check design, configuration, logs, etc.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Authentication fail with ClearPass - iOS

    Posted Jul 25, 2024 09:18 AM

    Thanks for the reply. I managed to correct some errors which appeared before. Now I get the below. The PKCS certificate has CN={{DeviceId}} and the Intune source has the Intune ID in its attributes. Then I get the certificate unknown error. The CA root certificate is already in the ClearPass trusted list. I would really appreciate your answer. Thanks.

    2024-07-25 15:09:01,764 [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN
    2024-07-25 15:09:01,764 [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from %{Certificate:Subject-CN}
    2024-07-25 15:09:01,764 [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] ERROR Http.HttpAutzSession - Failed to get value for attributes=Intune ID]
    2024-07-25 15:09:01,755 [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - TLS Alert read:fatal:certificate unknown
    2024-07-25 15:09:01,755 [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - TLS_accept:failed in error
    2024-07-25 15:09:01,756 [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
    2024-07-25 15:09:01,756 [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed



  • 4.  RE: Authentication fail with ClearPass - iOS

    Posted Jul 30, 2024 04:48 AM

    Is this just for iOS devices? Do other devices with the same certificates authenticate properly?

    It looks like the authentication is not completing, which can have different reasons, where missing settings for the mutual trust (ClearPass needs to trust the client certificate, client needs to trust the server certificate) are most likely to be part of the issue.

    This type of issue is much easier to troubleshoot with access to your ClearPass, config, access tracker. I'd recommend to work with your Aruba partner and/or TAC to schedule an interactive session and see what is happening.



    ------------------------------
    Herman Robers
    ------------------------------
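
Added example (not part of the original posts and not ClearPass tooling): a small Python triage of log lines from post 3 that groups events by session ID and orders them by timestamp, since the excerpt was pasted out of order. It uses the OpenSSL-style convention that `TLS Alert read` marks an alert received from the peer; the regexes and the finding names are assumptions fitted to the lines shown in this thread.

```python
import re
from collections import defaultdict

# Log lines copied from post 3 of this thread, in the order they were posted.
SAMPLE = """\
2024-07-25 15:09:01,764 [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN
2024-07-25 15:09:01,764 [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] ERROR Http.HttpAutzSession - Failed to get value for attributes=Intune ID]
2024-07-25 15:09:01,755 [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - TLS Alert read:fatal:certificate unknown
2024-07-25 15:09:01,756 [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

# Assumed layout: "<date> <time> [<context>] <LEVEL> <component> - <message>"
LINE = re.compile(r"^(\S+ \S+) \[(.*?)\] (\w+) (\S+) - (.*)$")
SESSION = re.compile(r"(?:r=|SessId )(R[0-9a-f]+-\d+-[0-9a-f]+)")
ALERT = re.compile(r"TLS Alert (read|write):(\w+):(.+)")
MISSING = re.compile(r"No values for param=(\S+)")

def by_session(log):
    """Group parsed events per session ID, ordered by timestamp."""
    sessions = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ctx, level, component, msg = m.groups()
        sid = SESSION.search(ctx)
        if sid:
            sessions[sid.group(1)].append((ts, level, component, msg))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])  # fixed-width timestamps sort lexically
    return dict(sessions)

def triage(events):
    """Return (timestamp, kind, detail) findings for one session."""
    findings = []
    for ts, _level, _component, msg in events:
        alert = ALERT.search(msg)
        missing = MISSING.search(msg)
        if alert:
            # "read" = alert received from the client; "write" = sent by the server
            sender = "client" if alert.group(1) == "read" else "server"
            findings.append((ts, f"tls_alert_from_{sender}", alert.group(3)))
        elif missing:
            findings.append((ts, "missing_cert_attribute", missing.group(1)))
    return findings

if __name__ == "__main__":
    for sid, events in by_session(SAMPLE).items():
        for finding in triage(events):
            print(sid, *finding)
```

On the lines from post 3 this puts the `certificate unknown` alert, received from the client, at 15:09:01,755, ahead of the `Certificate:Subject-CN` lookup failure at 15:09:01,764. An alert sent by the client concerns the certificate the server presented, which is the "client needs to trust the server certificate" half of the mutual trust described in post 4.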