Is this just for iOS devices? Do other devices with the same certificates authenticate properly?
It looks like the authentication is not completing, which can have different reasons, where missing settings for the mutual trust (ClearPass needs to trust the client certificate, client needs to trust the server certificate) are most likely to be part of the issue.
This type of issue is much easier to troubleshoot with access to your ClearPass, config, and Access Tracker. I'd recommend working with your Aruba partner and/or TAC to schedule an interactive session and see what is happening.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 25, 2024 09:18 AM
From: manurangas
Subject: Authentication fail with clearpass- iOS
Thanks for the reply. I managed to correct some errors which appeared before. Now I get the below. The PKCS certificate has CN={{DeviceId}} and the Intune source has the Intune ID in its attributes. Then I get the certificate unknown error. The CA root certificate is already in the ClearPass trusted list. I would really appreciate your answer. Thanks.
2024-07-25 15:09:01,764 | [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN |
2024-07-25 15:09:01,764 | [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from %{Certificate:Subject-CN} |
2024-07-25 15:09:01,764 | [HttpModule-ThreadPool-31-0x7f6f8f1f8700 r=R0004c7f2-06-66a24e6d h=157] ERROR Http.HttpAutzSession - Failed to get value for attributes=Intune ID] |
2024-07-25 15:09:01,755 | [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - TLS Alert read:fatal:certificate unknown |
2024-07-25 15:09:01,755 | [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - TLS_accept:failed in error |
2024-07-25 15:09:01,756 | [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown |
2024-07-25 15:09:01,756 | [Th 49 Req 2634386 SessId R0004c7f2-06-66a24e6d] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed |
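Added example (not part of the original posts, and not Aruba or ClearPass code): a small Python triage of log lines in the format posted above. It groups lines by session ID, records which side sent each TLS alert ("TLS Alert read" means the server received the alert, so the client sent it; "write" means the server sent it), and lists authorization parameters that had no value. The sample lines and session IDs are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log format in this thread (IDs are made up).
SAMPLE = """\
2024-01-01 10:00:00,100 | [Th 1 Req 10 SessId R00000001-01-aaaaaaaa] ERROR RadiusServer.Radius - TLS Alert read:fatal:certificate unknown |
2024-01-01 10:00:00,101 | [Th 1 Req 10 SessId R00000001-01-aaaaaaaa] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed |
2024-01-01 10:00:00,110 | [HttpModule-ThreadPool-1-0x0 r=R00000001-01-aaaaaaaa h=1] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN |
2024-01-01 10:05:00,200 | [Th 2 Req 11 SessId R00000002-01-bbbbbbbb] ERROR RadiusServer.Radius - TLS Alert write:fatal:unknown CA |
"""

# The session ID appears as "SessId R..." in RADIUS lines and "r=R..." in HTTP module lines.
SESSION = re.compile(r"(?:SessId |\br=)(R[0-9a-f]+-\d+-[0-9a-f]+)")
ALERT = re.compile(r"TLS Alert (read|write):(\w+):([^|]+)")
MISSING = re.compile(r"No values for param=([\w:-]+)")


def triage(log_text):
    """Return {session_id: {"alerts": [...], "missing_params": {...}, "hints": [...]}}."""
    sessions = defaultdict(lambda: {"alerts": [], "missing_params": set(), "hints": []})
    for line in log_text.splitlines():
        sid = SESSION.search(line)
        if not sid:
            continue
        entry = sessions[sid.group(1)]
        if alert := ALERT.search(line):
            # read = alert received by the server (sent by the client); write = sent by the server
            sender = "client" if alert.group(1) == "read" else "server"
            entry["alerts"].append((sender, alert.group(2), alert.group(3).strip()))
        if param := MISSING.search(line):
            entry["missing_params"].add(param.group(1))
    for entry in sessions.values():
        for sender, level, desc in entry["alerts"]:
            checked = "server" if sender == "client" else "client"
            entry["hints"].append(
                f"{sender} sent {level} alert '{desc}': review how the {sender} "
                f"validates the {checked} side of the handshake")
        for name in sorted(entry["missing_params"]):
            entry["hints"].append(f"no value for {name}: lookups keyed on it cannot run")
    return dict(sessions)


if __name__ == "__main__":
    for session_id, entry in triage(SAMPLE).items():
        print(session_id, *entry["hints"], sep="\n  ")
```

Correlating on the session ID matters because the RADIUS and HTTP module lines for one request are written by different threads and do not appear in time order.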
Original Message:
Sent: Jul 23, 2024 11:38 AM
From: Herman Robers
Subject: Authentication fail with clearpass- iOS
Looks like a misconfiguration on the device or on your service/policies. Reason can be close to anything with this limited amount of information. Device does not authenticate with a client certificate (EAP-TLS/TEAP), where the service expects that to check the device in Intune, but that in itself is no reason to not authenticate.
May be good to work with your Aruba partner or Aruba TAC to check design, configuration, logs, etc.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 23, 2024 09:33 AM
From: manurangas
Subject: Authentication fail with clearpass- iOS
When an iOS device is trying to authenticate with ClearPass via Wi-Fi, I get the below error message. What could be the reason?
2024-07-23 15:10:19,755 | [HttpModule-ThreadPool-16-0x7f6ffd0d0700 r=R00049aea-06-669fabbb h=142] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN | |
2024-07-23 15:10:19,755 | [HttpModule-ThreadPool-16-0x7f6ffd0d0700 r=R00049aea-06-669fabbb h=142] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from %{Certificate:Subject-CN} | |
2024-07-23 15:10:19,755 | 2024-07-23 15:10:19,758 | [HttpModule-ThreadPool-14-0x7f6ffd4d2700 r=R00049aea-06-669fabbb h=140] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Certificate:Subject-CN}, error=No values for param=Certificate:Subject-CN |
| 2024-07-23 15:10:19,758 | [HttpModule-ThreadPool-14-0x7f6ffd4d2700 r=R00049aea-06-669fabbb h=140] ERROR Http.HttpAutzSession - queryAutzAttributes: Failed to construct path from %{Certificate:Subject-CN} |
| 2024-07-23 15:10:19,758 | [HttpModule-ThreadPool-14-0x7f6ffd4d2700 r=R00049aea-06-669fabbb h=140] ERROR Http.HttpAutzSession - Failed to get value for attributes=Intune Device Name, Intune ID, Intune User ID] |
2024-07-23 15:10:19,769 | [RequestHandler-1-0x7f6f7e3f4700 r=R00049aea-06-669fabbb h=5745290 c=R00049aea-06-669fabbb] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg= |
2024-07-23 15:10:19,769 | [RequestHandler-1-0x7f6f7e3f4700 r=R00049aea-06-669fabbb h=5745290 c=R00049aea-06-669fabbb] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device |
2024-07-23 15:10:19,769 | [RequestHandler-1-0x7f6f7e3f4700 r=R00049aea-06-669fabbb h=5745287 c=R00049aea-06-669fabbb] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg= |