Security


CPPM EAP-TLS authentication to non-domain joined device issues.

  • 1.  CPPM EAP-TLS authentication to non-domain joined device issues.

    Posted 13 days ago
    Hi Experts,

    I am in the midst of configuring CPPM to perform EAP-TLS certificate-based authentication to non-domain joined wired sensors. I have a Cisco switch configured to send 802.1x queries to the CPPM IP address.

    The Root CA and "Web Server" certificate template obtained from Windows ADCS are installed in the CPPM. The service is configured with "EAP-TLS", "EAP-FAST", "EAP-TTLS" and "EAP-PEAP". The authentication source is defined as "[Local User Repository] [Local SQL DB]".

    When the authentication request is initiated, CPPM rejects the request with the error "user not found".

    I would be grateful if you could guide me in the right direction. Thanks in advance.

    Service Summary:


    Error Summary:




    Error Logs:

    Time Message
    2022-11-18 16:04:57,510 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 54:193:00-XX-XX-XX-X2-AF
    2022-11-18 16:04:57,512 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-57 h=127 r=R00000003-01-6377f379] INFO Core.ServiceReqHandler - Service classification result = XXXXXXX Xensors
    2022-11-18 16:04:57,513 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - Service Categorization time = 2 ms
    2022-11-18 16:04:57,513 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "XXXXXXX Xensors"
    2022-11-18 16:04:57,513 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_sql: searching for user XXXXXX-Xv.internal/Computers/00XXXXXXX2AF in Local:localhost
    2022-11-18 16:04:57,514 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2022-11-18 16:04:57,514 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 54:88:00-XX-XX-XX-X2-AF:APAAywBRAOgGAAAA23ajljVwfv3WKydKN2yojA==
    2022-11-18 16:04:57,581 [Th 9 Req 7 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "XXXXXXX Xensors" - 55:434:00-XX-XX-XX-X2-AF
    2022-11-18 16:04:57,582 [Th 9 Req 7 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_sql: searching for user XXXXXX-Xv.internal/Computers/00XXXXXXX2AF in Local:localhost
    2022-11-18 16:04:57,583 [Th 9 Req 7 SessId R00000003-01-6377f379] ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting


  • 2.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    EMPLOYEE
    Posted 13 days ago
    Perhaps you can show a screenshot of your "EAP-TLS_sensor" auth method?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    Posted 11 days ago
    Hi,

    Thanks for your swift response, and apologies for the delay in mine.

    I should have shared those details in the problem description itself:




  • 4.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    EMPLOYEE
    Posted 11 days ago
    Hi Wifi_guy,

    You have Authorization Required ticked. Do you have an authorization source that will match the certificate? It sounds like you will not. Try unticking that box and authenticating the client again.


  • 5.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    EMPLOYEE
    Posted 11 days ago
    Yes, as ProbeRequest said, "Authorization Required" compares the username in the certificate against the authz sources that are in the service that it is matching with.

    So if you uncheck that, the auth should work.




  • 6.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    Posted 10 days ago
    Hi Experts,

    At the outset, thank you for your valuable suggestions. It actually resolved the Service mapping issue. I can now see it evaluates based on the configured policy but now I am faced with this error. Any expert suggestions will be truly appreciated.

    Sensor Side:

    TLS: Peer certificate not trusted
    TLS: Certificate uses insecure algorithm
    eth1: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=7 depth=0 subject='' err='certificate uses insecure algori'
    eth1: CTRL-EVENT-EAP-FAILURE EAP authentication failed

    CPPM Side:

    2022-11-21 14:06:55,241 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 85:139:0X-XX-XX-XX-XX-XF
    2022-11-21 14:06:55,243 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-83 h=127 r=R00000000-01-637bcc4f] INFO Core.ServiceReqHandler - Service classification result = XXXXXXXXXXX sensors
    2022-11-21 14:06:55,244 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - Service Categorization time = 3 ms
    2022-11-21 14:06:55,244 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "XXXXXXXXXXX sensors"
    2022-11-21 14:06:55,245 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user 0XXXXXXXXXXF$ in Local:localhost
    2022-11-21 14:06:55,249 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_eap_tls: Initiate
    2022-11-21 14:06:55,249 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 85:88:0X-XX-XX-XX-XX-XF:AH8ArwApALQAAAAA6eSlFfpA4AeV3ESbp6gbkw==
    2022-11-21 14:06:55,314 [Th 13 Req 1 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "XXXXXXXXXXX sensors" - 86:407:0X-XX-XX-XX-XX-XF
    2022-11-21 14:06:55,314 [Th 13 Req 1 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user 0XXXXXXXXXXF$ in Local:localhost
    2022-11-21 14:06:55,317 [Th 13 Req 1 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - TLS_accept:error in SSLv3/TLS write server done
    2022-11-21 14:06:55,317 [Th 13 Req 1 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 86:1124:0X-XX-XX-XX-XX-XF:ALoAgAC2APkBAAAAyIZwBGb2fwPtHff4L/oCyA==
    2022-11-21 14:06:55,343 [Th 14 Req 2 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "XXXXXXXXXXX sensors" - 87:169:0X-XX-XX-XX-XX-XF
    2022-11-21 14:06:55,343 [Th 14 Req 2 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user 0XXXXXXXXXXF$ in Local:localhost
    2022-11-21 14:06:55,344 [Th 14 Req 2 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 87:1120:0X-XX-XX-XX-XX-XF:AN4APwAvAKkCAAAABYOF+Sil2qDDey10/saLwA==
    2022-11-21 14:06:55,371 [Th 15 Req 3 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "XXXXXXXXXXX sensors" - 88:169:0X-XX-XX-XX-XX-XF
    2022-11-21 14:06:55,371 [Th 15 Req 3 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user 0XXXXXXXXXXF$ in Local:localhost
    2022-11-21 14:06:55,372 [Th 15 Req 3 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 88:1120:0X-XX-XX-XX-XX-XF:AHUAcQCiAFsDAAAAJMA3V0Yrg7NQPZWWuWXLTg==
    2022-11-21 14:06:55,399 [Th 16 Req 4 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "XXXXXXXXXXX sensors" - 89:169:0X-XX-XX-XX-XX-XF
    2022-11-21 14:06:55,399 [Th 16 Req 4 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user 0XXXXXXXXXXF$ in Local:localhost
    2022-11-21 14:06:55,399 [Th 16 Req 4 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 89:366:0X-XX-XX-XX-XX-XF:ANcAFwCUANoEAAAAcaVXGzegl/TemcrwZ+hURQ==
    2022-11-21 14:06:55,429 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "XXXXXXXXXXX sensors" - 90:176:0X-XX-XX-XX-XX-XF
    2022-11-21 14:06:55,429 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user 0XXXXXXXXXXF$ in Local:localhost
    2022-11-21 14:06:55,430 [Th 17 Req 5 SessId R00000000-01-637bcc4f] ERROR RadiusServer.Radius - TLS Alert read:fatal:insufficient security
    2022-11-21 14:06:55,430 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - TLS_accept:error in error
    2022-11-21 14:06:55,430 [Th 17 Req 5 SessId R00000000-01-637bcc4f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS failed during operation
    2022-11-21 14:06:55,430 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2022-11-21 14:06:55,431 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 0001c02942af
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3001 entity id = 29
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for NAD instance=3001
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for NAD instanceId=3001|entityId=29
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3001|entity=Device
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 3002 entity id = 72
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.TagDefinitionCacheTable - Building the TagDefMapTable for Endpoint instance=3002
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO Common.TagDefinitionCacheTable - Built 0 tag(s) for instanceId=3002|entityId=72|entityName=Endpoint
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=3002|entity=Endpoint
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=psauto-1666644020-84 h=135 r=R00000000-01-637bcc4f] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskAuthSourceRestriction **
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskRoleMapping **
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskAuthSourceRestriction **
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 h=817 c=R00000000-01-637bcc4f] INFO Core.PETaskRoleMapping - Roles:
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskRoleMapping **
    2022-11-21 14:06:55,432 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskPolicyResult **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskPolicyResult **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskEnforcement **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 h=820 c=R00000000-01-637bcc4f] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskEnforcement **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskRadiusEnfProfileBuilder **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskRadiusCoAEnfProfileBuilder **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskAppEnfProfileBuilder **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskAgentEnfProfileBuilder **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskPostAuthEnfProfileBuilder **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskGenericEnfProfileBuilder **
    2022-11-21 14:06:55,433 [RequestHandler-1-0x7fc7489e4700 h=827 c=R00000000-01-637bcc4f] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 h=822 c=R00000000-01-637bcc4f] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 h=822 c=R00000000-01-637bcc4f] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 h=822 c=R00000000-01-637bcc4f] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskGenericEnfProfileBuilder **
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskAgentEnfProfileBuilder **
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskAppEnfProfileBuilder **
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskCliEnforcement **
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 h=828 c=R00000000-01-637bcc4f] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskRadiusEnfProfileBuilder **
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskCliEnforcement **
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=826 c=R00000000-01-637bcc4f] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=826 c=R00000000-01-637bcc4f] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2022-11-21 14:06:55,434 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskPostAuthEnfProfileBuilder **
    2022-11-21 14:06:55,435 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=823 c=R00000000-01-637bcc4f] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2022-11-21 14:06:55,435 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskRadiusCoAEnfProfileBuilder **
    2022-11-21 14:06:55,435 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskAuthStatusInfo **
    2022-11-21 14:06:55,435 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskOutputPolicyRes **
    2022-11-21 14:06:55,435 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Starting PETaskSessionLog **
    2022-11-21 14:06:55,437 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - Policy Evaluation time = 7 ms
    2022-11-21 14:06:55,437 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2022-11-21 14:06:55,437 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2022-11-21 14:06:55,437 [Th 17 Req 5 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - Request processing time = 197 ms
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 h=830 c=R00000000-01-637bcc4f] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 h=830 c=R00000000-01-637bcc4f] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 h=829 c=R00000000-01-637bcc4f] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskSessionLog **
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskOutputPolicyRes **
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - ** Completed PETaskAuthStatusInfo **
    2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 r=R00000000-01-637bcc4f h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
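
An added example (not part of any post in this thread, and not Aruba code): a small Python triage that groups CPPM RADIUS log lines like the two excerpts above by session ID and reports the step at which each session failed. The sample log is constructed and abridged from those excerpts with placeholder identities; the function and field names are hypothetical.

```python
import re

# Constructed sample: abridged from the two CPPM excerpts in this thread,
# with identities, MAC addresses and state blobs replaced by placeholders.
SAMPLE_LOG = """\
2022-11-18 16:04:57,513 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - rlm_sql: searching for user example.internal/Computers/SENSOR01 in Local:localhost
2022-11-18 16:04:57,514 [Th 8 Req 6 SessId R00000003-01-6377f379] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 54:88:00-00-00-00-00-01:STATE
2022-11-18 16:04:57,583 [Th 9 Req 7 SessId R00000003-01-6377f379] ERROR RadiusServer.Radius - rlm_eap_tls: User not found in any authentication source, rejecting
2022-11-21 14:06:55,245 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - rlm_sql: searching for user SENSOR01$ in Local:localhost
2022-11-21 14:06:55,249 [Th 12 Req 0 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 85:88:00-00-00-00-00-01:STATE
2022-11-21 14:06:55,344 [Th 14 Req 2 SessId R00000000-01-637bcc4f] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 87:1120:00-00-00-00-00-01:STATE
2022-11-21 14:06:55,430 [Th 17 Req 5 SessId R00000000-01-637bcc4f] ERROR RadiusServer.Radius - TLS Alert read:fatal:insufficient security
2022-11-21 14:06:55,430 [Th 17 Req 5 SessId R00000000-01-637bcc4f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS failed during operation
2022-11-21 14:06:55,437 [RequestHandler-1-0x7fc7489e4700 h=815 c=R00000000-01-637bcc4f] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***
"""

# timestamp [context] LEVEL component - message
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]*)\] (INFO|WARN|ERROR) (\S+) - (.*)$")
# The session ID appears as "SessId X", "r=X" or "c=X" inside the brackets.
SESS_RE = re.compile(r"\b(?:SessId |[rc]=)(R[0-9a-f]{8}-\d\d-[0-9a-f]{8})")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)")
USER_RE = re.compile(r"searching for user (\S+) in ")


def triage(log_text):
    """Group CPPM RADIUS log lines by session and summarise why each failed."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        sid = SESS_RE.search(m.group(2)) if m else None
        if not sid:
            continue
        s = sessions.setdefault(sid.group(1), {
            "identity": None, "challenges": 0, "errors": [], "alert": None})
        level, msg = m.group(3), m.group(5)
        user = USER_RE.search(msg)
        if user:
            s["identity"] = user.group(1)
        if "Access-Challenge" in msg:
            s["challenges"] += 1  # one EAP round trip sent back to the NAS
        alert = ALERT_RE.search(msg)
        if alert:
            # "read" = alert received from the supplicant, "write" = sent by the server
            s["alert"] = {
                "from": "supplicant" if alert.group(1) == "read" else "server",
                "level": alert.group(2),
                "description": alert.group(3).strip()}
        if level == "ERROR":
            s["errors"].append(msg)
    for s in sessions.values():
        if s["alert"]:
            s["verdict"] = f"TLS aborted by {s['alert']['from']}: {s['alert']['description']}"
        elif any("User not found" in e for e in s["errors"]):
            s["verdict"] = "identity not found in any configured source"
        else:
            s["verdict"] = "no failure recognised"
    return sessions


if __name__ == "__main__":
    for sid, summary in triage(SAMPLE_LOG).items():
        print(sid, summary["identity"], summary["challenges"], summary["verdict"])
```

A `TLS Alert read` line records an alert received from the supplicant, so the second session was ended by the sensor rather than by ClearPass, which matches the sensor's own "Certificate uses insecure algorithm" message.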


  • 7.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    EMPLOYEE
    Posted 10 days ago
    What type of digest algorithm is the wired sensor expecting in the server certificate?





  • 8.  RE: CPPM EAP-TLS authentication to non-domain joined device issues.

    EMPLOYEE
    Posted 9 days ago
    Could it be that your EAP server certificate on ClearPass uses MD5 or SHA1? Please check the certificate details, and most specifically on:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                77:00:00:00:46:29:0f:39:51:b0:69:ac:6c:00:00:00:00:00:46
            Signature Algorithm: sha512WithRSAEncryption
            Issuer: DC = com, DC = arubalab, DC = nl, CN = ArubalabNL-CA
            Validity
                Not Before: Feb 13 18:05:59 2017 GMT
                Not After : Feb 11 18:05:59 2027 GMT
            Subject: C = NL, O = Arubalab NL, CN = radius.nl.arubalab.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:

    From the message, it seems that the sensor rejects the ClearPass EAP certificate based on obsolete cryptographic algorithms. It may be good to work with the support for the sensor or Aruba support to run live/interactive troubleshooting because this is about details and hard to resolve in a forum.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
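
An added example (not part of the post above, and not Aruba or OpenSSL code): a Python check over the text printed by `openssl x509 -noout -text`, reporting the signature digest and public-key size that the reply above says to inspect. The weak-digest list and minimum key sizes are assumptions, since the thread does not state the sensor's policy; the first sample is abridged from the excerpt quoted above and the second is constructed.

```python
import re

# Assumed baseline policy (not from the thread): the sensor's real limits are
# not stated, so adjust these to what the supplicant vendor documents.
WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}
MIN_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 224}

# Abridged from the excerpt quoted in the thread (a certificate that passes).
THREAD_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha512WithRSAEncryption
        Subject: C = NL, O = Arubalab NL, CN = radius.nl.arubalab.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
"""

# Constructed sample: SHA-1 signature and a 1024-bit RSA key.
WEAK_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = radius.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

_DIGEST_RE = re.compile(r"(md2|md4|md5|sha1(?!\d)|sha224|sha256|sha384|sha512)", re.I)


def _first(pattern, text):
    """Return the first capture of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else None


def audit_cert_text(text):
    """Parse `openssl x509 -noout -text` output and list weak parameters."""
    sig_alg = _first(r"^\s*Signature Algorithm:\s*(\S+)", text)
    key_alg = _first(r"^\s*Public Key Algorithm:\s*(\S+)", text)
    # Matches both "RSA Public-Key: (N bit)" and "Public-Key: (N bit)".
    bits = _first(r"Public-Key:\s*\((\d+) bit\)", text)
    bits = int(bits) if bits else None
    m = _DIGEST_RE.search(sig_alg or "")
    digest = m.group(1).lower() if m else None

    findings = []
    if sig_alg is None:
        findings.append("no Signature Algorithm line found")
    elif digest is None:
        findings.append(f"digest not visible in '{sig_alg}' (e.g. RSA-PSS); check manually")
    elif digest in WEAK_DIGESTS:
        findings.append(f"weak signature digest: {digest}")
    floor = MIN_BITS.get(key_alg)
    if bits is None or floor is None:
        findings.append("key type or size not recognised; check manually")
    elif bits < floor:
        findings.append(f"{key_alg} key too small: {bits} < {floor} bits")
    return {"signature_algorithm": sig_alg, "digest": digest,
            "key_algorithm": key_alg, "key_bits": bits, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("constructed", WEAK_SAMPLE)):
        print(name, audit_cert_text(sample))
```

To use it on a real deployment, export the ClearPass EAP server certificate, run `openssl x509 -in <file> -noout -text` on it, and pass the output to `audit_cert_text`; repeat for each CA certificate in the chain the server presents.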