That's not a common combination (ClearPass, PEAP and a local user database), but it should work. A few things:
Don't use PEAP. The MSCHAPv2 (username/password) used in it is broken security, even more so if you don't have the certificates in place and enforced. The 'good thing' with a local database is that these passwords are not tied to AD, and breaking a user's password for the WiFi doesn't mean you can sign in with it to AD (unless users used the same password).
Don't use EAP with a self-signed certificate; there are clients that require the certificate to be signed by a CA before they accept the certificate. If such clients see a self-signed certificate they may just 'not connect' instead of showing the certificate to the user with the option to ignore security warnings and continue. You may try to create a CA in ClearPass Onboard (doesn't require a license) and create the RADIUS EAP Server cert from there (server certs don't require an Onboard license either).
As this does not explain why it works in your test environment but not in the customer's: you may have a small MTU on the path between the AP and ClearPass, which can cause fragmentation of the RADIUS traffic and break 802.1X. You could check whether the EAP traffic is being dropped somewhere in the path between client and ClearPass.
If you have Central, did you consider the use of Cloud Authentication? It's part of Central in the foundation licenses and doesn't require the installation of a ClearPass.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
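The fragmentation point in the reply above, as an added example that is not from the thread and not ClearPass code: a RADIUS Access-Challenge carries the server's EAP-TLS/PEAP handshake fragment split across 253-byte EAP-Message attributes (RFC 3579), so one EAP fragment of around 1400 bytes already produces a UDP datagram larger than a 1500-byte link MTU. If the IP fragments are dropped anywhere between AP and server, the client never sees the server certificate and the authentication times out with "client did not complete the EAP transaction". The packet below is constructed locally with a dummy TLS fragment; the 1400-byte fragment size and the MTU values are just inputs, not ClearPass defaults.

```python
"""Added example: build and parse a RADIUS Access-Challenge carrying an EAP-TLS
fragment, then report whether the UDP datagram would be IP-fragmented on a given
path MTU. Everything here is constructed; no real server or client is involved."""
import math
import struct

RADIUS_ACCESS_CHALLENGE = 11
ATTR_STATE = 24
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_CODE_REQUEST = 1
EAP_TYPE_TLS = 13            # PEAP (type 25) uses the same fragment framing
EAP_MESSAGE_MAX_VALUE = 253  # one-byte attribute length minus the 2 header bytes
IPV4_HEADER = 20
UDP_HEADER = 8


def eap_tls_request(eap_id, tls_data, more_fragments=True):
    """EAP-Request/EAP-TLS with the L (length included) and M (more) flag bits set."""
    flags = 0x80 | (0x40 if more_fragments else 0x00)
    body = struct.pack("!BBI", EAP_TYPE_TLS, flags, len(tls_data)) + tls_data
    return struct.pack("!BBH", EAP_CODE_REQUEST, eap_id, 4 + len(body)) + body


def attribute(attr_type, value):
    """RADIUS TLV: Type, Length (includes the 2 header bytes), Value."""
    assert len(value) <= EAP_MESSAGE_MAX_VALUE
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_challenge(eap_packet, radius_id=1, state=b"\x00" * 16):
    """Wrap one EAP packet in RADIUS per RFC 3579: chunk it into EAP-Message attributes."""
    attrs = b"".join(
        attribute(ATTR_EAP_MESSAGE, eap_packet[i:i + EAP_MESSAGE_MAX_VALUE])
        for i in range(0, len(eap_packet), EAP_MESSAGE_MAX_VALUE)
    )
    attrs += attribute(ATTR_STATE, state)
    # Message-Authenticator is an HMAC-MD5 in real traffic; a zero placeholder keeps
    # the size right, which is all this example measures.
    attrs += attribute(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    response_authenticator = b"\x00" * 16  # placeholder, not computed here
    header = struct.pack("!BBH", RADIUS_ACCESS_CHALLENGE, radius_id, 20 + len(attrs))
    return header + response_authenticator + attrs


def parse_radius(packet):
    """Parse the RADIUS header and walk the attribute list, validating lengths."""
    code, radius_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": radius_id, "length": length, "attributes": attrs}


def reassemble_eap(attributes):
    """EAP-Message values are concatenated in order to recover the EAP packet."""
    return b"".join(value for attr_type, value in attributes if attr_type == ATTR_EAP_MESSAGE)


def fragmentation_report(packet, path_mtu):
    """Size of the IPv4/UDP datagram carrying `packet` and how many fragments a
    link of `path_mtu` bytes forces (fragment payloads are 8-byte multiples)."""
    udp_len = UDP_HEADER + len(packet)
    ip_total = IPV4_HEADER + udp_len
    per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8
    fragments = max(1, math.ceil(udp_len / per_fragment))
    return {"radius_len": len(packet), "ip_total": ip_total,
            "fragments": fragments, "fragmented": fragments > 1}


if __name__ == "__main__":
    # Constructed input: a 1400-byte TLS fragment (e.g. part of a server cert chain).
    challenge = build_access_challenge(eap_tls_request(7, b"\xaa" * 1400))
    parsed = parse_radius(challenge)
    n_eap = sum(1 for t, _ in parsed["attributes"] if t == ATTR_EAP_MESSAGE)
    print("RADIUS length %d bytes in %d EAP-Message attributes" % (parsed["length"], n_eap))
    for mtu in (1500, 1400, 9000):
        print("path MTU %5d: %s" % (mtu, fragmentation_report(challenge, mtu)))
```

Running it shows the 1478-byte RADIUS packet becoming a 1506-byte IP datagram, one fragment over on a 1500-byte path, so a firewall or tunnel that drops non-initial fragments kills exactly this step of the handshake. On a live path the same check is a ping toward ClearPass with the don't-fragment bit set and a payload around this size; if that fails while small pings succeed, lower the EAP fragment size on the server or fix the path MTU.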
Original Message:
Sent: Mar 18, 2025 02:29 PM
From: jrwirtz
Subject: New Clearpass Install With Instant - Certificate Issues (maybe)
I am currently working with a customer on a fresh install of ClearPass (version 6.12.4.305024) with Instant (version 8.12.0.3_91078) managed through Central on a combination of 615 and 635 access points.
This customer does not have Active Directory, so we are leveraging the local users repository in ClearPass. Since I have never used the local user repository as a sole authentication source in the past, we decided to set up a quick test SSID to make sure it was working right. Created the SSID and a basic service in ClearPass and had the customer try to connect using their iPhone. Customer gets an "unable to connect" message and, in the Access Tracker, we see a Timeout with the "client did not complete the EAP transaction" message, which screams to me that there was a cert issue. Not a huge surprise since we are currently only using the self-signed cert; I would expect a cert error, but the customer states he never gets the cert warning popup with the opportunity to trust the cert. So, thinking maybe a device issue, we tested on a few other devices. MacBook, same result. Chromebook (even with "don't validate cert" selected), same result.
I replicated the customer's deployment as closely as I could in my lab environment with the same version of ClearPass and Instant along with an AP 635. The only difference between my test and his test is that, in my environment, ClearPass is a VM while, in his environment, ClearPass is an appliance, but, in my mind, that shouldn't matter. The services are set up the same on both, and the only difference between their SSID and mine is the name (he used 'test' and I used 'LU-Test'). In my environment, with my iPhone, after I put the username/password in, I get the certificate warning immediately. When I hit Trust, it connects right up with no issue.
I have tried to figure out a way to replicate his issue; however, I can't seem to do so. Has anyone else seen anything like this? I have seen devices over the years refuse to play nice with PKI but have never had several devices with the same behavior like this.
Thanks in advance!
------------------------------
Jeremy R. Wirtz
------------------------------