Onboard - EAP-TLS questions

  • 1.  Onboard - EAP-TLS questions

    Posted Jun 14, 2022 08:16 AM
    We're in the process of configuring Onboard for EAP-TLS per device client certificate distribution for 802.1X eduroam authentication - transitioning from using PEAP-MSCHAPv2. 

    Currently hitting an issue with installing the generated configuration profile for macOS/iOS - see screenshots for errors. We have created a Root CA within Onboard and referenced the CA where necessary within the provisioning settings. The profile is then signed using a code signing certificate managed within our organisation, uploaded to the Apple provisioning settings. 

    I have uploaded the Root CA to the trusted certs within 'network settings > trust', defined the OCSP URL within the cert authority settings relating to the code signing cert for the profile. 

    I'm still getting the same install error. Can anyone provide any help/guidance? Or know of any useful documentation available?


  • 2.  RE: Onboard - EAP-TLS questions

    EMPLOYEE
    Posted 18 days ago
    Looks to me like the client cannot reach ClearPass to get the client certificate at the time this error shows. Did you prevent the CNA (Captive Network Assistant)? It's known that Onboard does not work from the automatic captive portal pop-up (CNA).

    Another possibility is that the client changed to cellular if WiFi is not providing enough service (iOS devices can switch to cellular if they think that is better for the end-user). Easy to test by disabling cellular or moving to flight mode and trying again.

    It may be best to work with support, if you haven't yet. Based on just this screenshot it is hard to tell what is preventing this client from onboarding.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------