Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Roaming SSID not working when my users go to another institution.

  • 1.  Roaming SSID not working when my users go to another institution.

    Posted Nov 04, 2022 07:00 AM

    Hi,

    I have an issue with an SSID that works like eduroam, just the name of the SSID is different.

    My users are going to a different institution, connecting on the SSID and failing to authenticate. Their request makes it back to my CPPM servers and shows a timeout.

    I can see the request hit the central RADIUS server and the error message displayed is: Reply-Message = Outer Tunnel Rejected! [OUTPUT]: Outer Tunnel Rejected! [Failure-Message]: NONE. The central server is a FreeRADIUS server.

    When I check our local CPPM server it just shows a timeout. There have been no changes on the firewall and this was working beforehand; not sure what is causing the issue.

    Any pointers will help greatly.

    Thanks,



  • 2.  RE: Roaming SSID not working when my users go to another institution.

    EMPLOYEE
    Posted Nov 04, 2022 10:36 AM
    If it uses a different CPPM and has a different certificate, the user must manually trust the new server certificate.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Roaming SSID not working when my users go to another institution.

    EMPLOYEE
    Posted Nov 09, 2022 03:25 AM
    It looks like your central RADIUS server tries to handle the EAP session, which is suggested by a message around the Outer Tunnel. It should, however, just proxy the request, in which case the central RADIUS server does not see anything on inner/outer tunnels. If the EAP is handled by that central server, the trusted certificate should be there, and you will probably see an MSCHAPv2 request coming in instead of an EAP request. If your ClearPass is not configured to handle those, it's not so strange that you see a timeout.

    If RADIUS is proxied over the internet, it could also be that the RADIUS packets are fragmented and dropped somewhere on the route. Deploying RadSec would resolve that issue.

    Please be advised that PEAP-MSCHAPv2 should not be used anymore, as it contains broken encryption, and you should consider credentials to be leaked if you deploy it on devices that you don't 100% control and harden to prevent authentication against a rogue network.

    I would, as mentioned, start by capturing the requests you see coming in through the central server and compare those to the ones coming in directly from your own infrastructure. You could also see if there are retries with large packets, which may indicate the fragmentation/MTU issue.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
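A small triage script for the two checks the last reply describes: whether the upstream server is proxying the EAP session (EAP-Message attributes arrive intact) or has terminated PEAP and is forwarding a bare MSCHAPv2 exchange (Microsoft VSAs, no EAP-Message), and whether the forwarded datagram would exceed a 1500-byte path MTU and so be fragmented. This is an added example, not code from the thread, ClearPass, FreeRADIUS or Aruba. The two Access-Requests, the shared secret, the user name and the proxy name are constructed inline for illustration; on a real capture you would feed in the raw UDP payload of each request instead.

```python
"""Classify forwarded RADIUS Access-Requests: proxied EAP vs. terminated
MSCHAPv2, Message-Authenticator validity, and fragmentation risk.
Added example; sample packets and secret below are constructed, not captured."""
import hmac
import struct

# Attribute numbers from RFC 2865/2869; Microsoft VSAs from RFC 2548.
ACCESS_REQUEST = 1
USER_NAME = 1
VENDOR_SPECIFIC = 26
PROXY_STATE = 33
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
MS_VENDOR_ID = 311
MS_CHAP_CHALLENGE = 11
MS_CHAP2_RESPONSE = 25
IP_UDP_OVERHEAD = 28  # IPv4 header (20) + UDP header (8), no options


def attr(t, value):
    """One RADIUS TLV; the length byte counts its 2-byte header, so values cap at 253."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return bytes([t, len(value) + 2]) + value


def ms_vsa(vendor_type, value):
    """Microsoft Vendor-Specific attribute: vendor ID, then inner type/len/value."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR_ID) + inner)


def eap_messages(eap_packet):
    """Spread one EAP packet over as many EAP-Message attributes as it needs."""
    return b"".join(attr(EAP_MESSAGE, eap_packet[i:i + 253])
                    for i in range(0, len(eap_packet), 253))


def build_access_request(identifier, authenticator, attrs, secret):
    """Assemble an Access-Request; Message-Authenticator is HMAC-MD5 over the
    packet with that attribute's value zeroed (RFC 2869 section 5.14)."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    return pkt[:-16] + hmac.new(secret, pkt, "md5").digest()


def parse_attrs(pkt):
    """Return [(type, value, offset)] and reject a packet whose length field lies."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[off + 2:off + l], off))
        off += l
    return attrs


def verify_message_authenticator(pkt, secret):
    """True only if Message-Authenticator is present and matches this secret."""
    for t, v, off in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR and len(v) == 16:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), v)
    return False


def classify(pkt, mtu=1500):
    """Proxied EAP (home server runs the TLS tunnel) vs. terminated PEAP
    (upstream forwarded the inner MSCHAPv2), plus IP fragmentation estimate."""
    attrs = parse_attrs(pkt)
    eap = b"".join(v for t, v, _ in attrs if t == EAP_MESSAGE)
    ms_types = {v[4] for t, v, _ in attrs
                if t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == MS_VENDOR_ID}
    if eap:
        mode = "proxied-eap"
    elif MS_CHAP2_RESPONSE in ms_types:
        mode = "terminated-mschapv2"
    else:
        mode = "other"
    return {
        "mode": mode,
        "eap_bytes": len(eap),
        "eap_length_ok": bool(eap) and struct.unpack("!H", eap[2:4])[0] == len(eap),
        "via_proxy": any(t == PROXY_STATE for t, _, _ in attrs),
        "wire_bytes": IP_UDP_OVERHEAD + len(pkt),
        "fragments": IP_UDP_OVERHEAD + len(pkt) > mtu,
    }


# Constructed samples (assumed names, fixed secret/authenticator for reproducibility):
# a PEAP response carrying 1400 bytes of TLS as a proxy forwards it, and the
# inner MSCHAPv2 exchange as an EAP-terminating upstream would forward it.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
EAP_LEN = 1400
EAP_PEAP = struct.pack("!BBH", 2, 7, EAP_LEN) + bytes([25, 0]) + bytes(EAP_LEN - 6)
PROXIED_PKT = build_access_request(42, AUTHENTICATOR,
    attr(USER_NAME, b"alice@home.example") + attr(PROXY_STATE, b"fr-proxy-01")
    + eap_messages(EAP_PEAP), SECRET)
TERMINATED_PKT = build_access_request(43, AUTHENTICATOR,
    attr(USER_NAME, b"alice@home.example") + ms_vsa(MS_CHAP_CHALLENGE, bytes(16))
    + ms_vsa(MS_CHAP2_RESPONSE, bytes(50)), SECRET)

if __name__ == "__main__":
    for name, pkt in (("proxied", PROXIED_PKT), ("terminated", TERMINATED_PKT)):
        print(name, classify(pkt), "msg-auth ok:", verify_message_authenticator(pkt, SECRET))
```

The proxied sample comes out at 1483 RADIUS bytes, 1511 on the wire, so it would be fragmented on a plain 1500-byte path; this is the kind of request whose retries the reply suggests looking for, and it is exactly what RadSec (RADIUS over TCP/TLS) sidesteps. A request that classifies as terminated-mschapv2 means the upstream ran the TLS tunnel itself, so the client saw its certificate rather than the home CPPM's, and the home server receives an inner exchange its EAP service may not be set up to handle. The Message-Authenticator check is there because a proxy that rewrites the packet without recomputing it, or a wrong shared secret, shows up as a silent drop on the home server rather than a reject.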