Original Message:
Sent: Oct 18, 2023 03:19 AM
From: Herman Robers
Subject: Windows 11 with Onboard
Ah, never realized that there is a collision in naming and this could cause confusion.
The authorization (tab) in the service is all about collecting authorization/context information (hence authorization sources), which then can be used in role mapping or enforcement.
The authorization option in the EAP Method results in a lookup in the corresponding source listed in the authentication tab, and rejects the authentication if the username sent does not exist in any of the authentication sources (EAP-TLS) or in the used authentication source (password-based methods). In addition, that source is used for authorization, but most important is the scenario where authentication happens through EAP-TLS, so the actual authentication happens on ClearPass based on the client certificate, against the trust list, and not on the actual authentication source... if the username does not exist anymore, the certificate may still be valid, but with the authorization enabled in the method the authentication will fail and further processing of the request will stop.
So the difference with authorization in the method is that the authentication itself will fail and reject/stop the further processing. With authorization sources in the service, those happen only after a successful authentication, and processing will just continue and it's up to yourself what you want to do with the present/missing authorization results. You could of course disable authorization in the method, and as your first enforcement check if the authorization source returned info, then reject if it doesn't.
As always there are different ways you can do things in ClearPass, with the same or slightly different outcomes.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
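The two processing orders Herman describes (authorization inside the EAP method, which stops the request on an unknown user, versus authorization sources on the service, which only collect attributes for enforcement to act on) can be shown as a small decision model. This is an added, constructed example, not code from the thread or from ClearPass; the directory contents, the `Request` shape and the two enforcement policies are assumptions made for illustration. The reject string is the Access Tracker message quoted earlier in the thread.

```python
"""Constructed model of where ClearPass applies authorization for EAP-TLS (not ClearPass code)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    username: str    # identity the client presents (e.g. certificate CN for EAP-TLS)
    cert_valid: bool # certificate chains to the trust list and passes OCSP


@dataclass
class Result:
    decision: str            # "ACCEPT" or "REJECT"
    reason: str
    attributes: dict = field(default_factory=dict)


# Constructed stand-in for an authorization source such as an on-premises AD
# that Azure users are synced to. "alice" still exists; "bob" has left the
# organisation but his client certificate has not been revoked.
DIRECTORY = {"alice": {"department": "staff", "role": "Employee"}}


def lookup(username):
    """Attribute lookup against the directory; None means 'unknown user'."""
    return DIRECTORY.get(username)


def process_request(req, authorization_in_method, enforcement):
    # Step 1: EAP-TLS authentication is decided by the trust list / OCSP,
    # not by the directory.
    if not req.cert_valid:
        return Result("REJECT", "certificate failed trust or OCSP check")
    attrs = lookup(req.username)
    # Step 2a: authorization enabled in the EAP method. An unknown user fails
    # the authentication itself and processing stops here.
    if authorization_in_method and attrs is None:
        return Result("REJECT", "EAP-TLS: Authentication failure, unknown user")
    # Step 2b: authorization sources on the service only collect attributes;
    # what happens with missing attributes is up to the enforcement policy.
    return enforcement(req, attrs)


def reject_if_no_authz(req, attrs):
    """Enforcement policy: first rule rejects when the source returned nothing."""
    if attrs is None:
        return Result("REJECT", "enforcement: no authorization attributes for user")
    return Result("ACCEPT", "enforcement: role from directory", attrs)


def accept_any_valid_cert(req, attrs):
    """Enforcement policy that ignores the authorization result (weak setting)."""
    return Result("ACCEPT", "enforcement: certificate only", attrs or {})


def run_scenarios():
    """Return the decision for each combination, keyed by a short label."""
    alice, bob = Request("alice", True), Request("bob", True)
    return {
        "alice/method":      process_request(alice, True,  accept_any_valid_cert).decision,
        "bob/method":        process_request(bob,   True,  accept_any_valid_cert).decision,
        "bob/service-weak":  process_request(bob,   False, accept_any_valid_cert).decision,
        "bob/service-check": process_request(bob,   False, reject_if_no_authz).decision,
        "bob/bad-cert":      process_request(Request("bob", False), False,
                                             accept_any_valid_cert).decision,
    }


if __name__ == "__main__":
    for label, decision in run_scenarios().items():
        print(f"{label:20s} {decision}")
```

The `bob/service-weak` row is the case to watch for: with authorization disabled in the method, a departed user whose certificate is still unrevoked is accepted unless an enforcement rule explicitly rejects on the missing authorization result, which is exactly the first-rule check Herman suggests.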
Original Message:
Sent: Oct 17, 2023 10:49 AM
From: AdamNewsonCU
Subject: Windows 11 with Onboard
Thanks, Herman,
You mentioned in an earlier reply about disabling auth'z in the auth method. Which I have done and it works (including with Windows devices now too). What's the fundamental difference between enabling the auth'z in the auth method vs enabling auth'z in the service? As long as there's a valid auth'z source applied, what's the benefit/difference of using one or the other?
Original Message:
Sent: Oct 17, 2023 09:24 AM
From: Herman Robers
Subject: Windows 11 with Onboard
On the sync to local AD, if your Azure AD usernames are available/synced to the on-premises AD, you can indeed create a query to the local AD. You can't add Azure AD as an authentication source (it will stop the authentication altogether).
In general, the combination of looking up the Intune-ID using the certificate CN into Intune should provide the same or better assurance for a valid device/user than verifying the username in AD.
Original Message:
Sent: Oct 17, 2023 05:38 AM
From: AdamNewsonCU
Subject: Windows 11 with Onboard
Hi Herman, Thank you for the response, that's useful.
The message 'EAP-TLS: Authentication failure, unknown user' suggests that you have Authorization enabled in your EAP-TLS Authentication method.
-I'm using a custom EAP-TLS with OCSP authentication method currently, which has auth'z enabled by default. Thanks, I missed that setting.
If Authorization is enabled, you must have an authentication source under your service that can query for the username that's used. For Azure AD that probably won't work, unless you have the Azure users synced to your on premises AD and can query the username that is sent by the client from there.
-Are you saying that if the users are properly synced between Azure and the on-prem AD, I should be able to query Azure for auth'z? Or I should query the on-prem AD directly?
The way that I use for this is to disable authorization in the Authentication Method, create a copy if you are using the built-in [EAP-TLS] method, and modify the copy. Then during authorization you can use the Azure AD authorization and/or Intune for authorization. The previous should apply for the 802.1X authentication, as that is where EAP-TLS is used.
-Thanks for the tip.
Original Message:
Sent: Oct 16, 2023 04:04 AM
From: Herman Robers
Subject: Windows 11 with Onboard
The message 'EAP-TLS: Authentication failure, unknown user' suggests that you have Authorization enabled in your EAP-TLS Authentication method.
If Authorization is enabled, you must have an authentication source under your service that can query for the username that's used. For Azure AD that probably won't work, unless you have the Azure users synced to your on premises AD and can query the username that is sent by the client from there. You can't add Azure AD as Authentication Source, just as Authorization Source; if you add it as Authentication Source at least in older versions your service will silently discard all authentications.
The way that I use for this is to disable authorization in the Authentication Method, create a copy if you are using the built-in [EAP-TLS] method, and modify the copy. Then during authorization you can use the Azure AD authorization and/or Intune for authorization.
The previous should apply for the 802.1X authentication, as that is where EAP-TLS is used.
For some more details about Intune/Azure AD, there is a presentation on this page that shows screenshots on how to set this up (search for Azure AD on the page).
Original Message:
Sent: Oct 12, 2023 09:28 AM
From: AdamNewsonCU
Subject: Windows 11 with Onboard
Hi Herman,
I believe I understand the login flow a bit better now. I just have a separate service for the pre-login as I am using Azure SSO, whereas yours is slightly different in your YouTube video.
The Azure SSO instructions have been followed and this is working for the pre-login step before installing the appropriate application for Onboard. This has its own service in CPPM.
I have a separate service for the app download/install process using an [Aruba Application Authentication] template. At the moment I do not have any auth'z or authentication sources (which are working) - should I have the Azure AD added as an auth'z and authentication source here? Could that be why I am getting the 'user not found' errors later on?
I then have the 802.1X service separate when the clients actually connect to the SSID. Here I should also have the Azure AD as an auth'z and authentication source?
Original Message:
Sent: Oct 11, 2023 07:37 AM
From: Herman Robers
Subject: Windows 11 with Onboard
Unsure if it really is fundamentally different as the onboarding seems to succeed... After that, the SSID and certificate trust seem to be the most likely points of attention. In general, if there are issues with Onboard but no errors in Access Tracker, it's related to certificates and/or using IP addresses instead of the FQDN. But I think you mentioned the only certificate actions you had were the 'adding CA' prompts, which are expected.
There is a Cloud Identity Provider Onboard Tech Note which covers at least the SSO part. Did you see that one?
Original Message:
Sent: Oct 10, 2023 08:14 AM
From: AdamNewsonCU
Subject: Windows 11 with Onboard
Are you onboarding on a different network than the one you try to provision (eduroam-tls)? Is your SSID eduroam-tls (not just eduroam)?
-Yes, I access the provisioning link (protected by SSO) and download the QC app on another network (Guest) if that's what you mean? eduroam-tls is just a test SSID, with the idea to be implemented on eduroam at a later date.
Is this provisioning working for other devices than iOS?
-No, it doesn't seem to be at the moment. Only iOS seems to be working currently. Windows, Android and macOS are not working. All failing at a similar stage.
If after the onboarding process, you try to manually connect to eduroam-tls, does it work then?
-No, manual connection does not work.
As this is going quite deep into the internals of Windows, it may be good to work with Aruba TAC.
-I'd like to verify if it's something I'm doing fundamentally wrong in the setup process first. Are there any guides/documentation? I have watched a few of your videos on YouTube but I think our scenario is slightly different in that we're not doing the AD auth'z before downloading the QC app. Unless this is a necessity for this to work? I would expect it to fail on iOS too if that were the case.
Original Message:
Sent: Oct 10, 2023 04:21 AM
From: Herman Robers
Subject: Windows 11 with Onboard
If I follow the logs, it looks like everything is okay until the moment that the client tries to connect to the network where it seems the wireless connection is in a specific state where QuickConnect cannot control it.
Are you onboarding on a different network than the one you try to provision (eduroam-tls)? Is your SSID eduroam-tls (not just eduroam)?
Is this provisioning working for other devices than iOS?
If after the onboarding process, you try to manually connect to eduroam-tls, does it work then?
As this is going quite deep into the internals of Windows, it may be good to work with Aruba TAC.
Original Message:
Sent: Oct 09, 2023 07:42 AM
From: AdamNewsonCU
Subject: Windows 11 with Onboard
I have configured a CA within Onboard and have it signing client certificates for an EAP-TLS SSID. I have this working ok for my iOS device, I install the certificate from the provisioning link in Onboard and install the network profile. During authentication I trust the relevant certificates and use the client certificate to authenticate against my EAP-TLS service, with OCSP enabled for revocation.
However, the Windows 11 device doesn't seem to pass authentication and fails within the QuickConnect app, after I have trusted the CA and signing cert. I have attached the associated log file.
I can view the certificates within the certificate management directories, including the user cert, so the installation seems to have worked.