Security


Windows 11 with Onboard

  • 1.  Windows 11 with Onboard

    Posted Oct 09, 2023 07:42 AM

    I have configured a CA within Onboard and have it signing client certificates for an EAP-TLS SSID. I have this working ok for my iOS device, I install the certificate from the provisioning link in Onboard and install the network profile. During authentication I trust the relevant certificates and use the client certificate to authenticate against my EAP-TLS service, with OCSP enabled for revocation. 

    However, the Windows 11 device doesn't seem to pass authentication and fails within the QuickConnect app, after I have trusted the CA and signing cert. I have attached the associated log file. 

    I can view the certificates within the certificate management directories, including the user cert, so the installation seems to have worked.

    Attachment(s): quick1x.txt (48 KB)


  • 2.  RE: Windows 11 with Onboard

    Posted Oct 10, 2023 04:21 AM
    Edited by Herman Robers Oct 10, 2023 04:26 AM

    If I follow the logs, it looks like everything is okay until the moment that the client tries to connect to the network where it seems the wireless connection is in a specific state where QuickConnect cannot control it.

    Are you onboarding on a different network than the one you try to provision (eduroam-tls)? Is your SSID eduroam-tls (not just eduroam)?

    Is this provisioning working for other devices than iOS?

    If after the onboarding process, you try to manually connect to eduroam-tls, does it work then?

    As this is going quite deep into the internals of Windows, it may be good to work with Aruba TAC.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Windows 11 with Onboard

    Posted Oct 10, 2023 08:14 AM

    Are you onboarding on a different network than the one you try to provision (eduroam-tls)? Is your SSID eduroam-tls (not just eduroam)?

    -Yes, I access the provisioning link (protected by SSO) and download the QC app on another network (Guest) if that's what you mean? eduroam-tls is just a test SSID, with the idea to be implemented on eduroam at a later date. 

    Is this provisioning working for other devices than IOS?

    -No, it doesn't seem to be at the moment. Only iOS seems to be working currently. Windows, Android and macOS are not working. All failing at a similar stage. 

    If after the onboarding process, you try to manually connect to eduroam-tls, does it work then?

    -No, manual connection does not work. 

    As this is going quite deep into the internals of Windows, it may be good to work with Aruba TAC.

    -I'd like to verify if it's something I'm doing fundamentally wrong in the set up process first. Are there any guides/ documentation? I have watched a few of your videos on YouTube but I think our scenario is slightly different in that we're not doing the AD auth'z before downloading the QC app. Unless this is a necessity for this to work? I would expect it to fail on the iOS too if that were the case. 




  • 4.  RE: Windows 11 with Onboard

    Posted Oct 11, 2023 07:37 AM

    Unsure if it really is fundamentally different, as the onboarding seems to succeed... After that, the SSID and certificate trust seem to be the most likely points of attention. In general, if there are issues with Onboard but no errors in Access Tracker, it's related to certificates and/or using IP addresses instead of the FQDN. But I think you mentioned the only certificate actions you had were the 'adding CA' prompts, which are expected. 

    There is a Cloud Identity Provider Onboard Tech Note which covers at least the SSO part. Did you see that one?



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Windows 11 with Onboard

    Posted Oct 11, 2023 10:32 AM

    This is the error I am getting in the AT for the Windows device: 

    I've been through the SSID on the controller and there's nothing obvious which has been missed, bearing in mind the iOS client connected fine. Are there particular parameters on the controller which are likely to impact some devices but not others? 

    Not sure what else to check for related to the certificate trust. The root CA and signing certs are within the 'Trusted root CA' and the client cert is within the 'Personal' directory under the 'manage user certs' on the Windows device. 

    Thank you for the links. 




  • 6.  RE: Windows 11 with Onboard

    Posted Oct 12, 2023 09:29 AM

    Hi Herman, 

    I believe I understand the login flow a bit better now. I just have a separate service for the pre-login as I am using Azure SSO, whereas yours is slightly different in your YouTube video.

    The Azure SSO instructions have been followed and this is working for the pre-login step before installing the appropriate application for Onboard. This has its own service in CPPM. 

    I have a separate service for the app download/install process using an [Aruba Application Authentication] template. At the moment I do not have any auth'z or authentication sources (which are working) - should I have the Azure AD added as an auth'z and authentication source here? Could that be why I am getting the 'user not found' errors later on? 

    I then have the 802.1X service separate when the clients actually connect to the SSID. Here I should also have the Azure AD as an auth'z and authentication source? 




  • 7.  RE: Windows 11 with Onboard

    Posted Oct 16, 2023 04:05 AM

    The message 'EAP-TLS: Authentication failure, unknown user' suggests that you have Authorization enabled in your EAP-TLS Authentication method.

    If Authorization is enabled, you must have an authentication source under your service that can query for the username that's used. For Azure AD that probably won't work, unless you have the Azure users synced to your on premises AD and can query the username that is sent by the client from there. You can't add Azure AD as Authentication Source, just as Authorization Source; if you add it as Authentication Source at least in older versions your service will silently discard all authentications.

    The way that I use for this is to disable authorization in the Authentication Method, create a copy if you are using the built-in [EAP-TLS] method, and modify the copy. Then during authorization you can use the Azure AD authorization and/or Intune for authorization.

    The previous should apply for the 802.1X authentication, as that is where EAP-TLS is used.

    For some more details about Intune/Azure AD, there is a presentation on this page that shows screenshots on how to set this up (search for Azure AD on the page).



    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Windows 11 with Onboard

    Posted Oct 17, 2023 05:38 AM

    Hi Herman, Thank you for the response, that's useful. 

    The message 'EAP-TLS: Authentication failure, unknown user' suggests that you have Authorization enabled in your EAP-TLS Authentication method.

    -I'm using a custom EAP-TLS with OCSP authentication method currently, which has auth'z enabled by default. Thanks, I missed that setting. 

    If Authorization is enabled, you must have an authentication source under your service that can query for the username that's used. For Azure AD that probably won't work, unless you have the Azure users synced to your on premises AD and can query the username that is sent by the client from there. 

    -Are you saying that if the users are properly synced between Azure and the on-prem AD, I should be able to query Azure for auth'z? Or I should query the on-prem AD directly? 

    The way that I use for this is to disable authorization in the Authentication Method, create a copy if you are using the built-in [EAP-TLS] method, and modify the copy. Then during authorization you can use the Azure AD authorization and/or Intune for authorization. The previous should apply for the 802.1X authentication, as that is where EAP-TLS is used.

    -Thanks for the tip. 




  • 9.  RE: Windows 11 with Onboard

    Posted Oct 17, 2023 09:24 AM

    On the sync to local AD, if your Azure AD usernames are available/synced to the on-premises AD, you can indeed create a query to the local AD. You can't add Azure AD as an authentication source (it will stop the authentication altogether).

    In general, the combination of looking up the Intune-ID using the certificate CN into Intune should provide the same or better assurance for a valid device/user than verifying the username in AD.



    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: Windows 11 with Onboard

    Posted Oct 17, 2023 10:50 AM

    Thanks, Herman, 

    You mentioned in an earlier reply about disabling auth'z in the auth method. Which I have done and it works (including with Windows devices now too). What's the fundamental difference between enabling the auth'z in the auth method vs enabling auth'z in the service? As long as there's a valid auth'z source applied, what's the benefit/difference of using one or the other? 




  • 11.  RE: Windows 11 with Onboard

    Posted Oct 18, 2023 03:19 AM

    Ah, never realized that there is a collision in naming and this could cause confusion.

    The authorization (tab) in the service is all about collecting authorization/context information (hence authorization sources), which then can be used in role mapping or enforcement.

    The authorization option in the EAP Method results in a lookup in the corresponding source listed in the authentication tab, and rejects the authentication if the username sent does not exist in any of the authentication sources (EAP-TLS) or the used authentication source (password-based methods). In addition, that source is used for authorization, but most important is the scenario where authentication happens through EAP-TLS, so the actual authentication happens on ClearPass based on the client certificate, against the trust list, and not on the actual authentication source... if the username does not exist anymore, the certificate may still be valid, but with the authorization enabled in the method the authentication will fail and further processing of the request will stop.

    So the difference with authorization in the method is that the authentication itself will fail and reject/stop the further processing. With authorization sources in the service, those happen only after a successful authentication, and processing will just continue and it's up to yourself what you want to do with the present/missing authorization results. You could of course disable authorization in the method, and as your first enforcement check if the authorization source returned info, then reject if it doesn't.

    As always there are different ways you can do things in ClearPass, with the same or slightly different outcomes.



    ------------------------------
    Herman Robers
    ------------------------------



  • 12.  RE: Windows 11 with Onboard

    Posted Oct 19, 2023 02:20 PM

    You said:

     In addition that source is used for authorization, but most important is in the scenario where authentication happens through EAP-TLS, so the actual authentication happens on ClearPass based on the client certificate, against the trust list, and not on the actual authentication source... 

    According to the EAP-TLS RFC that is preferred; ClearPass, by contrast, uses the outer UserName identity. For Onboard and an AD auth source, it looks up the sAMAccountName for the certificate from Onboard.

    I have modified an AD authorization source to use the Certificate subject instead of sAMAccountName.

    I have an open TAC Case because doing something similar with an Azure authorization source does not produce a valid API call to Azure.

    With CPPM 6.9.13 I have proper EAP-TLS working with my custom AD authorization source and an anonymous outer identity.

    We need to move to 6.11 though and will soon need to use Azure as an authorization source. The TAC Case has moved VERY slowly.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------
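The distinction Herman draws in replies 7 and 11 (authorization inside the EAP-TLS method fails the authentication itself when the username is unknown, whereas authorization sources on the service tab only collect context and leave the decision to enforcement), plus Bruce's point in reply 12 about keying the lookup on the certificate subject rather than the outer identity, modelled as a small decision-flow simulation. This is an added example for illustration, not ClearPass code; the directory contents, the `Request` fields and the `lookup_key` switch are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed directory standing in for an AD / Azure AD authorization source.
DIRECTORY = {"alice": {"dept": "staff"}, "bob": {"dept": "student"}}


@dataclass
class Request:
    outer_identity: str  # EAP-Identity sent by the supplicant (may be anonymous)
    cert_cn: str         # CN of the client certificate Onboard issued
    cert_ok: bool        # chain builds to the trust list and OCSP status is good


def lookup(username):
    """Query the constructed directory; None means 'user not found'."""
    return DIRECTORY.get(username)


def evaluate(req, authz_in_method, require_authz_data, lookup_key="outer_identity"):
    """Return (decision, trail). lookup_key picks what is queried in the source:
    the outer identity (the thread's observed default) or the certificate CN."""
    trail = []
    # Step 1, authentication: EAP-TLS stands or falls on the certificate alone.
    if not req.cert_ok:
        trail.append("auth: client certificate rejected")
        return "REJECT", trail
    trail.append("auth: client certificate accepted against trust list")
    username = req.outer_identity if lookup_key == "outer_identity" else req.cert_cn
    attrs = lookup(username)
    # Step 2, authorization enabled in the EAP method: an unknown username
    # turns a successful TLS handshake into an authentication failure.
    if authz_in_method and attrs is None:
        trail.append("auth: EAP-TLS: Authentication failure, unknown user")
        return "REJECT", trail
    # Step 3, authorization sources on the service tab only gather context;
    # a miss does not stop processing.
    trail.append(f"authz: {username!r} -> {attrs}")
    # Step 4, enforcement: the admin decides what missing context means.
    if require_authz_data and attrs is None:
        trail.append("enforce: no authorization data, reject")
        return "REJECT", trail
    role = attrs["dept"] if attrs else "cert-only"
    trail.append(f"enforce: assign role {role}")
    return "ACCEPT", trail


if __name__ == "__main__":
    anon = Request("anonymous", "alice", True)  # anonymous outer identity, valid cert
    for in_method in (True, False):
        print("authz in method:", in_method, evaluate(anon, in_method, False))
```

The same valid certificate with an anonymous outer identity is rejected as "unknown user" with method-level authorization, but reaches enforcement once that option is off or the lookup is keyed on the certificate CN.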