Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x Authentication with onboard

  • 1.  802.1x Authentication with onboard

    Posted Mar 23, 2017 03:00 AM

    I configured Onboard on ClearPass, and the iPad installed the profile and certificate (ClearPass acts as the CA).

    I tried to test 802.1X authentication. The authentication method is EAP-TLS, but the login status is reject because there is an alert:

    "Certificate Status unknown, Reason (UNKNOWN)
    EAP-TLS: fatal alert by server - certificate_unknown
    eap-tls: Error in establishing TLS session"

    Is it about the CA on ClearPass or not?



  • 2.  RE: 802.1x Authentication with onboard

    EMPLOYEE
    Posted Mar 23, 2017 04:17 AM

    The message "EAP-TLS: fatal alert by server - certificate_unknown" means that your ClearPass (server) did not trust the client certificate that was sent by your client.

    Please check that the issuing CA (your Onboard CA, full chain) is in the ClearPass trust list and enabled, and possibly whether certificate revocation checking is possible (or disable the revocation check for now).

    This is a bit strange, as when you configure your Onboard CA, it should be injected into the trust list automatically. Also check the time/date/clock on the client and on ClearPass and other components like the controller/AP.

    Does this give you enough to continue troubleshooting? If not, it may help to get Aruba TAC involved as this does not look right.



  • 3.  RE: 802.1x Authentication with onboard

    Posted Mar 23, 2017 11:56 PM
    Hello Herman Robers,

    After I changed the common name on the CA from a name to the IP address of ClearPass, it works! User authentication is successful, but I have a little concern. Now we provision devices via HTTP. Actually, it is not secure, so I tried to force users to use HTTPS instead of HTTP.

    The result is that the iOS device cannot install the profile. There is an alert that shows "the server certificate is invalid". How do I solve it? Is a public certificate required?

    Thank you



  • 4.  RE: 802.1x Authentication with onboard

    EMPLOYEE
    Posted Mar 23, 2017 11:58 PM
    You should not be using an IP address in the certificate. The HTTPS certificate needs to be publicly signed.



  • 6.  RE: 802.1x Authentication with onboard

    EMPLOYEE
    Posted Mar 24, 2017 04:34 AM

    Where exactly did you change the Common Name? There are CNs in more than one place.

     

    OCSP = Online Certificate Status Protocol, which is a method of validating that the certificate is still valid. My suggestion to use the EAP-TLS method (without OCSP checking) was to rule out whether your issue was caused by the OCSP checking.

     

    I'd suggest that you seek assistance (partner, Aruba TAC) in getting this designed right. This isn't something that you should fix by trial and error; you need to have it designed right in the first place. In case you really want to do it yourself, please read and understand the ClearPass Certificates 101 Technote. Setting up Onboarding and TLS authentication is not difficult, but it must be done right from the beginning.

     

    What you will probably end up with:

    - ClearPass HTTPS certificate publicly trusted, signed by a public CA; this is needed to get iOS onboarding to work most reliably, and to avoid certificate errors for still unconfigured (pre-onboarding) clients.

    - ClearPass RADIUS certificate can be either from your private CA or from a public CA; check the Technote on when to pick what.

    - Client certificates issued by the ClearPass Onboard internal CA (only need to be trusted by ClearPass); OCSP URL set to http://127.0.0.1/guest/mdps_ocsp.php/4 where 4 is the internal number of your CA.

     

    My sincere apologies if I sound rude. Certificates appear to be challenging in general, and if you do it right it works perfectly. If you make a small error in the beginning of the process, it will chase you to the end. And as things depend on the details, it is highly unlikely that this forum will give you the most optimal solution. Your ClearPass partner, local Aruba SE, or the Aruba TAC can go through the details with you and find the optimal solution for your deployment.

     

    I started a video series on ClearPass hands-on yesterday that at a certain point will cover certificates as well; however, the certificate coverage may be a few weeks out from now, as I have limited time to produce those videos. Onboarding will probably be covered within 1-2 months. I expect that you can't wait that long.
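An added illustration, not part of this thread and not ClearPass code, of the two checks discussed above: the server-side chain check behind the "certificate_unknown" reject in reply 2 (issuing CA missing from the trust list, only part of the chain present, server clock off) and the hostname check behind the advice in replies 4 and 6 not to put an IP address in the HTTPS certificate. It uses only Go's standard library and builds a throwaway root CA, an Onboard-style subordinate CA and a device certificate in memory; every name in it (Example Root CA, Example Onboard CA, ipad-0001, clearpass.example.com, 10.0.0.5) is an assumption. Two caveats: the alert name a RADIUS server sends for an untrusted issuer differs between implementations, so the Go errors are matched by type rather than by alert; and Go's verifier matches names only against subjectAltName, never the Common Name, so the IP-only CN fails for that reason (what iOS does with the profile is the thread's claim, not something this code shows). OCSP is not exercised.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed hostname for the ClearPass HTTPS (Onboard portal) certificate.
const httpsHost = "clearpass.example.com"

// identity is a generated key pair plus its parsed certificate.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue fills in serial and validity, then signs tmpl with parent (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = tmpl.NotBefore.Add(365 * 24 * time.Hour)
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &identity{key, cert}
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

func leafTemplate(cn string, eku x509.ExtKeyUsage, sans ...string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
}

// pki is the constructed hierarchy: root -> Onboard CA -> device, plus two HTTPS certs from the root.
type pki struct{ root, onboardCA, device, httpsIPOnly, httpsDNS *identity }

func buildPKI() *pki {
	p := &pki{root: issue(caTemplate("Example Root CA"), nil)}
	p.onboardCA = issue(caTemplate("Example Onboard CA"), p.root)
	p.device = issue(leafTemplate("ipad-0001", x509.ExtKeyUsageClientAuth), p.onboardCA)
	p.httpsIPOnly = issue(leafTemplate("10.0.0.5", x509.ExtKeyUsageServerAuth), p.root) // IP in CN, no SAN
	p.httpsDNS = issue(leafTemplate(httpsHost, x509.ExtKeyUsageServerAuth, httpsHost), p.root)
	return p
}

// verifyClientCert replays what a RADIUS server does with an EAP-TLS client certificate: chain it to
// a trusted root through the enabled trust-list entries (only their certificates are used), judged
// by the server's own clock.
func verifyClientCert(client *x509.Certificate, now time.Time, trustList ...*identity) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, id := range trustList {
		if c := id.cert; c.CheckSignatureFrom(c) == nil { // self-signed: a root anchor
			roots.AddCert(c)
		} else { // subordinate CA: can only link a leaf towards a root
			intermediates.AddCert(c)
		}
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// diagnose maps a verification error to the remedy the thread discusses.
func diagnose(err error) string {
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "accept"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "reject: issuer not trusted (full issuing CA chain must be in the trust list and enabled)"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "reject: outside validity period (check the clock on client, ClearPass and NAS)"
	case errors.As(err, new(x509.HostnameError)):
		return "reject: name mismatch (the HTTPS certificate needs a matching subjectAltName)"
	}
	return "reject: " + err.Error()
}

func main() {
	p, now := buildPKI(), time.Now()
	fmt.Println("full chain in trust list:   ", diagnose(verifyClientCert(p.device.cert, now, p.root, p.onboardCA)))
	fmt.Println("Onboard CA not in trust list:", diagnose(verifyClientCert(p.device.cert, now, p.root)))
	fmt.Println("ClearPass clock 3h behind:  ", diagnose(verifyClientCert(p.device.cert, now.Add(-3*time.Hour), p.root, p.onboardCA)))
	fmt.Println("HTTPS cert with IP in CN:   ", diagnose(p.httpsIPOnly.cert.VerifyHostname("10.0.0.5")))
	fmt.Println("HTTPS cert with DNS SAN:    ", diagnose(p.httpsDNS.cert.VerifyHostname(httpsHost)))
}
```

Run it with go run. The trust list is passed as a plain list because the ClearPass trust list likewise holds both roots and subordinate CAs; the code sorts self-signed entries into the root pool and everything else into the intermediate pool, which is why a chain missing either its root or its Onboard CA is rejected the same way, and why a device certificate that is fine at the client's clock is still rejected when the server's clock is behind.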



  • 7.  RE: 802.1x Authentication with onboard

    Posted Mar 23, 2017 01:54 PM

    It appears that you have used the authentication method [EAP TLS With OCSP Enabled] but do not have an appropriate OCSP URL configured.

     

    Please try with [EAP TLS] authentication method in the Onboard 802.1x service and let us know an update.



  • 8.  RE: 802.1x Authentication with onboard

    Posted Mar 24, 2017 12:00 AM
    What is the difference between TLS with OCSP and TLS? I remember that when I configured it, I had to copy the OCSP URL and place it in TLS with OCSP (in Configuration > Authentication > Method).

    Please advise.