Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM OnBoard for Androids

  • 1.  CPPM OnBoard for Androids

    Posted Jun 10, 2013 09:15 AM

    Hello AirHeads!

    I have a problem onboarding Android devices at a customer site.

    I have CPPM 6.0.1 running (now upgrading to 6.1.0; maybe it helps?).

    The configuration works well for i*device and OSX.

    But for the Asus Nexus with Android OS there is a problem:

    - connect to ESSID

    - authenticate with user/pass

    - do OnBoarding with the app from Google Play

    BUT

    - when reconnecting, in CPPM Access Tracker there is a REJECT with error "RADIUS: EAP-PEAP: fatal alert by client - unknown_ca"

    On the client's device it looks like the CA from CPPM was installed before.

    Please give me any idea about it.

    Thank you.

    Jaroslav



  • 2.  RE: CPPM OnBoard for Androids

    Posted Jun 11, 2013 04:38 AM

    Hello.

    I installed CPPM 6.1.0 yesterday and made the configuration from scratch.

    Now Android works fine with OnBoarding, BUT....

    ...I have a problem with iOS devices.

    OnBoarding is done OK, but when reconnecting to the ESSID there is an error in CPPM:

    RADIUS: Could not verify OCSP response EAP-TLS: fatal alert by server - certificate_unknown

    Do you have any idea what's wrong?

    Thank you.

    Jaroslav



  • 3.  RE: CPPM OnBoard for Androids

    Posted Jun 11, 2013 06:47 AM

    Hello!

    I have a workaround, but it's not solving the problem.

    I changed in CPPM:

    Services - Onboard Provisioning - Aruba

    - Authentication - Authentication Method:

    REMOVE: EAP-TLS with OCSP Enabled

    ADD: EAP-TLS

    It now works for iOS.

    Jaroslav



  • 4.  RE: CPPM OnBoard for Androids

    Posted Jun 12, 2013 05:46 PM

    You probably will want to open a TAC case on this one; TLS is a pain and there are so many little things that could go wrong that it will be almost impossible to troubleshoot over the message board.

    My guess is that the device has the OCSP URL embedded in the certificate and that URL no longer exists after upgrading. Try removing the profile from the iOS device and make sure that the root and device certificate are gone.

    Also:

    If you go to Guest and look at Onboard > Certificate Authority Settings, look at the OCSP URL.

    That URL has to be resolvable by the device, and if it doesn't match what is embedded in the certificate, then you need to edit the TLS method in CPPM and use the certificate override field, putting in what matches on the Guest side. This will override the embedded URL on the certificate and use the one specified.

    Also:

    iOS has some security things that they don't tell you about; specifically, if CPPM's server certificate is signed by a root that does not contain a common name, then it will fail.

    Right now Entrust (GoDaddy) and Verisign are signing certs that have roots without the CN. You have to specifically request one that does. I think we might have just started ignoring that problem in 6.1.1.

    Again, this is only for the cert that signs the CPPM server, not the CA root configured in Onboard/Guest.

    Don't know if this is much help, but hey, at least someone responded :)
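As an added example (not code from this thread, ClearPass, or HPE Aruba), the Go program below performs offline the two checks the reply above describes: whether the OCSP URL embedded in a device certificate's AIA extension matches the URL configured on the Guest/Onboard side, and whether the issuing root certificate carries a Common Name. It also confirms the device certificate actually chains to that root, and extracts the responder host the device would have to resolve. It generates its own constructed root and device certificates in memory; every URL, organization and user name in it is a placeholder, and in practice the configured URL comes from Onboard > Certificate Authority Settings and the device certificate is exported from the device and parsed with x509.ParseCertificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CheckOnboardCert runs offline the checks from the reply above: the OCSP URL embedded
// in the device certificate (AIA extension) must equal the configured one, the issuing
// root must have a Common Name, and the certificate must chain to that root.
func CheckOnboardCert(device, root *x509.Certificate, configuredOCSP string) []string {
	var findings []string
	if len(device.OCSPServer) == 0 {
		findings = append(findings, "device certificate carries no OCSP URL (no AIA extension)")
	}
	for _, embedded := range device.OCSPServer {
		if embedded != configuredOCSP {
			findings = append(findings, fmt.Sprintf("embedded OCSP URL %q differs from configured %q", embedded, configuredOCSP))
		}
	}
	if root.Subject.CommonName == "" {
		findings = append(findings, "root certificate subject has no Common Name")
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := device.Verify(opts); err != nil {
		findings = append(findings, "device certificate does not chain to the supplied root: "+err.Error())
	}
	return findings
}

// OCSPHost returns the host the device must be able to resolve to reach the responder;
// check it from the client network (e.g. nslookup), since that is where the device looks it up.
func OCSPHost(ocspURL string) (string, error) {
	u, err := url.Parse(ocspURL)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("OCSP URL %q has no host", ocspURL)
	}
	return u.Hostname(), nil
}

// MakeTestChain builds a constructed root CA plus a client certificate issued by it, with
// the given root Common Name and embedded OCSP URL. All of it lives in memory; no real
// ClearPass CA is involved.
func MakeTestChain(rootCN, ocspURL string) (device, root *x509.Certificate, err error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Constructed Onboard CA"}, CommonName: rootCN},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed-device-user"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		OCSPServer:   []string{ocspURL}, // becomes the AIA extension
	}
	devDER, err := x509.CreateCertificate(rand.Reader, devTmpl, root, &devKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	device, err = x509.ParseCertificate(devDER)
	return device, root, err
}

func main() {
	const oldURL = "http://ocsp.clearpass.example.test/ocsp" // constructed placeholder
	device, root, err := MakeTestChain("Constructed Onboard CA", oldURL)
	if err != nil {
		panic(err)
	}
	// A certificate issued before a rebuild changed the responder URL yields one finding.
	for _, f := range CheckOnboardCert(device, root, "http://ocsp.rebuilt.example.test/ocsp") {
		fmt.Println("finding:", f)
	}
}
```

A mismatch finding is exactly the situation where the reply suggests either re-enrolling the device (so it gets a certificate carrying the current URL) or setting the certificate override in the EAP-TLS method so the server queries the configured responder instead of the embedded one; a missing root Common Name is the server-certificate case the reply describes for iOS, and is worth checking on whichever CA signed the CPPM server certificate.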



  • 5.  RE: CPPM OnBoard for Androids

    Posted Jun 13, 2013 08:42 AM

    Thank you for the answer.

    I'll check it.

    Jaroslav