Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Onboard - Dual SSID - Devices not connecting via TLS

  • 1.  ClearPass Onboard - Dual SSID - Devices not connecting via TLS

    Posted Feb 22, 2017 01:19 PM

    Hi All,

     

    I have a dual ssid onboard configuration with the goal of:

     

    1. Log into guest ssid
    2. Click on register your device
    3. Log in with onboard "guest" credentials
    4. run through cert and profile installation process
    5. switch to different secured SSID with 802.1x TLS

    Everything works up until step 5. I get the profiles and certs, it says the device is provisioned, but the device never switches over to the other SSID. Access Tracker shows a failure with "Service categorization not found". Isn't the "Onboard Authorization" service supposed to be used for this step?

     

    N



  • 2.  RE: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

    Posted Feb 22, 2017 01:24 PM
    Do you have a service matching the 802.1x SSID configured in the device?



  • 3.  RE: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

    EMPLOYEE
    Posted Feb 22, 2017 01:29 PM
    Onboard authorization is used during the Onboard process. You need a service
    to handle your 802.1X authentications.


  • 6.  RE: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

    Posted Feb 22, 2017 01:40 PM

    @Victor Fabian wrote:
    Do you have a service matching the 802.1x SSID configured in the device?

    I did have it listed in the "Onboard Provisioning" service, but noticed that the SSID was incorrectly entered. Thank you for that.

     

    Now when I try to connect I get the error in access tracker: "

    RADIUSEAP-TLS: fatal alert by server - unknown_ca
    eap-tls: Error in establishing TLS session"

    Does the controller also need a certificate?

     

     



  • 7.  RE: ClearPass Onboard - Dual SSID - Devices not connecting via TLS

    Posted Feb 22, 2017 07:56 PM
    What type of client is this?



  • 8.  RE: ClearPass Onboard - Dual SSID - Devices not connecting via TLS
    Best Answer

    Posted Feb 23, 2017 10:35 AM

    It was both iOS and Android. After struggling with documentation for a few hours and redoing the same thing over and over, I called TAC.

     

    It turns out that for whatever reason, the certificate being installed on devices did not include the entire chain of certificates. Every new root CA I tried it on had this issue. When I switched to the default CA included out of the box with CP/Onboard it worked just fine.

     

    In the meantime I will just use the built-in root CA. I believe TAC said they would file a bug.

     

    N


