Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

ClearPass Onboard Single SSID

This thread has been viewed 12 times

  • 1.  ClearPass Onboard Single SSID

    Posted Dec 16, 2013 06:15 PM

     

    I used the solution exchange (beta) tool for  Wireless Onboard w/ Single SSID.

     

    I started out simple by using a local account on ClearPass to perform an initial test to see if my config was working.  It worked, generating a certificate and all expected database entries. 

     

    Issue is that I revoked and deleted the certificates from both ClearPass and the client.  I'm intending to repeat the entire onboarding process again with the client, but this time using an Active Directory source.

    I can;t seem to get the controller to pass the auth request to ClearPass now.  The controller seems to be looking for a certificate before starting the authentication routine with ClearPass.

    Nothing is seen in the ClearPass access tracker.  The client message in Win7 shows a message that a certificate is required, and access is denied.

     

    Is there some cache or setting I need to change in the controller to allow for the same machine to basically start-over in the single SSID Onboard process?

     

    I'm using ClearPass 6.2 and AOS 6.3

     

     

    Regards,

    Colin

     

     

     

     



  • 2.  RE: ClearPass Onboard Single SSID

    EMPLOYEE
    Posted Dec 16, 2013 06:39 PM

    The client is still in the user table most likely.  From ssh on the controller do a show user and then a "aaa user delete <ip address of client>" and retest



  • 3.  RE: ClearPass Onboard Single SSID

    Posted Dec 17, 2013 11:43 AM

    Thanks Seth for the quick response.

     

    I checked the user table and my client was not listed by ip

     

    I did find it in the "show aaa device-id-cache" , which shows it by MAC address

    However, I can't seem to figure out how to clear that table.  Deleting the user by MAC does not work.

     

    I could still change my process and go to a provisioning SSID, instead of the single SSID.  If there are bugs in the AOS 6.3 related to single SSID BYOD with ClearPass, then I may need to switch to that immediately.

     

    Regards,

    Colin  

     



  • 4.  RE: ClearPass Onboard Single SSID

    EMPLOYEE
    Posted Dec 17, 2013 12:41 PM
    I've been running 6.3 with no issues on a single SSID.

    It sounds like the profile is still being held in the client device. Make sure you delete the SSID profile in the windows device. NOT just the cert.


  • 5.  RE: ClearPass Onboard Single SSID

    Posted Dec 19, 2013 10:16 AM

    Deleting the SSID profile worked.  Thanks a lot for the info.

     

     

    Follow up questions:

    Whenever a certificate is revoked, deleted or expired, it seems like the user will have to manually delete the SSID profile.  Is this a minor nuisance that must be accepted when using a single SSID?   (is there any workaround to reduce calls to IT, and make it more user friendly?)    

     

    Thanks,

    Colin 

     



  • 6.  RE: ClearPass Onboard Single SSID

    EMPLOYEE
    Posted Dec 19, 2013 04:17 PM

    You can setup a role to force a user to reonboard based on expireation date of the cert. For example I have mine based on a 2 week time period.

     

    expirecert1.png

     

    Dave did a great post on how to set it up.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/m-p/95827#M6710

     

    There are some features in 6.3 that will aslo help with this.



  • 7.  RE: ClearPass Onboard Single SSID

    Posted Jan 08, 2014 12:47 PM

    Hey tarnold.  This is good information.  So what action are you taking once a client is found that fits into this category?  Also can you elaboration on your statement about the 6.3 features that help out with this?  thx



  • 8.  RE: ClearPass Onboard Single SSID

    EMPLOYEE
    Posted Jan 08, 2014 10:43 PM

    You can do one of two things

     

    1. You can use the new feature in 6.3 that will send an email to the user that their cert is about to expire

     

    2. You can use the same above plus the new feature so it will notify the user at a certian time and if they dont change the cert it will push them to the portal.

     

    (per the .1x standard we are not alowed to allow a device to connect with an expired cert so this is a way to help prevent the user from just getting kicked off the network and not knowing why.)

     

     

     

    expirecertnotify.png

     

    So for example in my lab I have my certs expire every 60 days

     

    1. Two weeks before my cert expires I will get an email each night telling me to get a new cert

     

    2. If I dont or forget then starting 1 week before the expiration I will get automaticly sent to the provisioning page with the query in    Daves Post.



  • 9.  RE: ClearPass Onboard Single SSID

    Posted Jan 09, 2014 02:26 PM

    That looks like a great idea.  And when you say reprovision I assume it sends them to the same onboarding page that was used when they initially onboarded?  And that will detect that they already have a cert and just renew the existing cert?  I don't have a test 6.3 controller to test this but in the user guide i'm not seeing where to configure the feature we're discussing.  thanks for the time



  • 10.  RE: ClearPass Onboard Single SSID

    EMPLOYEE
    Posted Jan 10, 2014 12:36 AM
    Question
    1. Yes
    2. Yes

    What I am showing 6.3 CPPM beta you will not see the email part of it until the release