Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Onboard - Intermediate CA deployment problems

  • 1.  Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 01, 2014 11:50 PM

    Hi,

    I'm trying to deploy CP with Onboard, using it as an intermediate CA with a Microsoft (MS) infrastructure. The domain is a .local and I understand that it's not possible to sign the DNS names using a trusted 3rd party like Verisign.

    However - I figure we should be able to sign the push and distribution certs using the internal CA, as devices will have to manually add the internal root CA and intermediate CA (ClearPass) before trying to enroll the device and complete the onboarding process.

    I've encountered the following challenges:

    a) It seems, though, that this doesn't look to be possible?

    b) Generating the push cert - it doesn't look to be a standard CSR - however I did get it signed by Apple - even though ClearPass throws a warning.

    c) Generation of the distribution cert (CSR) works and I have signed it on the MS Root CA using the web server template. When importing the certificate though I'm getting the following error message:

    - error 20 at 0 depth lookup:unable to get local issuer certificate

    Has anyone deployed ClearPass in the same fashion? Is it even possible to achieve using Onboard/OnGuard with ClearPass as an intermediate CA to provision devices and deploy certificates to them so they can then authenticate to our Dot1x'd BYOD SSID?

    I've read through the deployment guide and I've hit a wall, so any help would be greatly appreciated.



  • 2.  RE: Clearpass Onboard - Intermediate CA deployment problems

    EMPLOYEE
    Posted Apr 02, 2014 12:18 AM

    What version of CPPM are you using? 

     

    In 6.3 you should be able to since we split the Radius and HTTPS cert. 



  • 3.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 02, 2014 12:19 AM

    6.3

     

    I don't see a way round the push and distribution certs though?



  • 4.  RE: Clearpass Onboard - Intermediate CA deployment problems

    EMPLOYEE


  • 5.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 02, 2014 12:34 AM

    Yeah I found that while waiting on replies - it mentions another pdf to read, ‘ADCS with ClearPass OnBoard’.

    In the process of getting that.



  • 6.  RE: Clearpass Onboard - Intermediate CA deployment problems

    EMPLOYEE
    Posted Apr 02, 2014 12:45 AM

    The issue with iOS devices is that the web server cert needs to be issued by a trusted CA.

    So in your case you need to have the web server cert signed by a trusted CA.

    For the CA in CP Guest you need to do a CSR request and then import it in CP Guest. Then walk through the provisioning settings, where it will use the cert that was signed by the AD.

    [screenshot attachment: screenshot_01 Apr. 01 23.37.gif]



  • 7.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 02, 2014 02:15 AM

    Hi

     

    I'm unable to find that tech document on the support site - are you able to see if it has been published?

     

    RE: "There is another TechNote that specifically covers the configuration and  integration of ADCS called  ‘ADCS  with ClearPass OnBoard’."

     

     

    Thanks

    Nicholas



  • 8.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 02, 2014 12:00 PM

    Nicholas,

    We've had a delay in posting the ADCS TechNote, which explains why you can't see the doc..!!

    In relation to your problem.....we can add CPPM to ADCS as an intermediary....there are multiple steps that need to happen to ensure this works.....hopefully this list will get us going initially in the right direction.......

    You need to ensure CPPM is added to the AD Domain, then modify the filter query in the attributes tab for the filter Authentication. Make it.....

     (&(|(sAMAccountName=%{Authentication:Username})(userPrincipalName=%{Authentication:Username}))(objectClass=user))

    Next you need to create an auth method that will query the OCSP responder on ADCS instead of the CPPM OCSP responder. So copy the EAP TLS with OCSP and amend the URL to point to http://ADCS_SERVER/ocsp (typically)......

    Make sure any service you have created utilises the new auth-methods.

    You need to ensure that you have your cert trust list configured correctly: ensure you have downloaded the root cert + chain from ADCS and this has been added to the trust list on CPPM.

    This also needs to be added to the OnBoard cert store under Guest.

    Then ensure that under Onboard provisioning you have set CPPM to use ADCS as the certificate 'signer'....
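    An added example (my own code, not ClearPass's or Aruba's) that renders the authentication filter template from this post for a given username, escaping the substituted value per RFC 4515 so that characters such as `*`, `(` and `)` in a submitted username can only ever match a value and never change the filter's structure. The `%{Namespace:Attribute}` macro syntax follows the post; the request is modelled as a plain dict, and whether CPPM itself escapes the value it substitutes is an assumption this example does not make.

```python
import re

# RFC 4515 escaping for characters that are structural inside an LDAP search
# filter. Escaped this way, a username is a literal value, never filter syntax.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Filter template quoted in the post above (ClearPass %{Namespace:Attribute} macros).
FILTER_TEMPLATE = (
    "(&(|(sAMAccountName=%{Authentication:Username})"
    "(userPrincipalName=%{Authentication:Username}))(objectClass=user))"
)

_MACRO = re.compile(r"%\{([A-Za-z]+):([A-Za-z]+)\}")


def ldap_escape(value: str) -> str:
    """Escape a single attribute value for safe use in an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, request: dict) -> str:
    """Expand every %{Namespace:Attribute} macro with the escaped request value.

    `request` is a constructed stand-in for the authentication request, e.g.
    {"Authentication": {"Username": "jsmith"}}. A missing attribute raises
    rather than silently rendering an empty (and therefore broader) filter.
    """
    def _sub(match: re.Match) -> str:
        namespace, attribute = match.group(1), match.group(2)
        try:
            raw = request[namespace][attribute]
        except KeyError:
            raise KeyError(f"request has no attribute {namespace}:{attribute}")
        return ldap_escape(raw)
    return _MACRO.sub(_sub, template)


def balanced(filt: str) -> bool:
    """Sanity check: parentheses in a rendered filter must balance."""
    depth = 0
    for ch in filt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0
```

    The same template is used for both the sAMAccountName and userPrincipalName branches, so a UPN-style login (user@corp.local) and a short name both render into the post's filter shape.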




  • 9.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 14, 2014 08:53 PM

    Hi,

     

    I believe I've set up all the CA stuff correctly, but I'm having trouble with the device enrollment and getting a certificate on an iPad. I can login to ClearPass on the device provisioning page and download a profile (which the iPad trusts), but when installing the profile I'm getting an error:

    "a connection to the server could not be established".

    Does anyone have any thoughts? Is there a troubleshooting guide I can read to work through this problem?

    To make life simple the ACL on the role is an allow all, and I can connect direct to the https://clearpass.domain.com/guest/mdps_profile.php URL manually... So what is it trying to connect to?

    The only thing that I can see that might be causing a problem - when trying to install, the following error is seen on the ClearPass Access Tracker, RADIUS request in Rejected, details:

    Error Code: 204
    Error Category: Authentication failure
    Error Message: Failed to classify request to service
    Alerts for this Request: RADIUS - Service Categorization failed


  • 10.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 14, 2014 09:43 PM
    Did you use a self signed certificate?

    If you did, I recommend strongly that you get a public signed cert. Things will be much easier.

    Please excuse my errors as sent using my small useless keyboard on my smartphone.

    Regards
    --d

    Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
    o: 408-513-8938 (diverts to cell)
    e: danny@arubanetworks.com


  • 11.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 14, 2014 10:22 PM

    Hi,

     

    For the https certificate I used a public certificate with external DNS pointing to the internal IP address of the ClearPass server (so the cert could be signed using the FQDN).

    The RADIUS certificate is signed by itself using the internal CA infrastructure; when downloading the root certificate chain, it includes the Microsoft Root CA and the ClearPass Intermediate CA.

    In the package that is downloaded from ClearPass it is signed by the internal CA (as expected) and the Encrypted Profile Service is using the public DNS name in the URL for the mdps_profile link+challenge key (so there shouldn't be an SSL problem).



  • 12.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 17, 2014 05:07 PM

    We started seeing the same error in a previously working system today. Apparently the Apple certificate is expired. Waiting on Aruba to release a patch with the new certificate. I'm told one may be available as early as tomorrow (Friday 4/18/2014).

     

    After seeing "A connection to the server could not be established." when attempting to install the Profile, click cancel and we see "Cannot determine trusted identity of certificate ... O=Apple Inc./OU=iPhone"



  • 13.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 21, 2014 06:01 PM

    We are getting onboarding errors now as well. 



  • 14.  RE: Clearpass Onboard - Intermediate CA deployment problems

    EMPLOYEE
    Posted Apr 21, 2014 06:12 PM
    The patch was released last week. Look under software updates.


  • 15.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 21, 2014 06:14 PM

    After installing these two patches the issues with iOS and MacOS devices were resolved in our deployment. They were both available under ClearPass Administration / Agents and Software Upgrades / Software Updates / Firmware & Patch Updates

    Patch: ClearPass OpenSSL fix - Security Advisory CVE-2014-0160* | version 1.7360 | released 2014/04/08 | installed 2014/04/18 13:39:14 | status: Installed
    Patch: ClearPass Onboard iOS enrollment fix | version 0.0237 | released 2014/04/17 | installed 2014/04/18 13:46:30 | status: Installed


  • 16.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 21, 2014 06:26 PM

    Thanks.  I'm assuming it's not showing up for me because I don't have cumulative patch 6 installed?



  • 17.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 21, 2014 06:31 PM

    Possibly; I had to install this patch first myself. Then the other two were available.

    Patch: ClearPass Cumulative Patch 1 for 6.3.0* | version 670.5182 | released 2014/03/18 | installed 2014/04/18 13:29:57 | status: Installed


  • 18.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 21, 2014 06:34 PM

    Thanks.  Does anyone know if there is a mailing list for when new patches like this come out?



  • 19.  RE: Clearpass Onboard - Intermediate CA deployment problems

    EMPLOYEE
    Posted Apr 21, 2014 07:08 PM
    You can configure ClearPass to email you when a new update is downloaded.


  • 20.  RE: Clearpass Onboard - Intermediate CA deployment problems

    Posted Apr 21, 2014 07:38 PM

    yeah the only issue with that was that because I wasn't on the latest cumulative update the Apple patch never showed up.  I'm assuming when the "fix" for the Apple issues says it ignores the "not valid before" and "not valid after" fields that it's only doing that on the apple certificate and not the certificate the device gets after enrollment.