Frequent Contributor II

Clearpass Onboarded device should not connect to other 802.1x ssid
Hi ,
I am configuring an Onboard SSID and a normal 802.1X SSID. The requirement is that once a device is onboarded, if it connects to the normal 802.1X SSID it should get a restricted-access VLAN. I am trying to find a proper attribute that can differentiate an onboarded user. There is no rule like "if Authorization: Onboard repository device MAC/user exists..."; I can only see an owner option for such a rule.

Re: Clearpass Onboarded device should not connect 802.1 ssid
If you are using TLS, you could create a policy so that only the TLS connection type can connect, vs. PEAP.

Tag it under the Role Mapping:


[screenshot: ClearPass Policy Manager, role mapping rule (2014-03-04)]

 

And then apply the policy


[screenshot: ClearPass Policy Manager, enforcement policy (2014-03-04)]

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Clearpass Onboarded device should not connect 802.1 ssid

Yep, I was thinking along the same lines.

I tried with TLS but was not able to do the authentication properly. The initial requirement was to do onboarding and domain-machine 802.1X on the same SSID, but I was not able to do it.

Instead of troubleshooting, I am trying to go with two SSIDs and limit access for onboarded machines on the other 802.1X SSID.

Any other method apart from TLS?

Guru Elite

Re: Clearpass Onboarded device should not connect 802.1 ssid

What was the error you were seeing when authentication failed?


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Clearpass Onboarded device should not connect 802.1 ssid
Can you please share how you have your service configured?

Is it failing during the pre/post-provisioning process, or after it has been provisioned?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: Clearpass Onboarded device should not connect 802.1 ssid


I don't remember the exact error, but it included unknown_ca.

Setup is: CPPM is the intermediate CA; the root CA is the customer CA.

While doing TLS, there was some certificate coming into the picture which was issued by an unknown CA: Communication Server.

I am not confident in the TLS configuration.

Guru Elite

Re: Clearpass Onboarded device should not connect 802.1 ssid

Unknown CA means the client doesn't have the Root CA configured/trusted.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

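To make the point above concrete, here is an added example (not from the thread, and not ClearPass or Aruba code) that rebuilds the thread's PKI shape with openssl: a customer root CA, a ClearPass intermediate CA issued by it, and an onboarded client certificate issued by the intermediate. It then validates the client certificate against three different trust-store contents. openssl, like the Windows supplicant, only accepts a chain that terminates at a trusted self-signed root, so the two failing cases correspond to what an EAP peer reports as the TLS alert unknown_ca: the validator has only the intermediate, or it has the root but the peer did not present the intermediate. All subject names, file names and the temp directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba/ClearPass.
# Rebuilds: customer root CA -> ClearPass intermediate CA -> onboarded client cert,
# then shows which trust-store contents let chain validation succeed.
# Subject names and file names are illustrative assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue the three-certificate chain into $WORK (RSA-2048, throwaway keys).
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

  # Customer root CA: the self-signed trust anchor the device must hold.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
      -subj "/CN=Customer Root CA" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # ClearPass (intermediate) CA, issued by the customer root, as in the thread.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
      -subj "/CN=ClearPass Onboard CA" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

  # Onboarded device certificate, issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" -out "$WORK/client.csr" \
      -subj "/CN=onboarded-laptop" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
      -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Validate client.pem the way a TLS peer does.
#   $1 = trust store (what the validator already has installed)
#   $2 = optional untrusted certs presented in the handshake (the intermediate)
# Prints "ok" when a chain to a trusted self-signed root can be built,
# otherwise "unknown_ca" (openssl's reason is "unable to get (local) issuer certificate").
verify_client() {
  trust="$1"
  untrusted="${2:-}"
  rc=0
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$trust" -untrusted "$untrusted" "$WORK/client.pem" >/dev/null 2>&1 || rc=$?
  else
    openssl verify -CAfile "$trust" "$WORK/client.pem" >/dev/null 2>&1 || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then echo ok; else echo unknown_ca; fi
}

build_chain

# Root installed on the validator, intermediate sent by the peer: the chain builds.
echo "root trusted, intermediate presented:     $(verify_client "$WORK/root.pem" "$WORK/inter.pem")"
# Only the ClearPass intermediate installed: no self-signed anchor, validation fails.
echo "only intermediate trusted:                $(verify_client "$WORK/inter.pem")"
# Root installed but the peer sent only its leaf: the issuer cannot be found.
echo "root trusted, intermediate not presented: $(verify_client "$WORK/root.pem")"
```

The middle case is the one that matches "CPPM is the intermediate CA, root CA is the customer CA": pushing only the ClearPass CA to the device is not enough, the customer root has to be in the device's trusted roots (and selected under "Validate server certificate" on Windows), and the side presenting its certificate has to send the intermediate along with it.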
Frequent Contributor II

Re: Clearpass Onboarded device should not connect 802.1 ssid

Hi Tim,

It would be a great help if you could share the TLS CPPM config and the end-client config.

I shall share the exact error details tomorrow once I get access to CPPM.


-harshad

Guru Elite

Re: Clearpass Onboarded device should not connect 802.1 ssid

Are you going through the full onboard process with the device? The root CA should be installed as part of that process.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor II

Re: Clearpass Onboarded device should not connect 802.1 ssid

Yes that device has root CA cert

In the Windows client settings I am selecting outer method: smart card or certificate,

and under "validate server certificate" the CA cert is present and checked.

