2 weeks ago
I'm a bit puzzled on this one, and I don't even have a good hunch on this one.
I've got an internal-CA-signed server certificate. It includes the server certificate, the intermediate and the root chain on both clearpass VMs (in a cluster).
While most people want to get rid of the "windows cannot verify the server's identity." I'm at the point where I want to see it. Packet capture on clearpass on a non-domain windows laptop has data coming from the aruba controller (no alert on the machine, just spins.) If there's packets I see the events in the access tracker.
My Mac OS X eventually popped up the radius certificate in which I accepted. It authenticates with peap mschapv2 just fine.
However, on smartphones, and a domain-joined laptop (with a computer and user certificate installed) there is nothing that shows up in CPPM. No access tracker events, no RADIUS frames. I assume it is because the iphone can't validate the certificate, but why don't I get a prompt? Is there a way to understand what is failing here?
TAC brushed it off saying it was likely the controller. Controller is a 7205 on 22.214.171.124 code.
Solved! Go to Solution.
2 weeks ago
The certificate is presented in the first few authentication frames. That means that in order to get the client pop up, or even the client to decide not to continue authentication, there must have been some radius communication.
Clients that don't trust the certificate typically show up either as REJECT or TIMEOUT in the access tracker and you should see RADIUS traffic.
Do you see the client to attempt authentication if you run a 'show auth-tracebuf' on the controller? Most times if you run a Wireshark or other packet capture tool from the client, you should see EAPOL frames in the capture that indicate there is authentication attempted. Do you see those on the problem clients?
Good that you installed client certs, as MSCHAPv2 authentication should be avoided for security reasons unless you have full control and management over the clients that authenticate that way.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Re: No RADIUS requests from controller. No validate certificate prompt.
2 weeks ago
Thanks for the responses everyone.
I just wanted to follow up that I believe I hit a bug with the mobility master in which the controllers ended up with radius servers as a 127.0.0.1 loopback interface. Once that was manually overriden on each controller the show auth-trace-buf started to populate and we began seeing radius packets on the clearpass server.
I'm not sure why one device seemed to work over the other. Maybe that was a flaw in our testing.