Onboard - TLS Issues, User not found

  • 1.  Onboard - TLS Issues, User not found

    Posted May 30, 2017 02:02 AM

    ClearPass VA (ESXi) with Onboarding version 6.6.5.93747

    So, trying to set up onboarding using a single SSID.

     

    I have used the wizard to create the necessary services and policies. 

    I have then created the necessary networks, CA Server and onboarding profiles. 

     

    I have modified the pre-provisioning Enforcement profile to allow me to authenticate to AD for the PEAP portion of the process. 

     

    I have then tested this with a Windows 10 machine. The PEAP works fine and I can get to the onboarding page and download the software. I can run the software and get a certificate installed (under the user's certificate store) and the computer gets configured to then connect using TLS.

     

    But the TLS authentication fails with the error message:

    Error Code: 201
    Error Category: Authentication failure
    Error Message: User not found
     Alerts for this Request  
    RADIUS
    [Onboard Devices Repository] - localhost: User not found.
    [Guest User Repository] - localhost: User not found.
    EAP-TLS: Authentication failure, unknown user

     

    I have looked under Onboard and the user is registered and the device is registered as well.

     

    What am I missing?



  • 2.  RE: Onboard - TLS Issues, User not found

    EMPLOYEE
    Posted Jun 09, 2017 08:39 PM

    Make sure your identity store is added as an authentication source.

     

    Also, dual SSID onboarding is recommended in most cases.



  • 3.  RE: Onboard - TLS Issues, User not found

    Posted Oct 10, 2017 08:24 AM

    I've got this exact issue, did you manage to solve it?



  • 4.  RE: Onboard - TLS Issues, User not found

    Posted Oct 10, 2017 09:56 AM

    Anyone got any tips?

    The computer I'm testing with doesn't get connected. Access Tracker shows error code 201 "User not found".

    But I managed to onboard an iPhone. Problem is the auth source shows Active Directory instead of the Onboard database.

     

    Service has auth sources: onboard database, active directory, and a mac-list (in that order)

     

    Very strange... 



  • 5.  RE: Onboard - TLS Issues, User not found

    Posted Oct 10, 2017 10:51 AM

    OK, so I managed to get my computer to work also by adding user name strip :/ 

    But the auth source in Access Tracker shows AD as the source...

    But if I revoke the cert I get denied. So is this how it should be by design? I thought the Onboard database would show as the source. 

     

    How does your Access Tracker look for onboarded devices?

     

    Am I missing something?

     



  • 6.  RE: Onboard - TLS Issues, User not found

    EMPLOYEE
    Posted Oct 10, 2017 08:06 PM

    The only authentication source that should be defined would be your identity store (Active Directory).



  • 7.  RE: Onboard - TLS Issues, User not found

    Posted Oct 11, 2017 02:34 AM

    OK, so devices are actually not authenticated against the Onboard database. The certificate is the mechanism controlling the access for them?

     

    So should I need to strip /:user to actually make this work? Can't remember having this in there before and it has worked before.



  • 8.  RE: Onboard - TLS Issues, User not found

    EMPLOYEE
    Posted Oct 11, 2017 07:32 AM
    All the certificate does is replace the user password. The user is still authorized against the identity store.


  • 9.  RE: Onboard - TLS Issues, User not found

    Posted Oct 11, 2017 08:04 AM

    Great, thanks, now I understand the process better.



  • 10.  RE: Onboard - TLS Issues, User not found

    Posted Oct 31, 2018 08:48 AM

    Hi

     

    So what should be the correct Authentication Sources for 802.1x wired access for computers added with Onboard? Having only Onboard Devices Repository ends with: " Alerts for this Request
    RADIUS [Onboard Devices Repository] - localhost: User not found.
    EAP-TLS: Authentication failure, unknown user"

    I would like to accomplish the scenario where I deliver only a machine certificate and the computer authorizes before the user logs in.

     

     



  • 11.  RE: Onboard - TLS Issues, User not found

    EMPLOYEE
    Posted Oct 31, 2018 08:53 AM
    No auth source.


  • 12.  RE: Onboard - TLS Issues, User not found

    Posted Oct 31, 2018 05:02 PM

    The auth source is set to Onboard Devices Repository.

    Should I add another one?



  • 13.  RE: Onboard - TLS Issues, User not found

    EMPLOYEE
    Posted Oct 31, 2018 05:27 PM
    No, you shouldn't have any auth sources if you're not using user credentials.