Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

QuickConnect/onboard issue

  • 1.  QuickConnect/onboard issue

    Posted Aug 27, 2014 05:00 PM

    I am trying to get Onboard working (I actually had it working, but then it stopped). I created Onboard as a CA and went through a tech note on how to create a single Onboard SSID here. It was working, but now when devices need to reprovision, the QuickConnect app makes it all the way through to the "checking connectivity" point and then times out and states there was a problem connecting to the network. In the AP logs I see entries stating "radius reject for station <username><mac> from server Clearpass", "Dropping the radius packet for station <mac> doing 802.1x", and "client <mac> is failed to authenticate". Like I stated, it was working with Android and Windows clients. I went on to start getting iOS clients going, which I was having issues with, so I tried the working clients and found that they could not re-provision themselves.....

    Does anybody have any suggestions or know of any log files that I might be able to use to get a better idea of what is going on? I have 2 other SSIDs for guest / staff traffic that do not use the Onboard piece.

    clearpass version - 6.3.4 - cp-va-500

    ap Instants - ap-105

     

    thanks for any ideas,

    Jon



  • 2.  RE: QuickConnect/onboard issue

    EMPLOYEE
    Posted Aug 27, 2014 05:05 PM
    What is access tracker showing?


  • 3.  RE: QuickConnect/onboard issue

    Posted Aug 27, 2014 05:07 PM

    It initially shows it going into a post-provision role, and then after the QuickConnect client times out it seems to show it going back into the pre-auth role.



  • 4.  RE: QuickConnect/onboard issue

    Posted Aug 27, 2014 05:10 PM
    Are you using EAP-TLS with OCSP?


  • 5.  RE: QuickConnect/onboard issue

    Posted Aug 28, 2014 10:21 AM

    Yes, we have it set up with EAP-TLS with OCSP and EAP-PEAP without Fast Reconnect - the defaults when I configured the Onboard service.



  • 6.  RE: QuickConnect/onboard issue

    Posted Aug 28, 2014 10:28 AM

    Did you add the OCSP link from the Onboard CA?

     

    2014-08-28 10_27_16-ClearPass Policy Manager - Aruba Networks.png

     



  • 7.  RE: QuickConnect/onboard issue

    EMPLOYEE
    Posted Aug 28, 2014 10:37 AM

    Please post a screenshot of the access tracker request where you are seeing the issue.



  • 8.  RE: QuickConnect/onboard issue

    Posted Aug 28, 2014 10:38 AM

    First off, thanks for the help.

    Yes, it is there. I am seeing the QuickConnect client step through the process, and after QC toggles the adapter, it comes up and moves to checking connectivity, and I noticed that the SSID is disabled within the client....



  • 9.  RE: QuickConnect/onboard issue

    EMPLOYEE
    Posted Aug 28, 2014 10:40 AM

    At that point, do you see a request in access tracker? What is the EAP method? EAP-TLS or EAP-PEAP?



  • 10.  RE: QuickConnect/onboard issue

    Posted Aug 28, 2014 11:31 AM

    Okay, so I recreated a whole new SSID, service, and root CA and have Android and Windows working. The iPad goes through the process of applying the profile, but when I try to reconnect it fails. In Access Tracker it has an alert:

    Capture.PNG



  • 11.  RE: QuickConnect/onboard issue

    EMPLOYEE
    Posted Aug 27, 2014 05:11 PM
    So the latest request is sending back a user role? No alert tab or anything?