MVP

Stupid Question Around CPPM & Radius

Hi,


I have a (probably stupid) question regarding CPPM.


Currently we use 802.1x EAP-TLS authentication with a Microsoft NPS solution on premise acting as our radius server.


I want to use our CPPM as a radius server and have set up a test SSID with the CPPM servers added to the authentication sources.  I have added the controller to the network devices on ClearPass and created a new authentication source specifying the radius server (ClearPass IP) in this along with a new service for 802.1x Wireless.


I am getting a "shared secret incorrect" message in the event viewer, but I have changed this multiple times to a simple string to make sure this is not the case. Not sure what I am doing wrong.

 

Thanks

Scott

MVP Expert

Re: Stupid Question Around CPPM

On the controller side you can enable "encrypt disable" and then use show running-config | begin "authentication-server radius"
and that will show the actual key. Once you confirm that, make sure you are using the same on both sides (controller and ClearPass).

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP

Re: Stupid Question Around CPPM

Yes just checked and can confirm I am using the key displayed on the controller.  Log on CPPM is returning:

 

Error Code: 208
Error Category: Authentication failure
Error Message: No response from home server
Alerts for this Request:
RADIUS No response from home server

Re: Stupid Question Around CPPM & Radius

In addition to Victor's excellent suggestion, verify that the IP addresses being used are what you expect. Since the controller has multiple IP interfaces, it's possible that the source IP ClearPass is receiving is not the same IP that you've changed the shared secret on. That's bit me more than once... :)


Charlie Clemmer
Aruba Customer Engineering
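
An added illustration (not part of the thread, and not ClearPass or controller code) of why both checks suggested above matter: a RADIUS server selects the shared secret by the request's source IP and then verifies the Message-Authenticator attribute, an HMAC-MD5 over the packet keyed with that secret (RFC 3579). The addresses, secrets, identity and status strings are constructed for the example.

```python
import hashlib, hmac, os, struct

USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80  # RADIUS attribute types

def attr(type_, value):
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(secret, identifier, attrs):
    """NAS (controller) side: sign the request with the shared secret."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    # Code 1 = Access-Request, then identifier, length, Request Authenticator
    header = struct.pack("!BBH", 1, identifier, 20 + len(body)) + os.urandom(16)
    packet = header + body
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def verify_access_request(packet, source_ip, clients):
    """Server side: the secret is selected by source IP, then the HMAC is checked."""
    secret = clients.get(source_ip)
    if secret is None:
        return "unknown client"
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    pos = 20
    while pos + 2 <= len(packet):
        type_, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return "malformed"
        if type_ == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(packet[pos + 2:pos + 18], expected)
            return "ok" if ok else "shared secret mismatch"
        pos += alen
    return "missing Message-Authenticator"

# Constructed sample: one controller with two interfaces, each defined on the
# server with a different secret (documentation addresses, made-up secrets).
CLIENTS = {"192.0.2.10": b"new-secret", "192.0.2.20": b"old-secret"}
identity = b"host/laptop01"
eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
REQUEST = build_access_request(
    b"new-secret", 7, [attr(USER_NAME, identity), attr(EAP_MESSAGE, eap_identity)])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(ip, "->", verify_access_request(REQUEST, ip, CLIENTS))
```

The same packet verifies from the first address and fails from the second, which is the situation where the key on the controller is correct but the request is matched against a different network device entry.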
MVP

Re: Stupid Question Around CPPM & Radius

Yip I have checked this and I can see the request is coming from the correct IP address of the controller.

 

Question

 

Do you actually need to select the authentication sources in the service profile and put in the ClearPass server IP?

If not, what do I select as an auth source if I just want to use EAP-TLS as the authentication method?

 

Thanks

MVP

Re: Stupid Question Around CPPM & Radius

OK, so I removed it and just added a new Authentication Method as EAP-TLS and disabled authorization.

 

Just getting this error now which is a step forward:

 

RADIUS EAP-TLS: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session
MVP Expert

Re: Stupid Question Around CPPM & Radius

Do you want to onboard the devices using the Onboard option, or do you want to use the EAP-TLS protocol to authenticate the supplicant? In both cases we need a client and server certificate installed on the supplicant and the CPPM server.

EAP-TLS uses certificates to authenticate the client. You need to add your NPS Microsoft server as an authentication source. In the onboard process it initially uses EAP-PEAP; once the client is onboarded (client certificate pushed to the device) it uses the EAP-TLS protocol to authenticate.

 

 


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: Stupid Question Around CPPM & Radius

We want to remove our Microsoft NPS servers and use only CPPM as our radius server.


This will just authenticate a user with a valid certificate using EAP-TLS and allow connection to the SSID using 802.1x

 

Is this possible?

 

Thanks

Scott

MVP Expert

Re: Stupid Question Around CPPM & Radius

We can do it. In the authentication source you need to provide details of where the user is stored. Is the user stored in AD or in the CPPM local repository/Guest User Repository?

 

Check this onboard document for details.

 

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33240

 

 

 

 


Pavan Arshewar | ACCP
