Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Stupid Question Around CPPM & Radius

  • 1.  Stupid Question Around CPPM & Radius

    Posted Jan 15, 2020 10:21 AM

    Hi,


    I have a (probably stupid) question regarding CPPM.


    Currently we use 802.1x EAP-TLS authentication with a Microsoft NPS solution on premise acting as our radius server.


    I want to use our CPPM as a radius server and have set up a test SSID with the CPPM servers added to the authentication sources.  I have added the controller to the network devices on ClearPass and created a new authentication source specifying the radius server (ClearPass IP) in this along with a new service for 802.1x Wireless.


    I am getting a "shared secret incorrect" message in the event viewer, but I have changed the secret multiple times to a simple string to make sure this is not the case.  Not sure what I am doing wrong.

     

    Thanks

    Scott



  • 2.  RE: Stupid Question Around CPPM & Radius

    Posted Jan 15, 2020 10:38 AM
    On the controller side you can enable "encrypt disable" and then use show running-config | begin "authentication-server radius".
    That will show the actual key; once you confirm it, make sure you are using the same one on both sides (controller and ClearPass).



  • 3.  RE: Stupid Question Around CPPM & Radius

    Posted Jan 15, 2020 10:50 AM

    Yes, just checked and can confirm I am using the key displayed on the controller.  The log on CPPM is returning:

     

    Error Code: 208
    Error Category: Authentication failure
    Error Message: No response from home server
    Alerts for this Request:
    RADIUS: No response from home server


  • 4.  RE: Stupid Question Around CPPM & Radius

    EMPLOYEE
    Posted Jan 15, 2020 10:51 AM

    In addition to Victor's excellent suggestion, verify that the IP addresses being used are what you expect. Since the controller has multiple IP interfaces, it's possible that the source IP ClearPass is receiving is not the same IP that you've changed the shared secret on. That's bitten me more than once... :)
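The two checks discussed in the last two replies (is the source IP a known network device, and does the packet verify under that device's shared secret) happen before the RADIUS server looks at EAP at all. The following is an added example, not code from the thread or from ClearPass: it builds an Access-Request the way a NAS does and applies those two checks the way a server does. The IP addresses, secrets and user name are constructed for the illustration; it uses only the Python standard library.

```python
"""Added example: the NAS/secret checks a RADIUS server applies before it touches EAP."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, user_name, nas_ip, eap_payload):
    """Build an Access-Request carrying an EAP-Message, signed with the NAS's secret.

    Message-Authenticator (RFC 2869 s5.14) is HMAC-MD5 keyed with the shared secret
    over the whole packet, computed with the attribute's 16 value bytes zeroed.
    RFC 3579 makes it mandatory whenever an EAP-Message attribute is present.
    """
    request_authenticator = os.urandom(16)
    attrs = (
        _attr(ATTR_USER_NAME, user_name.encode())
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
        + _attr(ATTR_EAP_MESSAGE, eap_payload)
    )
    length = 20 + len(attrs) + 18  # 18 = the Message-Authenticator attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    unsigned = header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Yield (type, offset_of_value, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def check_access_request(src_ip, packet, nas_table):
    """Mimic the checks a RADIUS server applies before any EAP processing.

    nas_table maps the source IP the server actually sees to the shared secret
    configured for that network device. Returns 'ok' or a reason for discarding.
    """
    secret = nas_table.get(src_ip)
    if secret is None:
        return f"discard: no network device entry for source IP {src_ip}"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "discard: not a well-formed Access-Request"
    ma_offset, has_eap = None, False
    for attr_type, value_offset, _value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            ma_offset = value_offset
        elif attr_type == ATTR_EAP_MESSAGE:
            has_eap = True
    if has_eap and ma_offset is None:
        return "discard: EAP-Message without Message-Authenticator (RFC 3579 s3.2)"
    if ma_offset is not None:
        zeroed = packet[:ma_offset] + bytes(16) + packet[ma_offset + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, packet[ma_offset:ma_offset + 16]):
            return "discard: Message-Authenticator invalid (shared secret mismatch)"
    return "ok"


if __name__ == "__main__":
    # Constructed scenario: the server knows the controller as 10.0.0.10 with this secret.
    nas_table = {"10.0.0.10": b"correct-secret"}
    eap_identity = b"\x02\x01\x00\x0a\x01scott"  # EAP Response/Identity for user "scott"
    good = build_access_request(b"correct-secret", 1, "scott", "10.0.0.10", eap_identity)
    bad = build_access_request(b"typo-secret", 2, "scott", "10.0.0.10", eap_identity)
    scenarios = [
        ("matching secret, expected source IP", "10.0.0.10", good),
        ("same packet, sent from another controller interface", "10.0.0.11", good),
        ("secret differs on the controller", "10.0.0.10", bad),
    ]
    for label, src_ip, pkt in scenarios:
        print(f"{label}: {check_access_request(src_ip, pkt, nas_table)}")
```

The second scenario is the one the reply above warns about: the packet is perfectly signed, but because it arrives from an interface IP that has no network-device entry, the server never even reaches the secret check, and a real server will typically log it as an unknown client rather than a secret error.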



  • 5.  RE: Stupid Question Around CPPM & Radius

    Posted Jan 16, 2020 09:07 AM

    Yip, I have checked this and I can see the request is coming from the correct IP address of the controller.

     

    Question

     

    Do you actually need to select the authentication sources in the service profile and put in the clearpass server IP?  

    If not what do I select as an auth source if I just want to use EAP-TLS as the authentication method?

     

    Thanks



  • 6.  RE: Stupid Question Around CPPM & Radius

    Posted Jan 16, 2020 09:20 AM

    OK, so I removed it and just added a new authentication method of EAP-TLS and disabled authorization.

     

    Just getting this error now which is a step forward:

     

    RADIUS: EAP-TLS: fatal alert by client - unknown_ca
    TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    eap-tls: Error in establishing TLS session
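The "fatal alert by client - unknown_ca" line above is the supplicant rejecting the certificate the RADIUS server presents in the EAP-TLS tunnel, because the issuing CA is not in the supplicant's trust store; the server side then reports exactly the OpenSSL text in the post. The following added example (not code from the thread, ClearPass or Aruba) reproduces that failure and the working case with a throwaway PKI over loopback, so you can see which side emits which error. It assumes the openssl command-line tool is on PATH and uses clearpass.example as a made-up server name.

```python
"""Added example: reproduce the supplicant-side unknown_ca alert with a throwaway PKI."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SERVER_NAME = "clearpass.example"  # assumed name for the lab server; goes in the cert SAN


def _openssl(*args):
    """Run one openssl CLI command (the openssl binary is assumed to be on PATH)."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_lab_pki(workdir):
    """Create a root CA, a server cert it signs, and an unrelated root CA. Returns paths."""
    path = lambda name: os.path.join(workdir, name)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Lab Root CA", "-keyout", path("ca.key"), "-out", path("ca.pem"))
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Unrelated Root CA", "-keyout", path("other.key"), "-out", path("other.pem"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={SERVER_NAME}",
             "-keyout", path("srv.key"), "-out", path("srv.csr"))
    with open(path("ext.cnf"), "w") as f:  # SAN for hostname checking, serverAuth EKU
        f.write(f"subjectAltName=DNS:{SERVER_NAME}\nextendedKeyUsage=serverAuth\n")
    _openssl("x509", "-req", "-days", "1", "-in", path("srv.csr"), "-CA", path("ca.pem"),
             "-CAkey", path("ca.key"), "-CAcreateserial", "-extfile", path("ext.cnf"),
             "-out", path("srv.pem"))
    return {"ca": path("ca.pem"), "other_ca": path("other.pem"),
            "cert": path("srv.pem"), "key": path("srv.key")}


def tls_handshake(client_trust_store, server_cert, server_key):
    """One TLS handshake over loopback. Returns what each side saw (None = success)."""
    result = {"client_error": None, "server_error": None}
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_cert, server_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def server_side():
        conn, _ = listener.accept()
        try:
            # wrap_socket() runs the handshake; the client's alert surfaces here as SSLError
            server_ctx.wrap_socket(conn, server_side=True).close()
        except ssl.SSLError as exc:
            result["server_error"] = exc.reason  # e.g. TLSV1_ALERT_UNKNOWN_CA
        except OSError as exc:
            result["server_error"] = f"socket error: {exc}"

    thread = threading.Thread(target=server_side)
    thread.start()
    # The client plays the supplicant: it trusts only what is in client_trust_store.
    client_ctx = ssl.create_default_context(cafile=client_trust_store)
    raw = socket.create_connection(listener.getsockname())
    tls = client_ctx.wrap_socket(raw, server_hostname=SERVER_NAME, do_handshake_on_connect=False)
    try:
        tls.do_handshake()
    except ssl.SSLCertVerificationError as exc:
        result["client_error"] = exc.verify_message  # "unable to get local issuer certificate"
    finally:
        tls.close()
    thread.join(timeout=10)
    listener.close()
    return result


def run_demo():
    """Build the lab PKI, then handshake once with the right CA and once with the wrong one."""
    with tempfile.TemporaryDirectory() as work:
        pki = make_lab_pki(work)
        trusted = tls_handshake(pki["ca"], pki["cert"], pki["key"])
        untrusted = tls_handshake(pki["other_ca"], pki["cert"], pki["key"])
    return trusted, untrusted


if __name__ == "__main__":
    trusted, untrusted = run_demo()
    print("supplicant trusts the issuing CA:", trusted)
    print("supplicant trusts a different CA: ", untrusted)
```

In the failing run the client reports the verification error and the server reports the alert it received from the client, which is the same split the CPPM log shows: the server cannot fix this on its own, the supplicant must trust the CA that issued the server certificate (or the server must present a certificate from a CA the supplicant already trusts).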


  • 7.  RE: Stupid Question Around CPPM & Radius

    EMPLOYEE
    Posted Jan 16, 2020 09:26 AM

    Do you want to onboard the devices using the Onboard option, or use the EAP-TLS protocol to authenticate the supplicant? In both cases we need client and server certificates installed on the supplicant and the CPPM server.

     

    EAP-TLS uses certificates to authenticate the client. You need to add your Microsoft NPS server as an authentication source. In the Onboard process it initially uses EAP-PEAP; once the client is onboarded (client certificate pushed to the device) it uses the EAP-TLS protocol to authenticate.

     

     



  • 8.  RE: Stupid Question Around CPPM & Radius

    Posted Jan 16, 2020 09:31 AM

    We want to remove our Microsoft NPS servers and use only CPPM as our radius server.


    This will just authenticate a user with a valid certificate using EAP-TLS and allow connection to the SSID using 802.1x

     

    Is this possible?

     

    Thanks

    Scott



  • 9.  RE: Stupid Question Around CPPM & Radius

    EMPLOYEE
    Posted Jan 16, 2020 09:59 AM

    We can do it. In the authentication source you need to provide details of where the user is stored. Is the user stored in AD or in the CPPM local repository/Guest User Repository?

     

    Check this onboard document for details.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33240