Frequent Contributor I

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

This is expected behavior for devices that have been onboarded with EAP-PEAP credentials (Windows and Android by default).  You need to add the Onboarded Devices repository as an authentication source to the 802.1X service you are using.  
Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

  • I know that - I did it... but my client would like to use his own RADIUS (like the situation today) for the 802.1X SSID.
  • ClearPass is being used just for onboarding smart devices + installing the cert + creating the 802.1X profile on the devices.
A. I added the CPPM as a 3rd RADIUS + failover in the Aruba AAA profile of the 802.1X SSID.
B. Still, when a user has finished onboarding and tries to connect with the 802.1X profile made by the onboard process (and it is also checked against the CPPM Onboard repository), it fails: user not found (it just doesn't find a username with this "mdps addon...").
C. Each user that tries to connect to the 802.1X SSID will fail over through 2 other RADIUS servers before arriving at the CPPM for auth... it's kind of a slow process, no?
Please advise.
thanks,

me.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Frequent Contributor I

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

When a device is onboarded and configured for EAP-PEAP it is issued a unique username and password (e.g. username:12:mdps_generic). After onboarding, the device will no longer use the AD username/password for authentication; it will use the unique credentials issued during the onboarding process. You will not be able to authenticate directly to AD with the credentials issued by Onboard. You need to authenticate against the Onboarded Devices Repository in ClearPass.
Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

OK thanks, I just configured it like you wrote - testing it soon.

But let's say I have, in the same 802.1X profile / server group, 2 other RADIUS servers of the enterprise that are for users connecting to 802.1X without onboarding... won't that slow the process, because of the fail-over function?

Frequent Contributor I

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

Yes, that will slow the authentication process for Onboarded devices, as they will have to fail through the two IAS servers before reaching ClearPass.
Are you using EAP termination on the Aruba controller? RADIUS fail-through is not recommended for 802.1X if EAP sessions are being terminated on the RADIUS servers. Check out this thread: http://community.arubanetworks.com/t5/Security-WIDS-WIPS-and-Aruba-ECS/Radius-Fail-through-and-802-1x-Machine-Authentication/td-p/12183
Aruba

Re: clearpass onboarding failed because the CPPM sending wrong user name to the AD/Radius

You could consider setting a "match-rule" for the CPPM server entry within the group. For example, put CPPM at the top, but have a match-rule defined; something like: authstring contains mdps_generic.
Other things to consider:

1) use CPPM for all auths

2) use CPPM to proxy auths to IAS

3) use IAS connection rules to proxy to CPPM (based on the username containing mdps_generic)

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
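As an added illustration of the match-rule approach from the reply above (not configuration posted in this thread or taken from Aruba's documentation; the group and server names are placeholders, and it assumes the controller skips a server whose match rule does not match the request), an ArubaOS server-group fragment:

```text
! ArubaOS server group referenced by the 802.1X SSID's AAA profile (placeholder names)
aaa server-group "dot1x-srvgrp"
    ! ClearPass is listed first, but is only consulted when the RADIUS User-Name
    ! carries the Onboard-issued PEAP credential marker (e.g. user:12:mdps_generic)
    auth-server "CPPM-01" match-authstring contains mdps_generic
    ! Enterprise IAS servers receive the remaining (AD username/password) requests
    auth-server "IAS-01"
    auth-server "IAS-02"
```

Because Onboard credentials go straight to CPPM and AD users never touch it, the group does not rely on `allow-fail-through`, which the earlier reply flags as discouraged when EAP is terminated on the RADIUS servers.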