Security
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
endpoint device dot1xing via AP ethernet port

  • 1.  endpoint device dot1xing via AP ethernet port

    Posted Apr 19, 2018 10:10 AM

    Need some help persuading dot1x to work via an AP ethernet port.

    Got a client performing PEAP/MSCHAPv2 auth. Plug it into a switch port and everything "just works", authenticating to our ClearPass service.

    Change to EAP-TLS, same thing, everything works.

    Connect to the WiFi service, all works.

    Create a new ClearPass service just for dot1x via an AP 2nd ethernet port (different selection criteria).

    Plug the same device into the 2nd AP eth port (I didn't do the AP config for this).

    All EAP-based auths fail. For the Windows client, uncheck the "validate server certificate" box in the dot1x config... and the auths work.

    We're not terminating EAP auths on the controller; they all go to the same ClearPass cluster as all other services. EAP-based auth is the same as for any other service.

    So is there any magic that needs to be done on the controller?

    Rgds

    A



  • 2.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 19, 2018 10:21 AM
    Can you please share your config for the AP port?

    You should be able to use the same wired service (ClearPass) and AAA profile you use for your 802.1X wireless (controller).

    Pardon typos sent from Mobile


  • 3.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 19, 2018 10:41 AM

    You mean the attached?



  • 4.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 19, 2018 11:46 AM
    Can you also share the AAA profile and the Access Tracker entry you are getting?

    Pardon typos sent from Mobile


  • 5.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 19, 2018 12:02 PM

    The session log doesn't show much more than the auth alert .png file.



  • 6.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 19, 2018 01:30 PM
    Everything looks good on the controller side.

    You mentioned that your wireless clients are able to authenticate with no
    issues using 802.1X. I suggest you take a look at how the wireless profile
    is configured in Windows and match the same config on your wired
    profile.

    Looks like the profile is not configured properly.


  • 7.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 20, 2018 09:57 AM

    Sorry, have to disagree. We use an onboarding appliance that configures both wired and WiFi EAP-based authentication. The same configurations work on ProVision, Aruba switches, Comware and normal WiFi connectivity. All these network devices use ClearPass for authentication and "just work".

    The only thing that doesn't is dot1x via the wired port on this AP (93H).



  • 8.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 20, 2018 10:39 AM
    A couple of things:
    - Can you confirm the device is configured properly? Root CA / RADIUS cert

    - And also make sure the certificate is still valid in the Onboard DB

    - Make sure you are using the same auth type (EAP-TLS) you created for the other, already working wired service

    - Have you tried using another device?



    Pardon typos sent from Mobile


  • 9.  RE: endpoint device dot1xing via AP ethernet port

    Posted Apr 20, 2018 11:07 AM

    Can you confirm the device is configured properly? Root CA / RADIUS cert

    Which device? Client?

    - And also make sure the certificate is still valid in the Onboard DB

    Not using Aruba onboarding stuff, using Cloudpath.

    - Make sure you are using the same auth type (EAP-TLS) you created for the other, already working wired service

    If you mean the ClearPass service, it copes with PEAP, TTLS and TLS.

    - Have you tried using another device?

    Yup, Windows and macOS.



  • 10.  RE: endpoint device dot1xing via AP ethernet port
    Best Answer

    Posted May 01, 2018 06:27 AM

    Sorted!!

    And it wasn't anything we did ... ish.

    I have a service on our 6.7.2 CPPM cluster that uses a service-specific CA chain (local PKI infrastructure). The service we created was at the bottom of our list of services.

    Looking at the release notes for 6.7.3, one of the fixes is:

    #44257 A service certificate that was configured on one service was also applied to all the services below that service in the order of processing, even if they were configured with a different service certificate. This had caused requests to the lower services to be denied with the error “Unknown CA.”

    Guess what was happening .... as soon as we moved the cert above the one using our own PKI, things sprang into life.
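As an added illustration of the ordering defect quoted from the release notes (this is not code from the thread or from ClearPass itself), the following Python model uses constructed service names and issuer labels ("public-ca" for the cluster-wide default certificate, "local-pki" for the site's own CA chain) to show why the new service failed with "Unknown CA" while it sat below the local-PKI service, why moving it up worked around the bug, and why unchecking "validate server certificate" on the supplicant only masks the problem.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed labels for this example; not real ClearPass identifiers.
CLUSTER_DEFAULT_CA = "public-ca"


@dataclass
class Service:
    name: str
    service_cert_ca: Optional[str] = None  # issuer of a service-specific EAP cert


def presented_issuer(services, target, fixed_6_7_3):
    """Issuer of the certificate the EAP server presents when `target` matches.

    fixed_6_7_3=False models the 6.7.2 behaviour described in #44257: the first
    service in processing order that has its own certificate leaks it to every
    service below it. fixed_6_7_3=True models the corrected per-service lookup.
    """
    leaked = None
    for svc in services:
        if svc.name == target:
            own = svc.service_cert_ca or CLUSTER_DEFAULT_CA
            return own if (fixed_6_7_3 or leaked is None) else leaked
        if leaked is None and svc.service_cert_ca is not None:
            leaked = svc.service_cert_ca
    raise KeyError(f"no service named {target!r}")


def supplicant_verdict(issuer, trusted_cas, validate_server=True):
    """Supplicant side: EAP fails with 'Unknown CA' when the issuer is untrusted.

    Unchecking 'validate server certificate' (the Windows workaround in the
    thread) hides the trust failure instead of fixing it.
    """
    if not validate_server:
        return "accept (server certificate not validated)"
    return "accept" if issuer in trusted_cas else "reject: Unknown CA"


def run_scenario(fixed_6_7_3, new_service_on_top):
    """Reproduce the thread: the new AP wired service above or below the
    local-PKI service, on a buggy (6.7.2-like) or fixed (6.7.3-like) cluster."""
    local_pki = Service("Local PKI 802.1X", service_cert_ca="local-pki")
    ap_wired = Service("AP wired 802.1X")  # relies on the cluster default cert
    order = [ap_wired, local_pki] if new_service_on_top else [local_pki, ap_wired]
    issuer = presented_issuer(order, "AP wired 802.1X", fixed_6_7_3)
    # The wired supplicant profile trusts only the cluster's public CA.
    return supplicant_verdict(issuer, trusted_cas={CLUSTER_DEFAULT_CA})
```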