Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

iOS OnBoarding issue

  • 1.  iOS OnBoarding issue

    Posted Apr 23, 2013 06:40 AM

    Hello,

     

    I've been trying to search the boards for resolution but without luck.

     

    I have two SSIDs, one for onboarding and one for actual 802.1x. Android and Windows devices are onboarding just fine and automatically connecting to the 802.1x SSID. My issue is that iPad 2 (using the same service for 802.1x) downloads, installs, etc. the cert correctly but when connecting to the 802.1x SSID it says "can not join network".  When I check the access tracker it states that the device is trying to log in using <username> and not the <username:seq:mdps_generic> which is listed in the OnBoard Devices repository.

     

    The certificate is 2048-bit and generated in OnBoard. ClearPass is 6.0.2 and Aruba WLC 6.1.

     

    Any ideas how to get the iOS onboard working as smoothly as the other platforms? Any advice greatly appreciated, thanks!



  • 2.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted Apr 23, 2013 07:41 AM

    Make sure you have EAP-TLS configured as an authentication type in the service.

     

    <username> means that the iOS device is using TLS.  <username:seq:mdps_generic> means that you are using EAP-PEAP.



  • 3.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 07:50 AM

    Hello, 

     

    Thanks for the prompt reply!

     

    Please see the attached image from access tracker. In the matching service "BYOD 802.1x test" I have methods:

    1. [EAP PEAP]
    2. [EAP FAST]
    3. [EAP TLS]
    4. [EAP TTLS]

     

    Should the iPad be using the <username:seq:mdps_generic> from Onboard devices repository? In my BYOD 802.1x test service I have only [Onboard Devices Repository] and nothing more as Authentication Sources.



  • 4.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted Apr 23, 2013 07:52 AM

    What does it say under the Alert Tab?

     



  • 5.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 07:58 AM
    Error Code:
    201
    Error Category:
    Authentication failure
    Error Message:
    User not found
     Alerts for this Request  
    RADIUS[Onboard Devices Repository] - localhost: User not found.
    EAP-TLS: Authentication failure, unknown user


  • 6.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted Apr 23, 2013 08:00 AM

    Is there anything in the onboard device repository?

     



  • 7.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:05 AM

    Hi,

     

    Yes, please see the attachment. In OnBoard the device has also a valid certificate:

    Issued to: test-ipad

    Issued by: ClearPass Onboard Local Certificate Authority (Signing)



  • 8.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted Apr 23, 2013 08:07 AM

    I would delete that and re-onboard your ipad.

     

    That is a PEAP credential, not a TLS credential.

     



  • 9.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:13 AM

    Hi,

     

    Thanks for the advice, I already tried to reprovision the device and it did not help. Same issue also with iPhone 3.

     

    See the attachment of OnBoard network settings. On the authentication tab I have "certificate" selected for iOS and OS X 10.7



  • 10.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted Apr 23, 2013 08:17 AM

    I would delete the existing certificates that correspond to the Ipad and reprovision.

     



  • 11.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 08:29 AM

    Hello,

     

    Did not help. We tried to use a new iPhone 4 and a new user, please see the logs it generates in the attachment.

     

    After successfully installing the root cert and profile and switching to the 802.1x SSID, it shows the same "cannot join" error.

     

    It's using method EAP-TLS but not matching any authentication sources. In Onboard devices we see a new entry: "<username>:33:mdps_generic"



  • 12.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted Apr 23, 2013 09:21 AM

    You should probably open a TAC case.  It is not obvious to me why this is happening.  TLS Certificates in the Onboard Repository should just have a username and not mdps_generic... unless I am wrong...



  • 13.  RE: iOS OnBoarding issue
    Best Answer

    Posted Apr 23, 2013 02:39 PM

    iOS devices will use EAP-TLS and the CN on the cert will be their username.  Other devices will use EAP-PEAP and their unique credentials will be username:somenumber:mdps_generic.  I have noticed that in ClearPass 6.1.0, iOS devices will show up in the OnBoard Devices identity store with username:somenumber:mdps_generic as their device name - this was not the case in earlier versions of ClearPass.  

     

    In your 802.1X service, you should be using the EAP-TLS with OCSP auth method rather than the EAP-TLS method.  In the EAP-TLS with OCSP auth method, make sure the OCSP responder URL is correct and matches that of the CA you are using for Onboarding (you may have to create a copy and modify it).  Also, try unchecking "Authorization Required" in the EAP-TLS with OCSP auth method.

     



  • 14.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 03:04 PM

    cjoseph: thanks for your comments, I will create the TAC case if there won't be a solution through this board :)

     

    xdrewpjx: Thanks for your suggestion and information regarding the iOS login process. I modified the service as you suggested, now using "copy of EAP-TLS with OCSP enabled" (without authorization). Method order is:

    1. Copy_of_[EAP TLS With OCSP Enabled]
    2. [EAP PEAP]
    3. [EAP FAST]
    4. [EAP TTLS]

     

    I added the OCSP to the provisioning settings, the CA is the OnBoard itself so the default link should be fine. I cannot test it today as I need someone with an iOS device to test it. I'll ask someone to test tomorrow.

     

    Could you please clarify, should the [Onboard Devices Repository] be the only authentication source in my 802.1x service?

     

    Thanks!



  • 15.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 03:16 PM

    Yes, if you uncheck "authorization required" in the EAP-TLS auth method, you can use only the OnBoard Devices Repository as an Authentication Source.  Attached is a screenshot of my lab setup. 



  • 16.  RE: iOS OnBoarding issue

    Posted Apr 23, 2013 03:38 PM

    Ah thanks, it seems you have lots more going on in there than I do. In my lab I merely have the basic service and nothing fancy. The enforcement policy just sends out the RADIUS accept and role "BYOD" which is "allowall" on the WLC. You can check my service out from the attachment.



  • 17.  RE: iOS OnBoarding issue

    Posted Apr 24, 2013 02:58 AM

    xdrewpjx: very big thanks for your advice, it was absolutely the solution. 



  • 18.  RE: iOS OnBoarding issue

    Posted Sep 27, 2013 03:02 PM

    I've run into the same issue of "[Onboard Devices Repository] - localhost: User not found."  My authentication source included the onboard repository and the EAP-TLS method had authorization disabled.

     

    I opened a TAC case and their solution was to remove the enforcement policy condition I created that included the onboard device repository as the authentication source.  Their explanation was that for EAP-TLS authentication, an authentication source is not needed since the certificate is validated and revocation status is checked.

     

    I verified that revoking my certificate resulted in an authentication failure.  For grins, I disabled my iPad in the onboard repository, but the iPad still authenticated.  This makes sense now given the onboard repository isn't being checked during authentication.
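
The two EAP-TLS decision paths described in posts 13 and 18 above, as an added example that is not ClearPass code and not part of any post in this thread. It is a small Python model of the policy logic: the "Authorization Required" flag decides whether the certificate CN is looked up in the Onboard Devices repository at all, while certificate validation and revocation are enforced either way. The repository entries, the serial number, the revoked-serial set and the "disabled" flag are constructed sample data; the error strings mirror the ones quoted in the thread but the function names and structure are this example's own.

```python
# Added example (not ClearPass code): a small model of the two EAP-TLS
# decision paths discussed in this thread. Repository entries, serial
# numbers and the revoked-serial set below are constructed sample data.
from dataclasses import dataclass

MDPS_SUFFIX = "mdps_generic"
ONBOARD_CA = "ClearPass Onboard Local Certificate Authority (Signing)"


@dataclass
class OnboardDevice:
    """One row of the Onboard Devices repository (name as ClearPass stores it)."""
    name: str
    enabled: bool = True


@dataclass
class ClientCert:
    """The fields of a client certificate that matter for this decision."""
    cn: str        # subject CN; Onboard sets it to the username on iOS/OS X certs
    serial: int
    issuer: str


def peap_identity(username: str, seq: int) -> str:
    """Unique PEAP credential Onboard issues to non-certificate devices."""
    return f"{username}:{seq}:{MDPS_SUFFIX}"


def parse_mdps_identity(identity: str):
    """Split 'user:seq:mdps_generic' into (user, seq); None for a plain CN."""
    parts = identity.rsplit(":", 2)
    if len(parts) == 3 and parts[2] == MDPS_SUFFIX and parts[1].isdigit():
        return parts[0], int(parts[1])
    return None


def authenticate_eap_tls(cert, repository, revoked_serials,
                         authorization_required, trusted_issuer=ONBOARD_CA):
    """Return the decision string for one EAP-TLS attempt.

    Certificate validation and revocation are always enforced; the
    repository lookup only happens when 'Authorization Required' is set.
    """
    if cert.issuer != trusted_issuer:
        return "REJECT: untrusted issuer"
    if cert.serial in revoked_serials:
        return "REJECT: certificate revoked"      # what OCSP/CRL enforces
    if not authorization_required:
        return "ACCEPT"                           # no identity-store lookup at all
    entry = repository.get(cert.cn)               # EAP-TLS identity is the CN
    if entry is None:
        return "REJECT: User not found"           # error 201 quoted in the thread
    if not entry.enabled:
        return "REJECT: device disabled"
    return "ACCEPT"


def thread_scenarios():
    """Reproduce the four situations described in posts 13 and 18."""
    ipad = ClientCert(cn="test-ipad", serial=33, issuer=ONBOARD_CA)
    # Per post 13, ClearPass 6.1 stores the iOS device under its PEAP-style
    # name, so the CN 'test-ipad' has no exact match in the repository.
    stored_name = peap_identity("test-ipad", 33)
    repo = {stored_name: OnboardDevice(stored_name)}
    results = {}
    results["authz_required"] = authenticate_eap_tls(ipad, repo, set(), True)
    results["authz_off"] = authenticate_eap_tls(ipad, repo, set(), False)
    results["revoked"] = authenticate_eap_tls(ipad, repo, {33}, False)
    repo_disabled = {k: OnboardDevice(k, enabled=False) for k in repo}
    results["disabled_authz_off"] = authenticate_eap_tls(ipad, repo_disabled, set(), False)
    return results


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Running it shows the thread's sequence in miniature: with authorization required the CN lookup fails with "User not found"; with it off the same certificate is accepted; a revoked serial is rejected regardless of the flag; and a repository entry marked disabled no longer matters once the lookup is skipped, which is the post-18 observation that revocation, not the repository, is the control you must rely on for EAP-TLS.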



  • 19.  RE: iOS OnBoarding issue

    Posted May 20, 2016 04:15 PM

    Having basically the same issue, now CPPM is asking for a password to access the network.  This happens before the iOS device starts Onboarding.



  • 20.  RE: iOS OnBoarding issue

    EMPLOYEE
    Posted May 20, 2016 10:28 PM

    james.king,

     

    The last post in this thread was from 2013.  Do you want to state your issue in detail so everyone knows what you are talking about?