Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Certificate Requirements for Aruba AP Deployment

  • 1.  Certificate Requirements for Aruba AP Deployment

    Posted Apr 22, 2019 08:18 PM

    Hello all,

     

    I am in the process of switching over one of our campuses from Cisco to Aruba in a small POC. ClearPass is currently in production for authentication and has been for almost a year now.

    Our Aruba POC is a MM running 8.4 and a physical 7200 series controller.

     

    The PCs are running Windows 10 1803

     

    I got all the Aruba APs mounted and provisioned but when I turn off the Cisco APs, my Windows clients do not like to reconnect to my SSID, but other devices do. Is this a cert issue? I currently am just using the default cert on the MM and controller. Do I need to install trusted certs in order to get this working seamlessly? Or should the ones on Clearpass be doing their job?

     

    Please help!

     

    Thanks!



  • 2.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted Apr 22, 2019 08:48 PM

    You need a trusted SSL cert on the MM as well as the ClearPass Box. 

     

    - A captive portal certificate is needed for the MM for Captive Portal if you are doing captive portal.

     - A captive portal certificate is also needed for ClearPass if you are doing Captive Portal on ClearPass. 

    - You would also need a Radius Server Certificate for ClearPass to authenticate your enterprise users.

     

    Your clients would have to trust all 3 certificates.  The third certificate would need to be trusted by your enterprise clients that do 802.1x, which is probably why you are having problems with Windows Clients.

     

    For in depth info, please see the certificates 101 Technote here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33288



  • 3.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 22, 2019 08:51 PM

    Thanks for the swift reply!

     

    So my current Clearpass deployment already has a RADIUS and HTTPS cert, as well as a cert for the guest portal. From what you are saying, I am just missing the one on the MM and controller correct?

     

    Do Windows clients usually not like the default cert on the MM/controller?



  • 4.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted Apr 22, 2019 08:56 PM

    The Certificates on the Controller and ClearPass are all self-signed and no clients would trust them.  If this is a proof of concept, it is fine.  In production, you would need certificates that your clients trust and it should be seamless.

     

    EDIT.  The Captive Portal and Https certificate are the same thing on ClearPass.

     



  • 5.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 23, 2019 10:39 AM

    I see what you are saying. But we've had Clearpass in production for about a year now and it has all the certs it needs. Shouldn't that be enough as it is handling the auth piece? Without adding a cert to the controller or MM?

     

    Unless the supplicant is looking to the controller for a cert?



  • 6.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted Apr 23, 2019 10:45 AM
    Which authentication method is being used in this scenario?


  • 7.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 23, 2019 11:02 AM

    We are using EAP-PEAP, EAP-MSCHAPv2

     

    My Windows devices are configured via GPO to connect to the SSID however. And to use that auth method.



  • 8.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted Apr 23, 2019 11:06 AM
    The EAP server certificate of ClearPass will be used for this workflow.


  • 9.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 23, 2019 11:09 AM

    So I am not missing anything, and am good with the out of the box certs on the MM and controller?

     

    Any idea on what the cause of my Windows clients not wanting to jump onto the Aruba APs that are broadcasting the same SSID as my Cisco setup?



  • 10.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted Apr 23, 2019 11:13 AM
    If you’re not doing captive portal, you don’t need any certificates on the controller.

    There are dozens of potential reasons. I would start with a packet capture.


  • 11.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted Apr 23, 2019 12:41 PM

    @zshore wrote:

    So I am not missing anything, and am good with the out of the box certs on the MM and controller?

     

    Any idea on what the cause of my Windows clients not wanting to jump onto the Aruba APs that are broadcasting the same SSID as my Cisco setup?


    You might need to enable the qbss load IE parameter in the SSID profile so that clients that have the Cisco CCX infrastructure prefer them.  Please see the post here:  https://community.arubanetworks.com/t5/Wireless-Access/Roaming-between-Cisco-and-Aruba/m-p/252817#M55571



  • 12.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 23, 2019 12:48 PM
    I think this may be an issue with my GPO as well. As when I bring an unmanaged device and connect, it goes smoothly.

    Currently doing some digging and will report back.


  • 13.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 24, 2019 01:52 AM

    Have you enabled EAP termination in the 802.1x auth profile? With EAP termination the EAP requests are terminated at the controller and the certificate of the controller will be used and not the ClearPass certificate.

     

    Yes noticed that the RADIUS backend (CPPM) is not changed so normally the migration should be smooth and the same certificates are used. Have all the ClearPass servers the same certificate?



  • 14.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 24, 2019 11:34 AM

    From the testing I did last night, an unmanaged device will connect to the SSID just fine after I forget and rejoin the network. (The Aruba APs and Cisco APs are on different networks but can talk to each other)

     

    Once I cut power to the Cisco APs and then try to join the Aruba APs through a wireless profile pushed out via GPO, they won't connect to those networks.

     

    I think my cert problem is out of the way as unmanaged devices can connect just fine, now it is more of a wireless profile issue.
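
Added example, not written by any poster or by Aruba: the certificate question in this thread comes down to whether the GPO-pushed PEAP profile trusts the root CA behind the ClearPass RADIUS certificate. This Python sketch audits the server-validation settings of a profile exported with `netsh wlan export profile`; the sample XML, server name and thumbprints are constructed, and `peap_settings` and `audit` are illustrative names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: 802.1X part of an exported PEAP profile.
# The server name and root CA thumbprint are made up for this example.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation>
      <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <ServerNames>clearpass.example.edu</ServerNames>
      <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 </TrustedRootCA>
     </ServerValidation>
     <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation></PeapExtensions>
    </EapType></Eap>
  </Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

def peap_settings(profile_xml):
    """Collect PEAP server-validation settings, matching elements by local name."""
    s = {"validate": None, "prompt_disabled": None, "server_names": [], "trusted_roots": []}
    for el in ET.fromstring(profile_xml).iter():
        tag, text = el.tag.rsplit("}", 1)[-1], (el.text or "").strip()
        if tag == "PerformServerValidation":
            s["validate"] = text.lower() == "true"
        elif tag == "DisableUserPromptForServerValidation":
            s["prompt_disabled"] = text.lower() == "true"
        elif tag == "ServerNames":
            s["server_names"] += [n for n in text.split(";") if n]
        elif tag == "TrustedRootCA" and text:
            s["trusted_roots"].append(text.replace(" ", "").lower())
    return s

def audit(profile_xml, radius_root_sha1):
    """Findings for a PEAP profile, given the SHA-1 thumbprint of the RADIUS cert's root CA."""
    s, findings = peap_settings(profile_xml), []
    if s["validate"] is False:
        return ["server validation off: client accepts any RADIUS certificate"]
    if radius_root_sha1.replace(" ", "").lower() not in s["trusted_roots"]:
        how = "silently fails" if s["prompt_disabled"] else "prompts the user"
        findings.append(f"RADIUS root CA not in TrustedRootCA: client {how}")
    if not s["server_names"]:
        findings.append("no ServerNames: any certificate under the trusted root is accepted")
    return findings
```

An empty result from `audit` means the profile pins the expected root and server name, so a managed client that still refuses to join is failing for a reason other than certificate trust.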



  • 15.  RE: Certificate Requirements for Aruba AP Deployment

    Posted Apr 24, 2019 01:56 PM
    Yes correct. Have you checked if eap termination is enabled in the 802.1x profile? Do you see some requests in clearpass at the moment you try to connect?

    You can also enable User debugging at the controller to see what’s happening.


  • 16.  RE: Certificate Requirements for Aruba AP Deployment
    Best Answer

    Posted May 10, 2019 12:26 PM

    Turns out I was running into an issue with the old Intel wireless drivers. They don't seem to like the new frames from ax. Updating the drivers seems to have fixed the issue.



  • 17.  RE: Certificate Requirements for Aruba AP Deployment

    EMPLOYEE
    Posted May 13, 2019 12:32 AM

    We will be posting an official field notice tomorrow addressing this specific issue (Intel client drivers and 802.11ax networks).