Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Does ClearPass Onboard support two different sites?

  • 1.  Does ClearPass Onboard support two different sites?

    Posted Nov 18, 2022 12:53 PM
    Hi,
    I have two ClearPass servers at two different sites. Both authenticate against the same AD and use the same SSID, and devices are onboarded at each site.
    After onboarding, each site can use Wi-Fi normally, but if a device moves to the other site, it fails.

    Is there any way to make it work (onboard at one site and use Wi-Fi at the other site too)?
    Or do I need to cluster them?


  • 2.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 18, 2022 05:16 PM
    Are these ClearPass nodes part of the same cluster?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: Does ClearPass Onboard support two different sites?

    Posted Nov 18, 2022 10:10 PM
    No, they aren't.
    They are just standalone nodes at two sites, but they authenticate against the same AD.


  • 4.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 19, 2022 06:34 PM
    What is the exact error in the Alerts tab of Access Tracker for the failed onboarded device?
    Is it to do with the certificates? If so, you need to add the root CA certificate that signed the onboarded device's certificate to the Certificate Trust List on the ClearPass node where you are getting the error.




  • 5.  RE: Does ClearPass Onboard support two different sites?

    Posted Nov 19, 2022 06:51 PM
    Here is the alert:

    EAP-TLS: fatal alert by server - unknown_ca
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session

    I have put the Onboard root certificate in each ClearPass trust list, but it still shows this alert.


  • 6.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 20, 2022 07:11 AM
    This error is due to the client validating the server certificate. I am assuming your Onboard root CA is self-signed,
    so you need to have a root CA that signs both Onboard device certificates.
    Alternatively, you can make both ClearPass nodes part of the same cluster (I don't know if this is feasible or not).




  • 7.  RE: Does ClearPass Onboard support two different sites?

    Posted Nov 20, 2022 07:39 AM
    Do you mean the device needs to have both root CAs installed?
    Yes, the Onboard CA is self-signed on both sides.

    Do you have a scenario like this too?
    And does your scenario work fine?


  • 8.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 20, 2022 05:03 PM
    zlv,

    When you configure Onboard with a self-signed root certificate, ClearPass itself will trust this certificate. But it will not automatically trust the root certificate from the other ClearPass server if they are not clustered.

    Is there a reason you have chosen not to cluster these two instances of ClearPass? It seems that this would solve the issue. If both ClearPass instances are authenticating users against the same AD environment then a cluster would make sense. Do you agree?

    There are a couple of ways you could go to get this working:
    1. Cluster the two ClearPass nodes.
    2. Send the root certificate from each ClearPass Onboard certificate authority to the other ClearPass node, to be trusted for EAP.
    3. Use a single root certificate for both ClearPass nodes.



  • 9.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 20, 2022 05:17 PM
    The main point here is that the onboarded clients automatically trust the root CA they were onboarded from. This happens during the Onboard process.

    Now you have another root CA from the other ClearPass that the client will not trust, and that is causing the EAP-TLS error.
    You can install the other root CA and add it to the client's trusted CA list, but that would be a lot of work for all the already onboarded clients.
    In addition, some clients, like onboarded Windows clients, will also have a client setting under "Validate server identity" to only accept a specific server certificate for that specific SSID, so you need to update that too.

    Perhaps it will be easier to set up the Onboard CA as an intermediate CA instead of a root CA.
    Check this video, which briefly talks about the options:
    https://www.youtube.com/watch?v=5Wl0ssdV_JU




  • 10.  RE: Does ClearPass Onboard support two different sites?

    Posted Nov 20, 2022 09:36 PM
    Thank you all for your replies.
    Actually, I tested what you said before, but it still fails (not sure whether my configuration is wrong or what makes it fail).
    I had the other ClearPass import the root CA and client CA into the trust list,
    but they show up as "Trusted", not "TLS client",
    so I was confused about whether it can work or not.
    In my understanding, ClearPass needs to verify the client certificate too.

    I know the cluster is the best way.

    The reason I need this is that the scenario is working now;
    I want to find a small change that makes it work.


  • 11.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 21, 2022 04:23 AM
    Despite what was written before, the message "fatal alert by server - unknown_ca" means that the ClearPass server did not trust the client certificate.

    You should export the Onboard Root CA (and intermediates would not hurt) from the other server (not the one that shows this message), and add/import that into the Trust List of this server with the purpose EAP (and have it enabled, which happens by default).

    I would suggest to work with Aruba Support (TAC), as it may be confusing unless you fully understand how certificates and certificate validation works.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 12.  RE: Does ClearPass Onboard support two different sites?

    Posted Nov 22, 2022 03:57 AM
    Status update:
    we have successfully made this scenario work.
    Because we had OCSP configured, once we turned OCSP off
    and used just the EAP-TLS method for authentication,
    it works now.

    But the next problem is that the device certificate is not verified by ClearPass:
    when the certificate is expired or deleted, the device can still connect.


  • 13.  RE: Does ClearPass Onboard support two different sites?

    EMPLOYEE
    Posted Nov 22, 2022 04:52 AM
    If your OCSP is overridden/defined in the authentication source, that may be the issue here. And if the OCSP responder is not accessible between sites, that may also be the reason.

    To resolve this (if needed), you would need to check deeper into the design and configuration which is beyond the scope of a forum like this unless you have very specific questions. You may work with your Aruba partner, or Aruba support to discuss the options.

    ------------------------------
    Herman Robers
    ------------------------------
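The following lab is an added example, not code from the thread or from HPE Aruba. It reproduces with the openssl command line the certificate situation the thread describes: two standalone sites each with its own self-signed "Onboard" root CA, a device certificate issued by each, and an authenticating server that trusts only its own root (the unknown_ca failure from posts 5 and 11), then a trust list holding both roots (option 2 in post 8). It also shows why turning revocation checking off, as post 12 did, lets a deleted device's certificate keep passing chain validation. The CA names, device names, validity periods and the revoked-serial file are all constructed for the demo; the "revoked serials" list is a stand-in for what a CRL or OCSP responder provides and is not a ClearPass mechanism.

```shell
#!/bin/sh
# Constructed lab: two standalone "Onboard" root CAs (site A, site B), each
# issuing EAP-TLS device certificates. All names and lifetimes are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root, like the default Onboard CA on a standalone node.
make_root() {      # $1 = site label
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Onboard Root CA site-$1" \
    -keyout "root-$1.key" -out "root-$1.crt" 2>/dev/null
}

# Device (EAP-TLS client) certificate issued by one site's root.
issue_device() {   # $1 = site, $2 = device name, $3 = validity in days
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days "$3" -in "$2.csr" \
    -CA "root-$1.crt" -CAkey "root-$1.key" -CAcreateserial \
    -out "$2.crt" 2>/dev/null
}

# What the RADIUS server does with the client certificate in the TLS
# handshake: chain it to a root in its trust list and check the validity
# period, at "now" or at an epoch time given in $3. Prints OK or FAIL.
verify_device() {  # $1 = trust-list file, $2 = device cert, $3 = epoch or ""
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -attime "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Stand-in for the revocation step (CRL/OCSP) that chain validation alone
# never performs: $1 = device cert, $2 = file of revoked serial numbers.
is_revoked() {
  serial=$(openssl x509 -noout -serial -in "$1" | cut -d= -f2)
  grep -qx "$serial" "$2" && echo REVOKED || echo VALID
}

make_root A
make_root B
issue_device A laptop-a 365
issue_device B laptop-b 365
issue_device B phone-b-short 30              # expires in 30 days

cp root-A.crt trust-siteA-only.pem           # site A node before the fix
cat root-A.crt root-B.crt > trust-both.pem   # both Onboard roots trusted for EAP

echo "site-A root only, site-B device: $(verify_device trust-siteA-only.pem laptop-b.crt)"
echo "both roots, site-B device:       $(verify_device trust-both.pem laptop-b.crt)"

# Expiry is still enforced by chain validation: check 60 days from now.
LATER=$(( $(date +%s) + 60 * 86400 ))
echo "both roots, expired device:      $(verify_device trust-both.pem phone-b-short.crt "$LATER")"

# "Delete" laptop-b: its serial goes on the revoked list, but the cert and
# its chain are untouched, so only a revocation check notices.
openssl x509 -noout -serial -in laptop-b.crt | cut -d= -f2 > revoked.txt
echo "chain check on deleted device:   $(verify_device trust-both.pem laptop-b.crt)"
echo "revocation check:                $(is_revoked laptop-b.crt revoked.txt)"
```

The first verify fails with "unable to get local issuer certificate", the openssl-side counterpart of the server sending the unknown_ca alert; adding the second root to the trust file is the equivalent of importing the other node's Onboard root into the Trust List with usage EAP (post 11). The last two lines are the point of posts 12 and 13: a certificate that was deleted or revoked on the issuing node still chains cleanly, so with OCSP disabled the only thing that stops it is expiry, and an OCSP responder that is defined per authentication source or unreachable from the other site fails in the same way.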