Security

  • 1.  Onboard and EAP-TLS

    Posted Jun 26, 2021 05:32 AM
    Hi all,

    Some clarification needed.

    For a corporate client which has user and machine certificates installed via GPO from the AD CA:
    it will use that certificate to authenticate with the ClearPass server (CP has a RADIUS certificate installed that was issued by the AD CA).

    For a non-corporate client, after completing the Onboard process, the client will switch to the corporate SSID and connect using the EAP-TLS protocol.
    The client uses the certificate it received from the ClearPass CA, and authenticates with the ClearPass CA.

    In the ClearPass service profile for corporate, do I need to add [Onboard Devices Repository] as an authentication source?

    I am having an issue with an Onboard client: it is unable to connect to the corporate WLAN after completing the Onboarding process.
    Checking on Access Tracker, the message shows it is either timeout or rejected.

    I had configured Onboard using the Airheads video guide and also the training lab guide, but it still does not work.
    I might be missing something here.

    P/S:
    By the way, what will happen if a corporate client which already has an AD certificate is used to Onboard and gets installed with a CP CA certificate? When it connects to the corporate SSID, which certificate will be used to authenticate?

    Logs:
    2021-06-26 16:16:48,747 [Th 51 Req 18187 SessId R00000a33-01-60d6e26b] INFO RadiusServer.Radius - --> verify return:1
    2021-06-26 16:16:48,749 [Th 51 Req 18187 SessId R00000a33-01-60d6e26b] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 185:151:2016D85956FB:AC0AfgDUAKsLRwAAGizbzdrnjyclzhQTNK3YDw==
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00000a33-01-60d6e26b, state - AC0AfgDUAKsLRwAAGizbzdrnjyclzhQTNK3YDw=
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 179:206:88:2016D85956FB recv 1624695403.406431 - resp 1624695403.421974
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 180:347:1124:2016D85956FB recv 1624695403.445836 - resp 1624695403.450219
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 181:240:1120:2016D85956FB recv 1624695403.469032 - resp 1624695403.470256
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 178:240:1120:2016D85956FB recv 1624695403.488956 - resp 1624695403.490582
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 182:240:914:2016D85956FB recv 1624695403.512747 - resp 1624695403.513875
    2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 183:1736:88:2016D85956FB recv 1624695403.571502 - resp 1624695403.573133
    2021-06-26 16:17:29,364 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 184:1736:88:2016D85956FB recv 1624695403.630510 - resp 1624695403.636208
    2021-06-26 16:17:29,364 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 185:1070:151:2016D85956FB recv 1624695403.656099 - resp 1624695408.749117
    2021-06-26 16:17:29,364 [main SessId R00000a33-01-60d6e26b] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2021-06-26 16:17:29,373 [RequestHandler-1-0x7f6885ff2700 r=psauto-1616033532-83299 h=239 r=R00000a33-01-60d6e26b] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 2016d85956fb

    The error is in red.

    Thanks

    ------------------------------
    Choh Koon Tan
    ------------------------------


  • 2.  RE: Onboard and EAP-TLS

    Posted Jun 28, 2021 04:32 AM
    Timeouts where the client does not respond are typically associated with a client that does not trust the ClearPass' RADIUS root certificate. Please double check.

    You can install an Onboard certificate on to a corporate device. The reason this is not usually done is that it consumes an Onboard license, whereas a corporate device using a corporate certificate will not "usually" consume an Onboard license. The exception is when ClearPass refers to another certificate authority to generate the Onboard certificate...

    ------------------------------
    Derin Mellor
    ------------------------------
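As an added example (not part of this thread or of ClearPass itself), the script below parses reqst_clean_list and Access-Challenge lines in the format posted above and reports, per SessId, the server-side latency of each packet and how long the session sat idle before ClearPass reaped it, which separates "server never answered" from "client never replied". The sample log is constructed from the posted lines with the base64 state string shortened; the field names in the report are my own.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log lines posted in the thread (packet ids,
# sizes and timestamps copied from it; the base64 state string is shortened).
SAMPLE_LOG = """\
2021-06-26 16:16:48,749 [Th 51 Req 18187 SessId R00000a33-01-60d6e26b] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 185:151:2016D85956FB:AC0A
2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Deleting request sessid - R00000a33-01-60d6e26b, state - AC0A
2021-06-26 16:17:29,363 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 179:206:88:2016D85956FB recv 1624695403.406431 - resp 1624695403.421974
2021-06-26 16:17:29,364 [main SessId R00000a33-01-60d6e26b] ERROR RadiusServer.Radius - reqst_clean_list: Packet 185:1070:151:2016D85956FB recv 1624695403.656099 - resp 1624695408.749117
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[.*?SessId (?P<sess>\S+)\] (?P<msg>.*)$")
# Packet <id>:<request bytes>:<response bytes>:<client MAC> recv <epoch> - resp <epoch>
PACKET_RE = re.compile(r"Packet (?P<pid>\d+):(?P<req>\d+):(?P<resp>\d+):(?P<mac>\w+) recv (?P<t_in>[\d.]+) - resp (?P<t_out>[\d.]+)")

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")

def summarize_sessions(log_text):
    """Group the lines per SessId and report per-packet server latency plus the
    idle gap between the last Access-Challenge and the session being deleted."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sess"], {"packets": [], "last_challenge": None, "deleted": None})
        p = PACKET_RE.search(m["msg"])
        if p:
            s["packets"].append((int(p["pid"]), float(p["t_out"]) - float(p["t_in"])))
        elif "Access-Challenge" in m["msg"]:
            s["last_challenge"] = parse_ts(m["ts"])
        elif "Deleting request sessid" in m["msg"]:
            s["deleted"] = parse_ts(m["ts"])
    report = {}
    for sess, s in sessions.items():
        pkts = sorted(s["packets"])
        idle = (s["deleted"] - s["last_challenge"]).total_seconds() if s["deleted"] and s["last_challenge"] else None
        report[sess] = {
            "packets": len(pkts),
            "max_server_latency_s": round(max(lat for _, lat in pkts), 3) if pkts else None,
            "idle_before_cleanup_s": round(idle, 3) if idle is not None else None,
            # Every packet carries a resp timestamp, so ClearPass answered each request; the
            # session was reaped because no further client packet arrived after the last
            # Access-Challenge, which matches the "client not responding" reading above.
            "client_stopped_responding": bool(s["deleted"]) and bool(pkts),
        }
    return report

if __name__ == "__main__":
    for sess, r in summarize_sessions(SAMPLE_LOG).items():
        print(sess, r)
```

A large max_server_latency_s with a short idle gap would point at the server side instead; here the last challenge was answered by ClearPass and the client stayed silent for about 40 s until cleanup.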



  • 3.  RE: Onboard and EAP-TLS

    Posted Jun 29, 2021 10:09 AM
    I had opened a ticket; TAC also mentioned it was due to the client not responding and timing out.
    But still investigating the root cause.

    You are right, the client can have both the Onboard certificate and the corporate AD certificate.
    Thanks.

    ------------------------------
    Choh Koon Tan
    ------------------------------