Occasional Contributor II
Posts: 17
Registered: ‎05-15-2014

CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

Tried to onboard an iPad running iOS 7.1 today.

Installed the root CA, which installed, but the iPad indicates the root CA is untrusted, which kind of defeats the purpose of onboarding.

Anyone else seen this?

Cheers

P

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

This is normal. The reason you are installing it is to tell the device to trust it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎05-15-2014

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

Right, but after it is installed, it still indicates that it is untrusted.

Cheers

A

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

At what point in the process are you seeing this?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 17
Registered: ‎05-15-2014

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

Pre-provisioning: install root CA certificate.

Complains, but I verify it is the certificate I created through the CA creation.

The provision profile and client TLS certificate install.

Then reviewing the profiles in the iOS General section, both indicate untrusted.

EAP-TLS auth fails.

Maybe when I created the CA I selected options not supported by iOS 7.1:

2048-bit RSA

SHA-256

Occasional Contributor II
Posts: 17
Registered: ‎05-15-2014

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

I exported the root CA certs for SHA-256, SHA-224 and SHA-1 and imported them to the iPad (iOS 7.1).

Only SHA-1 was trusted, and the algorithms all indicated SHA-1 regardless of the algorithms used to create the CA.

[Screenshot: alg.JPG]

SHA-1 root CA

[Screenshot: trust.JPG]

SHA-256 and SHA-224 root CA

[Screenshot: untrust.JPG]

Funny, browsers support SHA-256 but iOS does not.

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

In your Network settings within ClearPass Onboard, there is a trust tab. Is that set to automatic? On this screen, are there any errors at the top of the screen about iOS and failure for HTTPS onboarding?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 17
Registered: ‎05-15-2014

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

Do you mean the trust tab on the network settings?

I have a 3rd party RADIUS certificate.

The only error is with regards to Windows 8.1, and according to the CA, no public CA supports this feature.

There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating:
cppm1mydomain.com: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.
cppm2mydomain.com: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.
cppm3.mydomain.com: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.

I have used automatic, and when I saw the untrusted root CA, I tried to manually add the certs as well.

A
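
Two checks this thread turns on, which signature hash a root CA certificate actually carries and whether a RADIUS server certificate lists id-kp-eapOverLAN, can be read straight from the DER bytes. The following is an added example, not from any poster or from Aruba; `der_items`, `cert_summary` and the `sample` builder are hypothetical names, and the input is a constructed, unsigned certificate skeleton.

```python
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.14": "sha224WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
EKU_EXT, EAP_OVER_LAN = "2.5.29.37", "1.3.6.1.5.5.7.3.14"  # extendedKeyUsage, id-kp-eapOverLAN (RFC 4334)

def der_items(buf):  # yields (tag, body) for each DER element in buf
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        yield tag, buf[pos:pos + n]
        pos += n

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if byte < 0x80:  # last byte of this arc
            parts.append(v); v = 0
    return ".".join(map(str, parts))

def cert_summary(der):  # returns (signature algorithm name, list of EKU OIDs)
    tbs, sig_alg, _sig = [b for _, b in der_items(next(der_items(der))[1])]
    alg = decode_oid(next(der_items(sig_alg))[1])
    exts = [b for t, b in der_items(tbs) if t == 0xA3]  # [3] EXPLICIT Extensions
    ekus = []
    for _, ext in (der_items(next(der_items(exts[0]))[1]) if exts else ()):
        fields = list(der_items(ext))  # extnID, optional critical flag, extnValue
        if decode_oid(fields[0][1]) == EKU_EXT:
            ekus = [decode_oid(o) for _, o in der_items(next(der_items(fields[-1][1]))[1])]
    return SIG_ALGS.get(alg, alg), ekus

# Constructed, unsigned certificate skeleton used as sample input (all lengths < 128).
def tlv(tag, body): return bytes([tag, len(body)]) + body

def oid(dotted):
    a, b, *rest = map(int, dotted.split("."))
    out = [40 * a + b]
    for v in rest:
        enc = [v & 0x7F]
        while v := v >> 7:
            enc.insert(0, 0x80 | (v & 0x7F))
        out += enc
    return tlv(0x06, bytes(out))

def sample(sig_oid, eku_oids):
    alg = tlv(0x30, oid(sig_oid) + tlv(0x05, b""))
    eku = tlv(0x30, oid(EKU_EXT) + tlv(0x04, tlv(0x30, b"".join(map(oid, eku_oids)))))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + tlv(0xA3, tlv(0x30, eku)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

For a real certificate, pass its DER bytes to `cert_summary` (a PEM file can be converted with `ssl.PEM_cert_to_DER_cert`) and check whether `EAP_OVER_LAN` is in the returned list.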

New Contributor
Posts: 1
Registered: ‎12-13-2013

Re: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

Seth, any workaround for people with 3rd party RADIUS certificates? Am I going to have to re-onboard all of my devices now? I have to use a self-signed RADIUS cert as opposed to a 3rd party, correct?