Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM - Apple Onboard - If statement checking for requirement of Root Cert

  • 1.  CPPM - Apple Onboard - If statement checking for requirement of Root Cert

    Posted Aug 09, 2013 03:37 PM

    Hello,

     

    We were running with ClearPass Policy Manager 6.0.2 for quite a while.

    We recently upgraded to version 6.1.2.

     

    While testing this new CPPM I noticed that the option to install the 'Root Certificate' during the Apple Onboard process was missing. This option usually appeared as Step 1.

     

    I went in and looked at the code and found this...

    {if $client_require_root}
    <strong>{counter}.</strong>&nbsp;&nbsp;&nbsp;&nbsp;{nwa_iconlink icon="images/icon-certificate22.png" text="Install root certificate (click here)"}{nwa_mdps_config name=root_cert}{/nwa_iconlink}{nwa_mdps_config name=root_cert_warning}<br>
    {/if}

     

    During my test I never received the option to install the 'Root Certificate' and subsequently I received the 'Unverified Profile' warning from the Apple device.

    I went in and simply deleted the 'if' statement part which brought back the option to install the 'Root Certificate' which solved the 'Unverified Profile' warning.

     

    I was curious if there is any negative impact to me removing the 'if' statement to ensure that the option to install the 'Root Certificate' is there no matter what?

     

    The Onboard process works either way, but I think based on our user base it would be better if there wasn't this 'Unverified Profile' message.

     

    I should mention that we are using a Local CA on the CPPM Onboard; it is not an intermediate and not signed by any Commercial CAs.

    We do have a Commercial CA for the CPPM (Apache) side though.

     

    Thank you,

     

    Cheers



  • 2.  RE: CPPM - Apple Onboard - If statement checking for requirement of Root Cert

    Posted Aug 09, 2013 08:15 PM

    Since onboarding works fine, there shouldn't be any negative impact as such. This issue seems to be device specific.

    See the link below for more info on a similar issue.

     

    http://community.arubanetworks.com/t5/Authentication-and-Access/Re-802-1x-and-signed-certificates/td-p/17345

     

    Thanks! 



  • 3.  RE: CPPM - Apple Onboard - If statement checking for requirement of Root Cert
    Best Answer

    EMPLOYEE
    Posted Aug 11, 2013 12:32 AM
    Can you upgrade to 6.1.3 and let me know if you still have the issue?


  • 4.  RE: CPPM - Apple Onboard - If statement checking for requirement of Root Cert

    Posted Aug 12, 2013 08:06 AM

    Hello,

     

    @Sriram Subramanian 

    Thank you for the response. I will read through the post in more detail. It seems to be a similar issue.

    In my case it is only the Apple devices complaining about the 'Unverified Profile'. I can make the error go away by removing the 'if' statement and installing the Root Cert of the Onboard. But I will take a second pass at the post to make sure I didn't miss anything. Thank you!

     

    @tarnold

    I can indeed upgrade.

    Do you know why this 'if' statement might have been added? Could it be for devices that had previously gone through the Onboard process and therefore would already have the Root Cert for the Onboard? I am also curious now as to why it has decided the Apple devices do not require this cert.

     

    Thank you again for the responses. I will try to get our CPPM upgraded. I am currently struggling with communication issues with the upgrade servers that I am hoping to get sorted out shortly.



  • 5.  RE: CPPM - Apple Onboard - If statement checking for requirement of Root Cert

    Posted Aug 12, 2013 02:03 PM

    The "client_require_root" variable is set when Onboard detects that the client will require the installation of the root CA certificate in order to verify the profile.

     

    When the Profile Signing certificate is trusted* by Apple, the client does NOT need to trust the Onboard CA certificate prior to Onboarding, as the profile will show as "Verified".  In this case, "client_require_root" should be FALSE.

     

    When the Profile Signing certificate is not trusted by Apple, the client will need to trust the Onboard CA certificate prior to Onboarding, because otherwise the profile will show as "Not Verified".  In this case, "client_require_root" should be TRUE.  This is the default for the out-of-the-box configuration, as the Profile Signing certificate will be issued by the default Onboard Local Certificate Authority, which is of course not trusted by iOS by default.

     

    * this means "is issued by a certificate authority that is preconfigured on iOS" - see http://support.apple.com/kb/ht5012 for the list of trusted root certificate authorities.

     

    Summary:

     

    If you have a Profile Signing certificate that is issued by a commercial CA, then you should not see the "Install root certificate" link, because "client_require_root" will be FALSE.

     

    If you are not seeing this link, and you are getting "Not Verified" when installing the profile, this could be a bug; please open a TAC case and be sure to provide the exact certificate that you are using to sign the profiles.
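
    The decision described in this reply, as an added example that is not part of the original post and is not ClearPass code: the signing certificate either chains to a root the device already trusts or it does not. The function name needs_root_install, the file names and the certificates are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added illustration with throwaway certificates; not ClearPass code.
# needs_root_install is a hypothetical stand-in for the client_require_root decision.

# Print TRUE when the signing cert does not chain to a root in the given bundle.
# $1: profile signing cert (PEM)  $2: PEM bundle of roots the device already trusts
# Note: openssl may also consult its default CApath; a freshly generated CA is never there.
needs_root_install() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo FALSE
    else
        echo TRUE
    fi
}

# Create a self-signed root. $1: file prefix  $2: common name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a profile signing cert from a root. $1: CA prefix  $2: leaf prefix
issue_signer() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Profile Signing (constructed)" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

# Run the three cases and print the results in order.
demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/onboard" "Onboard Local CA (constructed)"
    make_ca "$dir/public" "Stand-in Preinstalled Root (constructed)"
    issue_signer "$dir/onboard" "$dir/local_signer"
    issue_signer "$dir/public" "$dir/public_signer"
    # Device store holds only the stand-in preinstalled root.
    a=$(needs_root_install "$dir/local_signer.pem" "$dir/public.pem")
    b=$(needs_root_install "$dir/public_signer.pem" "$dir/public.pem")
    # Same local signer once the Onboard root has been installed on the device.
    c=$(needs_root_install "$dir/local_signer.pem" "$dir/onboard.pem")
    rm -rf "$dir"
    echo "$a $b $c"
}

demo  # prints: TRUE FALSE FALSE
```

    The first result corresponds to a signing certificate issued by a local CA, the second to one issued by a root the device already trusts, and the third to the local case after the root has been installed.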

     



  • 6.  RE: CPPM - Apple Onboard - If statement checking for requirement of Root Cert

    Posted Aug 13, 2013 10:03 AM

    @amigodave

    Thank you for the clarification on this check.

    It makes sense now why it is there and it is a great addition to the Onboard process!

     

    For the Onboard CA we are using a self-signed certificate (so it is not a commercial CA).

    With the "client_require_root" in the code, the option to install the root certificate is not available.

    So it would appear that possibly the code is not functioning as intended.

     

    I can open a TAC case. Perhaps there is something that I am not doing properly.

     

    @tarnold

    I just upgraded our server to 6.1.3. I will test the behavior and see how it works now.

     

    Thank you both for your assistance.

     

    ----------------------------------------------------------------------

     

    Just a quick update.

    I have now been able to test on an Apple device after upgrading our CPPM to version 6.1.3.

    It would appear that the "client_require_root" is now functioning correctly.

    On the Apple device the option to install the root cert is appearing with the appropriate code being in place.

     

    Thank you for the help