MVP
Posts: 385
Registered: ‎05-09-2013

ClearPass - Windows Security Alert

Hi all,

I am working with a client who is implementing ClearPass Policy Manager for their 802.1x wireless network. The service and all its components are configured and everything is working; however, after typing in their username/password on the machine (win7 laptop), they were not getting connected. I looked in Access Tracker and the alert stated "unknown ca". I enabled the cert in the trusted certificate list on ClearPass, which allowed them to connect to the network, but they were then prompted with a Windows Security Alert message (please see attached). The cert is already trusted on the machine; is there any other way to have it not prompt the users with this error? If they click connect it works, but the plan is to make the cut over seamless.

Thanks for the help!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: ClearPass - Windows Security Alert

The cert has to be trusted in the profile on the client in order to not get that box.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: ClearPass - Windows Security Alert

So pretty much this dialogue is asking you if you are OK with sending your credentials to this authentication server. You will always get this the first time you connect to an 802.1X network (wired or wireless) unless the client is preconfigured with something like ClearPass QuickConnect or via group policy for AD-joined devices.

In Windows 8, they made the text of the box a little more clear for the end user (less like an error):

[Image: cappyroam-cert-win8.png]

The idea is that once the user trusts the specific cert chain and server name, they will be prompted with the same dialog again if they connect to a network with the same name, but different AAA infrastructure on the back end. Someone can easily stand up a network with the same SSID and capture the user's credentials in the EAP transaction. That is why it's so critical to ALWAYS check the server certificate and server name. Only turn it off on the client for troubleshooting.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
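
An added example, not part of the thread or any poster's code: a Python check over a wireless profile exported with `netsh wlan export profile`, reporting whether the PEAP settings pin the trusted root CA and server name discussed above. The two XML fragments are constructed and trimmed to the relevant element; the host name and thumbprint are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed PEAP fragments in the shape an exported WLAN profile uses.
# Host name and thumbprint are placeholders, not values from the thread.
PINNED = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>clearpass.example.com</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
</EapType>"""
UNPINNED = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
</EapType>"""

def local(tag):
    """Strip the XML namespace so V1 and V2 PEAP schemas are matched alike."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return a list of findings; an empty list means the server is fully pinned."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if local(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no ServerValidation element found in the profile"]
    fields = {}
    for child in sv:
        fields.setdefault(local(child.tag), []).append((child.text or "").strip())
    findings = []
    if not any(fields.get("TrustedRootCA", [])):
        findings.append("no TrustedRootCA: issuing CA is not pinned")
    if not any(fields.get("ServerNames", [])):
        findings.append("no ServerNames: any server under a trusted CA is accepted")
    if fields.get("DisableUserPromptForServerValidation", ["false"])[0].lower() != "true":
        findings.append("user may be prompted to trust an unknown server")
    # PerformServerValidation (V2 schema) can sit outside ServerValidation.
    for e in root.iter():
        if local(e.tag) == "PerformServerValidation" and (e.text or "").strip().lower() == "false":
            findings.append("PerformServerValidation is false: validation is switched off")
    return findings

if __name__ == "__main__":
    for name, doc in (("pinned", PINNED), ("unpinned", UNPINNED)):
        print(name, audit_profile(doc) or "OK")
```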