11-26-2013 10:34 AM
I am working with a client who is implementing ClearPass Policy Manager for their 802.1x wireless network. The service and all it's components are configured and everything is working, however after typing in their username/password on the machine (win7 laptop), they were not getting connected. I looked in Access Tracker and the alert stated "unknown ca". I enabled the cert in the trusted certificate list on ClearPass, which allowed them to connect to the network, but they were then prompted with a Windows Security Alert message (please see attached). The cert is already trusted on the machine, is there any other way to have it not prompt the users with this error? If they click connect it works, but the plan is to make the cut over seemless.
Thanks for the help!
Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
11-26-2013 12:32 PM - edited 11-26-2013 12:34 PM
So pretty much this dialogue is asking you if you are OK with sending your credentials to this authentication server. You will always get this the first time you connect to an 802.1X network (wired or wireless) unless the client is preconfigured with something like ClearPass QuickConnect or via group policy for AD-joined devices.
In Windows 8, they made the text of the box a little more clear for the end user (less like an error):
The idea is that once the user trusts the specific cert chain and server name, they will be prompted with the same dialog again if they connect to a network with the same name, but different AAA infrastructure on the back end. Someone can easily stand up a network with the same SSID and capture the users credentials in the EAP transaction. That is why its so critical to ALWAYS check the server certificate and server name. Only turn it off on the client for troubleshooting.