Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Clearpass 802.1x template unknown_CA

Hi Guys,

I am a little confused how this works.

I have a controller and ClearPass. Created service Aruba802.1x template and it's working with local user database for tests.

Works ok with iOS and Android.

When we get to Windows it fails to connect, saying on tracker: EAP-PEAP - fatal alert by client unknown_ca

I see that I don't have a CA on the Windows network. Is it possible to use one in ClearPass?

If not, what should I do? Disable certificates on 802.1x?

Sorry, but I am not used to Cpass

Regards

Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: Clearpass 802.1x template unknown_CA

That's likely because it's using the self-signed certificate that comes out
of the box.



Do you have an Aruba partner? There is a bit of planning around certs and
authentication methods that should happen before you deploy.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Clearpass 802.1x template unknown_CA

I am the installer.

Not the client. We had already installed some with AD and the clients had certificates.

This client does not have the CA on Windows server, so for this I am a little confused on planning.

Do I need a CA? Can't we just not use ClearPass certificate?

Regards

Guru Elite
Posts: 20,426
Registered: ‎03-29-2007

Re: Clearpass 802.1x template unknown_CA

Beconnect,

What are you trying to configure?

Is it EAP-PEAP or TLS?

Did you install a server certificate on ClearPass?

Did you also install the CA that issued the certificate in ClearPass's trust list?

Does the Windows client have "Validate Server Certificate Enabled"?

Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: Clearpass 802.1x template unknown_CA

Here are your options:

If you're supporting BYOD devices without Onboard, you'll need to get a publicly signed certificate.

If you're supporting only managed clients (Group Policy or Profile Manager/MDM), then you can use a self-signed certificate.

If you're using Onboarding for ALL users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.

If you're using Onboarding for ALL users and doing dual SSID onboard, you can use a self-signed or private RADIUS server cert, but you need a public web server certificate.

If you're using Onboarding for some users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.

If you're using Onboarding for some users, and doing dual SSID onboard, you'll need a publicly signed RADIUS and web certificate.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Clearpass 802.1x template unknown_CA

Hi guys,

Not using Onboard... no licenses for that.

Just ClearPass Policy Manager.

The only thing that I have done was the integration of ClearPass with Aruba via the Aruba technote v1.3 integration (attached).

What I see is that, upon the creation of the service, I suppose no certificate was installed.

Should I install one? Is it possible?

BYOD is working ok connected via 802.1x and certificate... Windows not.

I only configured the service template on ClearPass and configured the controller by reading the technote.

Regards

Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: Clearpass 802.1x template unknown_CA

Yes, you should get a publicly signed SSL certificate.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 20,426
Registered: ‎03-29-2007

Re: Clearpass 802.1x template unknown_CA

If you are just testing, uncheck "Validate Server Certificate" on your Windows machine.  Otherwise you should get a public certificate for your server and upload the CA from that public certificate to the trusted list.



Colin Joseph
Aruba Customer Engineering


Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Clearpass 802.1x template unknown_CA

Guys,

So I should buy a public certificate?

Install on Windows server and upload to the trust list of ClearPass? I am not using LDAP authentication, why do I need the server certificate?

Attached the config of the ClearPass service.

Sorry for being so dummy on this.

Regards

Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: Clearpass 802.1x template unknown_CA

You would do a CSR on ClearPass. Purchase the SSL certificate and upload it to ClearPass as the RADIUS server certificate. You don't need to do anything on a Windows server.

Take a look at this slide deck: http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Real-world-802-1X-Deployment-Challenges/gpm-p/129211

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
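
Added example, not written by any poster in this thread: the trust decision behind the `unknown_ca` alert, reproduced offline with `openssl`. A client that validates the server certificate rejects a self-signed RADIUS certificate but accepts one issued from a CSR by a CA already in its trust store. All subjects, file names and the `client_validates` helper are made up for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, subject and file here is invented for illustration.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# 1. Stand-in for the out-of-the-box RADIUS certificate: self-signed,
#    so no CA in the client's trust store vouches for it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=radius.example.test" \
  -keyout "$work/self.key" -out "$work/self.crt" 2>/dev/null

# 2. Stand-in for a root CA the client already trusts (the role a public CA plays).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Trusted Root" \
  -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null

# 3. The flow from the last reply: create a CSR for the RADIUS server,
#    have the CA sign it, and use the result as the server certificate.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=radius.example.test" \
  -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
openssl x509 -req -in "$work/srv.csr" -days 1 \
  -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
  -out "$work/srv.crt" 2>/dev/null

# Hypothetical helper: models a supplicant with server certificate validation
# enabled whose trust store contains only the demo root. A chain that does not
# end at that root is reported with the alert name seen in the tracker.
client_validates() {
  if openssl verify -CAfile "$work/ca.crt" "$1" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "unknown_ca"
  fi
}

echo "self-signed server cert: $(client_validates "$work/self.crt")"
echo "CA-issued server cert:   $(client_validates "$work/srv.crt")"
```

This only models chain building to a trusted root; a real supplicant can additionally be configured to check the server name and restrict which roots are acceptable for the SSID.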