03-11-2014 01:17 PM
Hi all -
I feel like I'm trying to do something here that is unusual. We have several Linux clients - and we are trying to get certificates created for them so we can do 2 factor authentication for VPN and Wireless access.
So far I'm not having much luck - we are using Ubuntu 12.04, we had been working with an integrator, but he didn't know just what to do for Linux.
When I create a certificate on the ClearPass server, the first issue I run into is that I need to add 2 MAC addresses to the new certificate - I can't seem to do that. Once I create the certificate, download it to the Linux system and try to connect to either the wireless or the VIA, I get errors with either invalid certificate or invalid EAP method.
Let me just say that I really don't know all that much about Linux and am just trying to get it working the best I can - so any assistance would be great.
ClearPass server is running ver 126.96.36.199630, Aruba 3400, v 188.8.131.52
03-11-2014 03:19 PM
So after doing more searching, I found this post:
and it appears that my cert chain is not installed, even though I downloaded the certificate chain - I'm guessing it's not installed in the OS (gosh, probably because I'm not sure how to do that). So I'll go do some more research and see how to install the chain in Ubuntu.
03-12-2014 08:15 AM
So we have the controller certificate chain and the user certificate chain imported into the OS but when I connect to the wireless I see the following:
2014-03-12 09:10:04,366 [Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
2014-03-12 09:10:04,366 [Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2014-03-12 09:10:04,366 [Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2014-03-12 09:10:04,366 [Th 9 Req 5156 SessId R000001b9-01-532078c2] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
Trying VIA now - but looks like it's having other issues - I'll fix those and be back.
03-14-2014 03:22 PM
Wow - this has been really a cluster to say the least.
We finally got the system to connect to the wireless network, using the user certificate from the server (downloaded only the cert, not the entire chain), then in the wireless configuration, using the downloaded user cert (p12), but not adding a CA in (that just doesn't seem right to me but it's working).
The certificates that we export from the ClearPass server are odd - the user cert has the user certificate first, then the root, then the intermediate server listed - very odd and it's not working correctly. VIA connects for about 3 seconds then disconnects - sometimes I see errors in the ClearPass logs - lately not so much.
Looking in the Linux logs, we see invalid cert errors - so it seems like we are just going in circles.
VIA doesn't look at the system store for the CAs - you have to import them in individually - again - not really ideal and still not working correctly.
So after beating our heads on this all day, giving it a rest for the weekend.
I still have hope somebody out there has gone over this ground and has some thoughts.
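On the certificate order and the "unknown CA" alert described in the post above, an added example that is not part of the original thread and is not ClearPass or Aruba tooling: it uses the OpenSSL command line to split a .p12 into its client certificate and CA certificates and to verify the chain against a chosen root. All file names, subjects and the password are constructed test data.

```bash
#!/usr/bin/env bash
# Added example: every name, password and certificate here is constructed test data.
set -eu

# Build a throwaway root -> intermediate -> user PKI in directory $1, plus an
# unrelated root, and bundle user.p12 with its CA certs in root-first order.
make_test_pki() {
  local d=$1 n
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'commonName=CN' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  for n in root inter user other; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
      -subj "/CN=Test $n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  for n in root other; do   # two self-signed trust anchors
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/$n.pem" 2>/dev/null
  done
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
    -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/user.pem" 2>/dev/null
  cat "$d/root.pem" "$d/inter.pem" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
    -certfile "$d/chain.pem" -passout pass:test -out "$d/user.p12"
}

# Split bundle $1 (password $2) and verify its client cert against root $3.
# The bundled CA certs are passed as -untrusted chain-building hints, so for
# this check their order in the file is irrelevant; the trusted root decides.
verify_p12() {
  local t; t=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
    -out "$t/client.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys \
    -out "$t/cas.pem" 2>/dev/null
  openssl verify -CAfile "$3" -untrusted "$t/cas.pem" "$t/client.pem" 2>&1 \
    | grep -q ': OK$'
}

# Print the subject of every certificate stored in bundle $1 (password $2).
p12_subjects() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -i '^subject='
}

d=$(mktemp -d); make_test_pki "$d"
p12_subjects "$d/user.p12" test
verify_p12 "$d/user.p12" test "$d/root.pem"  && echo "issuing root trusted: chain OK"
verify_p12 "$d/user.p12" test "$d/other.pem" || echo "unrelated root trusted: verify fails"
```

The second check fails for the same reason a peer sends "unknown CA": the verifier's trust anchor is not the root that issued the chain, regardless of what the bundle itself carries.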
03-14-2014 03:29 PM
03-14-2014 03:32 PM
Thank you for the thought - We'll take a look at that next week - our security guy was starting to get to that point I think - the certs are definitely odd.
We'll take a look and let you all know.
04-07-2014 05:08 AM
Looks like we are both trying to accomplish the same task. You appear to be ahead of me in some ways and I ahead of you in others. I already have Aruba working with Certificates and StrongSwan. A working site to site configuration that can be modified for remote access. I would be happy to share the particulars in return for any progress that you are making with Via and Wireless with certificates.
We use OpenSSL to generate the certificates and keys. We import a P12 (identity cert and key) and a CA cert into the Controller.
For strongSwan it is just a matter of putting them in the correct locations in the file system. There is no real certificate store like in Windows. We are using Debian for production and I use SuSE for testing.
I read the VIA manual and it refers to a certificate store. I wish this was more implicit. I will examine this a little closer today.