03-30-2015 11:34 AM
Hey guys, I just migrated our RADIUS from an NPS server to ClearPass and I'm having some weird certificate issues. We purchased an SSL certificate from Symantec and I created a .pem and imported the intermediate and root CA. We have a cluster with a vIP so all 3 hostnames are in the certificate via SANs. When I look at the certificate it looks great, and everything works except OS X clients get a prompt to verify the certificate every time you connect. iOS, Android and Windows machines connect no problem.
If you click continue it lets you connect, but it's kind of annoying to have to do every time. Not sure why I would have this issue with a commercial cert. If you click show Certificate there is a checkbox that says "always trust" but it still prompts every time.
03-30-2015 11:36 AM
This is a normal process during an EAP-PEAP authentication. The only way to get around this is to preconfigure clients either manually or with a tool like QuickConnect.
You only have to accept the certificate once per SSID (or if you are using different certificates on each RADIUS server, once per RADIUS server).
There are many posts on this topic.
03-30-2015 12:05 PM
The problem is that OS X clients are getting prompted and have to click continue every time they connect. No other clients seem to have this problem and I've deployed CPPM for several other customers and don't remember ever having this problem.
03-30-2015 12:08 PM - edited 03-30-2015 12:10 PM
Are the users being prompted for their local account credentials after clicking accept?
What version of OS X?
What is the root CA?
Is it the same root CA that signed your NPS cert?
03-30-2015 12:08 PM
This network is BYOD supported so some devices are managed and some are not. The configuration is pretty close to how NPS was set up, just with a new certificate. With NPS we never got prompted after the first connection.
03-30-2015 12:12 PM - edited 03-30-2015 12:14 PM
I'm not sure about the OS Versions but I am on 10.10.2 Yosemite and I experience the "verify certificate" prompt issue.
The first time I connected it asked for local credentials to add the cert to the keychain and there is a checkbox for "always trust". That was all expected, however now every time I connect it asks to verify certificate, if I click continue it lets me connect no problem. I'm worried about this prompt causing some confusion with our customer and I can't figure out why I'm getting this behavior.
The root CA I think it used to be Verisign and now it's Symantec so not signed by the same company but sorta since they purchased them. If that makes sense? I imported the one that Verisign suggested when I got the cert.
03-30-2015 12:22 PM
03-30-2015 12:30 PM
After clicking accept and connecting, can you check the Keychain and see if the RADIUS cert is listed and trusted?