Contributor I
Posts: 31
Registered: ‎07-24-2014

Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

Hey guys, I just migrated our RADIUS from an NPS server to ClearPass and I'm having some weird certificate issues. We purchased an SSL certificate from Symantec and I created a .pem and imported the intermediate and root CA. We have a cluster with a vIP so all 3 hostnames are in the certificate via SANs. When I look at the certificate it looks great, and everything works except OSX clients get a prompt to verify the certificate every time you connect. iOS, Android and Windows machines connect no problem.

 

If you click continue it lets you connect, but it's kind of annoying to have to do every time. Not sure why I would have this issue with a commercial cert. If you click Show Certificate there is a checkbox that says "always trust" but it still prompts every time.

 

Any ideas?

 

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

This is a normal process during an EAP-PEAP authentication. The only way to get around this is to preconfigure clients either manually or with a tool like QuickConnect.

 

You only have to accept the certificate once per SSID (or if you are using different certificates on each RADIUS server, once per RADIUS server).

 

There are many posts on this topic.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

Robert,

 

Are you using Onboard, and are you doing it for corporate-owned devices or guest devices or both? 

 

Swack

Contributor I
Posts: 31
Registered: ‎07-24-2014

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

The problem is that OSX clients are getting prompted and have to click continue every time they connect. No other clients seem to have this problem and I've deployed CPPM for several other customers and don't remember ever having this problem.

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

[ Edited ]

Are the users being prompted for their local account credentials after clicking accept?

 

What version of OS X?

 

What is the root CA?

 

Is it the same root CA that signed your NPS cert?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 31
Registered: ‎07-24-2014

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

This network is BYOD supported, so some devices are managed and some are not. The configuration is pretty close to how NPS was set up, just with a new certificate. With NPS we never got prompted after the first connection.

Contributor I
Posts: 31
Registered: ‎07-24-2014

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

[ Edited ]

I'm not sure about the OS versions, but I am on 10.10.2 Yosemite and I experience the "verify certificate" prompt issue.

 

The first time I connect it asked for local credentials to add the cert to the keychain and there is a checkbox for "always trust". That was all expected; however, now every time I connect it asks to verify certificate. If I click continue it lets me connect no problem. I'm worried about this prompt causing some confusion with our customer and I can't figure out why I'm getting this behavior.


The root CA, I think, used to be VeriSign and now it's Symantec, so not signed by the same company but sorta, since they purchased them. If that makes sense? I imported the one that VeriSign suggested when I got the cert.



Frequent Contributor I
Posts: 69
Registered: ‎05-06-2013

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

That is strange as I would expect the root cert would already be trusted in the System Keychain. I'll ask my Mac support guy the next time I see him and see if I can find something out.
Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

That root CA is included with OS X.



After clicking accept and connecting, can you check the Keychain and see if the RADIUS cert is listed and trusted?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 31
Registered: ‎07-24-2014

Re: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

Yes, the cert is showing up in my keychain and is set to always trust.
