02-06-2017 02:19 PM
I have what seems to be a peculiar issue. We run an Aruba ClearPass VM with two Aruba wireless controllers running in active/passive mode. We also have a good number of 720 APs that connect to these controllers.
We have several SSIDs, but the ones affected by this issue authenticate using 802.11x.
Last week I was made aware that the RADIUS and HTTP server certificates were expiring. These certificates were real ones issued by the third-party CA Symantec. However, instead of renewing them, I was asked to replace the certificates with a wildcard certificate we've been using recently with other gear that needed it. The reason for moving to a wildcard certificate is an obvious one: cheaper to reuse one instead of getting individual ones.
Ever since switching to wildcard certificate, we have Windows wireless clients that can no longer connect. The error logged in ClearPass is the subject of this topic:
EAP-PEAP: fatal alert by client - access_denied TLS session reuse error
I tried manually installing the wildcard certificate on a test Windows laptop that is affected by this, but it doesn't work. I also went into Group Policy and enabled acceptance of third-party and trusted peer CAs, to no avail.
Interestingly, I use an Android phone and it connects to the affected SSID without issue. So it seems Windows clients are probably by default not seeking the updated certificate, or insist on using the previous, now-outdated certificate, as it's the same FQDN hostname but using a brand new wildcard certificate instead.
Thanks in advance
02-06-2017 02:22 PM
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
02-06-2017 02:22 PM
02-06-2017 02:31 PM
Sure it does. I implemented the same wildcard certificate on a Cisco ASA VPN concentrator for AnyConnect remote access clients. It works fine.
Or are you saying Microsoft PEAP doesn't support wildcard?
Victor Fabian wrote:
Windows doesn't support wildcard cert for 802.1x authentication
02-06-2017 02:33 PM
Alright. How can I compel Windows to fetch the updated cert from the ClearPass?
You cannot use a wildcard certificate as the EAP server certificate.
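A quick way to verify the point above before a certificate goes onto the RADIUS server. This is an added example, not code from the thread or from Aruba: it pulls the subject CN and SAN DNS names out of a PEM certificate, rejects any name containing a wildcard, and also checks for the Server Authentication EKU that EAP server certificates need. It assumes the `openssl` command-line tool is installed; the three test certificates it builds are constructed throwaway inputs, not real ones.

```shell
#!/bin/sh
# Added example (not from the thread). Checks whether a PEM certificate is
# usable as an EAP (PEAP/EAP-TLS) server certificate: no wildcard names and
# the Server Authentication EKU present. Assumes the openssl CLI exists.

# Print every DNS name the certificate presents: subject CN, then SAN DNS entries.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed only if the certificate carries extendedKeyUsage = serverAuth.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Return 0 if acceptable as an EAP server certificate,
# 1 if any name is a wildcard, 2 if the Server Authentication EKU is missing.
eap_cert_check() {
    names=$(cert_names "$1")
    bad=$(printf '%s\n' "$names" | grep '\*' | head -n 1)
    if [ -n "$bad" ]; then
        echo "REJECT $1: wildcard name '$bad' (not usable as an EAP server certificate on Windows)"
        return 1
    fi
    if ! has_server_auth_eku "$1"; then
        echo "REJECT $1: no Server Authentication EKU"
        return 2
    fi
    echo "OK $1: $(printf '%s\n' "$names" | tr '\n' ' ')"
    return 0
}

# Build a throwaway self-signed certificate (constructed test input, 1-day
# validity) with the given name as CN and SAN. Pass "noeku" to omit the EKU.
make_test_cert() {
    name="$1"; out="$2"; mode="${3:-eku}"
    cat > "$out.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
EOF
    [ "$mode" = "noeku" ] || echo "extendedKeyUsage = serverAuth" >> "$out.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$out.cnf" \
        -keyout "$out.key" -out "$out.pem" 2>/dev/null
}

# Demo: a wildcard cert (the thread's situation), a proper host cert, and a
# host cert that lacks the EKU.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_cert '*.example.com'      "$WORK/wild"
make_test_cert 'radius.example.com' "$WORK/host"
make_test_cert 'radius.example.com' "$WORK/noeku" noeku
eap_cert_check "$WORK/wild.pem"
eap_cert_check "$WORK/host.pem"
eap_cert_check "$WORK/noeku.pem"
```

Run it against the certificate you are about to load into ClearPass (`eap_cert_check /path/to/radius.pem`); a `REJECT` on the wildcard line reproduces exactly the mistake described in this thread before any client sees it.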
02-06-2017 02:34 PM
02-06-2017 02:39 PM - edited 02-06-2017 02:39 PM
So.... My only recourse is self-signed or purchase another real one, right?
And if I do self-signed, that will warn everyone that they're potentially accessing an unsafe resource when they connect, no? Or is there a way to suppress that?
I realize I'm probably asking stupid questions to circumvent intended design, but I do appreciate your insight.
02-06-2017 02:42 PM
Public will prompt the user to verify the server certificate, but they don't have to have it installed.
For these reasons, PEAPv0/EAP-MSCHAPV2 is wildly insecure in unmanaged environments and should be avoided.
02-06-2017 02:47 PM
How do you suppose that our Android and iPhone user base can connect without issue?
My Android connects as it did before I installed the wildcard cert. I was told that the iPhone prompts to accept the certificate, but it works.
02-06-2017 02:49 PM