Occasional Contributor I

EAP-TLS: fatal alert by client - unknown_ca

Hi, I installed a new ClearPass, latest release, restored the backup and added new certificates (I have an internal ROOT CA - this is in the trusted list). All laptops work fine but all mobile devices give me the error "EAP-TLS: fatal alert by client - unknown_ca". I tried to use a self-signed certificate but nothing works. Tablets and smartphones have the old certificate from the old ROOT CA. Must I re-run the onboard process on all devices, or is there a simple way to accept mobiles? Thanks.
Guru Elite

Re: EAP-TLS: fatal alert by client - unknown_ca

What are you using for the EAP server certificate?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: EAP-TLS: fatal alert by client - unknown_ca

Yes, AP105 and 205 with RADIUS ClearPass
Guru Elite

Re: EAP-TLS: fatal alert by client - unknown_ca

Please tell us about your EAP server certificate. Is it public CA-signed, self-signed or internally signed? Are your devices managed or unmanaged?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: EAP-TLS: fatal alert by client - unknown_ca

Internal CA with devices managed
Guru Elite

Re: EAP-TLS: fatal alert by client - unknown_ca

The device doesn’t appear to have the signing CA of the EAP server certificate installed in its trust store.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: EAP-TLS: fatal alert by client - unknown_ca

I loaded the RADIUS certificate of my internal CA into the trusted store of ClearPass. The onboarded certificates were generated by OLD_CA, while now I have a RADIUS certificate from NEW_CA. Both CAs are on the trusted list of ClearPass.
Guru Elite

Re: EAP-TLS: fatal alert by client - unknown_ca

The signing CA of the EAP server certificate needs to be installed on the clients and configured in the supplicant.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
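
The client-side check described in the reply above, reproduced as an added example that is not part of the original thread. OLD_CA and NEW_CA reuse the poster's names, but the roots, the `radius-old`/`radius-new` certificates and all file names are throwaway values generated locally; the row `OLD_CA` / `radius-new` corresponds to the mobile devices in the thread, assuming they trust only the old root.

```bash
#!/usr/bin/env bash
# Constructed lab: OLD_CA and NEW_CA are throwaway roots generated here.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed root CA (key + certificate) under $WORK.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_server CA NAME: EAP (RADIUS) server certificate NAME signed by CA.
issue_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verdict STORE CERT: "accept" if CERT chains to a root in STORE, otherwise
# "unknown_ca" (the alert a supplicant sends when it cannot build the chain).
verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo unknown_ca
  fi
}

make_ca OLD_CA
make_ca NEW_CA
issue_server OLD_CA radius-old   # server certificate before the migration
issue_server NEW_CA radius-new   # server certificate after the migration
cat "$WORK/OLD_CA.pem" "$WORK/NEW_CA.pem" > "$WORK/both.pem"  # transition store

printf '%-12s %-11s %s\n' "client trust" "server cert" "result"
for store in OLD_CA NEW_CA both; do
  for srv in radius-old radius-new; do
    printf '%-12s %-11s %s\n' "$store" "$srv" \
      "$(verdict "$WORK/$store.pem" "$WORK/$srv.pem")"
  done
done
```

A client whose trust store holds both roots accepts either server certificate, which is the state clients need to reach before the old server certificate expires.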
Occasional Contributor I

Re: EAP-TLS: fatal alert by client - unknown_ca

I solved it by restoring the old certificates, but these expire next year. Can I push the new certificate automatically to all mobile devices with the onboard system? PS: I have a new root CA.