Security

HI All,

I'm have a CPPM 6.2 installation currently working nicely just doing 802.1x with PEAP-MSCHAPv2 authentication against AD.

The server has a public certificate installed for terminating the Radius (Entrust).

I'd like to try and get a small group of devices onboarded and i think i've got the setup fairly close to right, i am using a self signed internal CA and have setup the provisioning profiles to connect using TLS.

The issue i'm having is when i try and onboard a Windows device, it successfully onboards however when it switches over to the TLS authentication afterwards, it fails to logon with the following error in the access tracker. Anybody got any ideas where to start here?

My assumption is that the TLS authentication should be checked against the onboard repository and not the AD server?

further to that, if it turn of certificate validation on the client it appears to work ok.

I am using the auto trust settings in the wireless profile on the Onboard configuration.

 

RADIUS

[Onboard Devices Repository] - localhost: User not found. EAP-TLS:  fatal alert by client -  access_denied

---

The section that says fatal alert by client means the client dosent trust the server. Make sure you combine the Root/Intermediate/server cert.

If you need to add them in the trusted server list in the network settings.

Here is an example of my cert.

And If you want to push out the root separate then you can add it to the network settings. In my example I have GoDaddy UCC cert that is signed by starfield and Im pushing the root cert to the client. 

thanks Troy, you've saved me again!

I added the server name and root CA's manually into the trust settings and it works a treat!

Any idea why the auto trust doesn't do this for you?

Scott

It comes down to how you import the cert. If you Import just the cert, or if the chain isn't put into the cert correctly then you will run into that issue.

When you use the auto select it pulls the cert from the CPPM cert.