2 weeks ago
I’m having problems with getting Onboard to work in a two Clearpass cluster with publically signed certs installed for both RADIUS and https.
I’m trying to use Onboard as the root CA.
After provisioning, when the client tries to connect I get this error in Access Tracker:
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request
RADIUS Certificate Status unknown, Reason (UNKNOWN)
EAP-TLS: fatal alert by server - internal_error
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
Is this a clue?
My Clearpass server is joined to an AD domain ending in “.local” but the public cert, obviously, does not have this ‘local’ address . Therefore the hostname and FQDN of the clearpass server match what’s in AD, not what’s on the public cert.
Both the clearpass.publicaddress.com and clearpass.local have entries in the internal DNS server that the client uses. Clients do not get browser errors when browsing to clearpass.publicaddress.com
Does the FQDN set in Clearpass and the public certificate name need to match? I’m hoping the answer to that is “no.”
Any other ways to track down the reason for the 215 errors?
Solved! Go to Solution.
2 weeks ago
Once again, problem discovered soon after posting to the world... :-)
The template used to create the services added
[EAP-TLS with OCSP Enabled] as an authentication method.
For some reason, that method had a hard coded OCSP URL in it (did I do that, or does it come that way?)
Anyway, making a new Authentication method of EAP TLS with OCSP with no OSCP URL override has things working.