
Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

  • 1.  Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

    Posted Mar 31, 2014 04:11 PM

     

    I was wondering if anybody has seen this issue before:

     

    "There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating:

    USCPPS2401: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating"

     


    I have changed the setting to automatically validate cert to manually.

     

    Thanks

     



  • 2.  RE: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

    EMPLOYEE
    Posted Mar 31, 2014 04:20 PM

    Victor,

     

    That is because of the new setting that Windows added for 8.1. You need to make sure the cert you have supports id-kp-eapOverLAN. If you sign the RADIUS cert in 6.3 by onboarding then it will be supported.

     

    Give me a call if you have more questions.



  • 3.  RE: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1
    Best Answer

    EMPLOYEE
    Posted Apr 01, 2014 01:32 AM

    **Update**

     

    I spoke with Victor and thought I would share this.....

     

    This is in the help under certificates if you see an error about your webserver/RADIUS cert on 6.3/6.2.5:

     

    The RADIUS server certificate is used by ClearPass to secure authentication traffic. The HTTPS server certificate is used by ClearPass to secure web traffic. They can be configured in Policy Manager under Administration » Certificates » Server Certificate.

     

    The RADIUS server certificate need not be a certificate issued by a trusted commercial certificate authority. However if you are running ClearPass as a cluster, each server in the cluster must use a certificate signed by the same root certificate authority.

     

    To allow Windows 8.1 devices to authenticate successfully this certificate must contain the id-kp-eapOverLAN extended key usage. ClearPass Onboard includes this when creating a "trusted" certificate; this is the recommended method of creating your RADIUS server certificate(s).

     

    The optimal configuration for Onboard is a HTTPS server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012.

     

    Alternatively if you only wish to use a single Onboard Certificate Authority then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process. Refer to the User Guide for more information.

     

    For testing purposes you can disable the requirement for HTTPS on the Authentication configuration page. However this is an insecure configuration that should not be used in a production environment.

     




  • 4.  RE: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

    Posted Jun 07, 2014 09:38 PM

    Great answer. The real question though is why a CSR created in Policy Manager does not include this attribute.

     



  • 5.  RE: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

    Posted Jul 30, 2014 09:08 AM

    CSR from the ClearPass 6.3.2 will include the EKU “id-kp-eapOverLAN” in the certificate signing request.

     

    Regards,

    Riyaz



  • 6.  RE: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

    Posted Mar 18, 2015 04:01 PM

    Hi there.

    I found this old post as we are having the same issue.

    We are currently running ClearPass Policy Manager 6.4.1.67428 on the CP-VA-5K platform.

    We went through the entire process and created a Certificate Signing Request.

    We got the certificate back from Digicert, imported it, etc., but still have the error message:

    ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.

     

    Not sure at this point what we are doing wrong :(



  • 7.  RE: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

    Posted Apr 27, 2015 08:18 AM

    From what I saw in recent posts, there is a fix for Windows 8.1 that makes it work even without that option enabled. So you shouldn't worry about it if your Windows 8.1 clients get their updates.
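
The check this thread revolves around, as an added example (not part of the original posts and not ClearPass code): a standard-library Python reader that lists the extended key usages in a PEM or DER certificate, so a CA-issued RADIUS certificate can be checked for id-kp-eapOverLAN (OID 1.3.6.1.5.5.7.3.14) before it is imported. The function names and the skeletal sample bytes are constructed for illustration.

```python
import base64
import re

EKU_EXTENSION = "2.5.29.37"          # extKeyUsage extension
EAP_OVER_LAN = "1.3.6.1.5.5.7.3.14"  # id-kp-eapOverLAN (RFC 4334)
# Constructed sample (skeletal DER, not a real certificate): serial + one EKU extension.
SAMPLE_DER = bytes.fromhex("30283026020101a321301f301d0603551d2504163014"
                           "06082b0601050507030106082b0601050507030e")

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            count = length & 0x7F
            length = int.from_bytes(buf[pos:pos + count], "big")
            pos += count
        yield tag, pos, pos + length
        pos += length

def decode_oid(body):
    """Convert DER OID content bytes to dotted-decimal text."""
    subs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of a sub-identifier
            subs.append(value)
            value = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def extended_key_usages(cert):
    """Return the EKU OIDs of a PEM or DER certificate ([] if it has no EKU extension)."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
    der = base64.b64decode(pem.group(1)) if pem else cert
    _, start, end = next(children(der, 0, len(der)))  # Certificate
    _, start, end = next(children(der, start, end))   # tbsCertificate
    wrappers = [(s, e) for tag, s, e in children(der, start, end) if tag == 0xA3]
    for start, end in wrappers:                           # [3] extensions
        _, start, end = next(children(der, start, end))  # SEQUENCE OF Extension
        for _, ext_start, ext_end in children(der, start, end):
            parts = list(children(der, ext_start, ext_end))  # OID, [critical], value
            if decode_oid(der[parts[0][1]:parts[0][2]]) == EKU_EXTENSION:
                _, start, end = next(children(der, *parts[-1][1:]))  # KeyPurposeId list
                return [decode_oid(der[a:b]) for _, a, b in children(der, start, end)]
    return []

def has_eap_over_lan(cert):
    return EAP_OVER_LAN in extended_key_usages(cert)
```

Pass the bytes of the certificate file, for example `has_eap_over_lan(open(path, "rb").read())`, where `path` is your own file.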