MVP
Posts: 4,020
Registered: ‎07-20-2011

Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

 

I was wondering if anybody has seen this issue before:

 

"There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating:

USCPPS2401: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating"

 


I have changed the setting to automatically validate cert to manually.

 

Thanks

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

Victor,

 

That is because of the new setting that Windows added for 8.1. You need to make sure the cert you have supports id-kp-eapOverLAN. If you sign the RADIUS cert in 6.3 by onboarding then it will be supported.

 

Give me a call if you have more questions.

Thank You,
Troy

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

**Update**

 

I spoke with Victor and thought I would share this.....

 

This is in the help under certificates if you see an error about your webserver/RADIUS cert on 6.3/6.2.5.

 

The RADIUS server certificate is used by ClearPass to secure authentication traffic. The HTTPS server certificate is used by ClearPass to secure web traffic. They can be configured in Policy Manager under Administration » Certificates » Server Certificate.

 

The RADIUS server certificate need not be a certificate issued by a trusted commercial certificate authority. However if you are running ClearPass as a cluster, each server in the cluster must use a certificate signed by the same root certificate authority.

 

To allow Windows 8.1 devices to authenticate successfully this certificate must contain the id-kp-eapOverLAN extended key usage. ClearPass Onboard includes this when creating a "trusted" certificate; this is the recommended method of creating your RADIUS server certificate(s).

 

The optimal configuration for Onboard is a HTTPS server certificate issued by a trusted commercial certificate authority. A list of certificate authorities trusted by iOS devices can be found at http://support.apple.com/kb/HT5012.

 

Alternatively if you only wish to use a single Onboard Certificate Authority then you can use that Certificate Authority to sign the server certificate. Users will then have to install the certificate as part of the provisioning process. Refer to the User Guide for more information.

 

For testing purposes you can disable the requirement for HTTPS on the Authentication configuration page. However this is an insecure configuration that should not be used in a production environment.

 


Thank You,
Troy

Regular Contributor I
Posts: 176
Registered: ‎12-17-2008

Re: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

Great answer. The real question though is why a CSR created in Policy Manager does not include this attribute.

 


--
ACMA ACMP
Aruba Employee
Posts: 11
Registered: ‎12-31-2010

Re: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

CSR from the ClearPass 6.3.2 will include the EKU “id-kp-eapOverLAN” in the certificate signing request.

 

Regards,

Riyaz

Contributor II
Posts: 40
Registered: ‎05-27-2014

Re: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

Hi there.

I found this old post as we are having the same issue.

We are currently running ClearPass Policy Manager 6.4.1.67428 on the CP-VA-5K platform.

We went through the entire process and created a Certificate Signing Request.

We got the certificate back from Digicert, imported it, etc., but still have the error message:

ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.

 

Not sure at this point what we are doing wrong :(

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: Onboard Error Message for Windows 8.1 - ClearPass 6.3.1

From what I saw in recent posts, there is a fix for Windows 8.1 that makes it work even without that option enabled, so you shouldn't worry about it if your Windows 8.1 clients get their updates.
