When onboarded, the certificates are created in the ClearPass Onboard Environment, and the controller should authenticate to the ClearPass Onboard Server as a Radius Server to validate the credentials of the onboarded devices:
- Configure the ClearPass Onboard Server as a Radius Server in the Controller
- Run the LAN/WLAN Wizard to Stand Up the Onboarded WPA2-AES SSID, choosing the existing ClearPass Onboard Server in the controller as the Radius Server.
On the Onboard Server:
- Configure the Controller as a NAS device in the ClearPass Onboard Server under Radius> Network Authentication Servers
- Have the Onboard Server's Radius Server request a server certificate by going to Radius> Authentication> EAP and 802.1x> Create Server Certificate> Request a Certificate from Another Certificate authority. Fill out the server information and get the CSR file.
Take that file to the Onboard CA (Onboard> Certificate Management> Upload a Certificate Signing Request). When the TLS Server Certificate is created, go to the TLS-server Certificate and click on Export Certificate.
Take that file and apply it to the Onboard Server's Radius Server by going to Radius> Authentication> EAP and 802.1x> Import Server Certificate. When that is done, go back to Radius> Authentication> EAP and 802.1x> EAP Configuration and make sure EAP-MSCHAPv2, EAP-TLS and PEAP are checked. To get it working, you can disable Certificate Revocation Checks, for now.
You will need to restart the Onboard Radius Server before doing anything.
See if you can associate an onboarded client to the SSID.
For troubleshooting, go to Radius> Server Control> Debug Radius Server.
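
A pre-import check for the certificate step above, added here as an example and not part of the original post: it confirms that the certificate exported from the Onboard CA carries the same public key as the CSR, chains to the CA certificate, and has the server-authentication extended key usage. It assumes the CSR and certificates are PEM files and that the `openssl` CLI is available; all file and subject names are constructed.

```shell
#!/bin/sh
# Added example: pre-import checks on the certificate the Onboard CA issued.
# All file names and subject names below are constructed placeholders.

pubkey_hash() {  # $1 = req|x509, $2 = PEM file; prints SHA-256 of its public key
  openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

check_server_cert() {  # $1 = CSR, $2 = issued certificate, $3 = CA certificate
  [ "$(pubkey_hash req "$1")" = "$(pubkey_hash x509 "$2")" ] ||
    { echo "FAIL: certificate key does not match the CSR"; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
    { echo "FAIL: certificate does not chain to the CA"; return 2; }
  openssl x509 -in "$2" -noout -text | grep -q "TLS Web Server Authentication" ||
    { echo "FAIL: no serverAuth extended key usage"; return 3; }
  echo "OK: key matches CSR, chains to CA, serverAuth present"
}

make_demo() {  # $1 = directory; builds a constructed CA, CSRs and certificates
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Constructed Onboard CA" -days 1 2>/dev/null
  for n in radius other; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=$n.example.test" 2>/dev/null
  done
  printf 'extendedKeyUsage=serverAuth\n' > "$d/eku.cnf"
  # good.pem: signed from radius.csr with the serverAuth EKU
  openssl x509 -req -in "$d/radius.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/eku.cnf" -days 1 -out "$d/good.pem" 2>/dev/null
  # noeku.pem: same CSR, but issued without any extended key usage
  openssl x509 -req -in "$d/radius.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/noeku.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_demo "$tmp"
  check_server_cert "$tmp/radius.csr" "$tmp/good.pem" "$tmp/ca.pem"
fi
```

Run the script with `demo` as its first argument to exercise the checks against the constructed CA; for a real import, call `check_server_cert` with the CSR, the exported certificate and the Onboard CA certificate.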