Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SCEP certificate renewal via OSX

  • 1.  SCEP certificate renewal via OSX

    Posted Feb 17, 2016 06:49 PM

    Running into an issue renewing certificates that were issued via SCEP/device profiles with Clearpass Onboard. As the certificates come up as due to expire, OSX dutifully pops up and offers to renew the certificate, however if you click on the "update" button it returns the following error:

     

    "The server at http://clearpass/guest/mdps_scep.php/16 does not support certificate renewal"

     

    Running tcpdump whilst this happens shows a request to the SCEP URL above with an argument of "operation=getCACaps&message=", and a response of the following:

     

    POSTPKIOperation

    SHA-1

    DES3

     

    Is there something I need to change within Onboard to add a capability for supporting SCEP renewal?



  • 2.  RE: SCEP certificate renewal via OSX

    Posted Feb 18, 2016 12:41 AM

    Simon,

     

    We've had issues with the profile renewal on OS X - it likes to delete the old profile before installing the new one, which dumps the WiFi connection and breaks the whole process.

     

    I spoke to  DEV and they said "wasn't aware that there's some way to just get it to do a SCEP request to renew the certificate rather than the whole profile. Maybe it was added in a newer release of OS X? What version are you attempting this on?"

     

    Can you share the exact OS X Version please so we can take a look at this internally?

     

     



  • 3.  RE: SCEP certificate renewal via OSX

    Posted Feb 18, 2016 01:00 AM

    Sure thing - I'm running Yosemite (10.10.5) and we also have El Capitan machines that behave the same way.

     

    The renewal is following this https://support.apple.com/en-us/HT204446 - using SCEP.

     

    Looking at the RFC the server would need to return a capability of "Renewal" for this to happen - https://tools.ietf.org/html/draft-nourse-scep-23#appendix-C.2

     

    As you say, attempting to replace the profile in one go (essentially replacing rather than renewing the client cert) tends to end up dropping the client off the network (I've tested this via Jamf), so I'm not sure what the recommended way to manage replacing expiring certs would be?
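    The GetCACaps exchange captured in post 1 and the "Renewal" keyword referred to in post 3 can be checked client-side with a few lines of code. The following is an added example written for this page, not code from ClearPass Onboard, Apple or the posters: it builds the GetCACaps URL seen in tcpdump, parses the three-line response quoted above (embedded here as a constructed copy), and reports whether the server advertises Renewal. The keyword list is the one in draft-nourse-scep-23 Appendix C.2; the fallback algorithms (MD5, single DES) are the draft's legacy defaults, and case-insensitive keyword matching is a lenient client choice, not something the thread states.

```python
"""Added example for the GetCACaps exchange discussed in posts 1 and 3.

Illustrative code written for this page, not ClearPass Onboard or Apple
code. It builds the GetCACaps query the poster saw in tcpdump, parses the
response body the server returned, and checks for the "Renewal" keyword
that draft-nourse-scep-23 Appendix C.2 requires a server to advertise
before a client may send a renewal request.

Assumptions (not from the thread): the response body is an inline copy of
the captured text; fallback algorithms follow the draft's legacy defaults
(MD5 digest, single DES); keyword matching is case-insensitive as a
lenient client choice.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Keyword list from draft-nourse-scep-23, Appendix C.2.
KNOWN_CAPS = frozenset({
    "AES", "DES3", "GetNextCACert", "POSTPKIOperation",
    "Renewal", "SHA-1", "SHA-256", "SHA-512",
})
_CANONICAL = {k.lower(): k for k in KNOWN_CAPS}

# Constructed copy of the response body quoted in post 1.
CAPTURED_GETCACAPS_RESPONSE = "POSTPKIOperation\nSHA-1\nDES3\n"


def build_getcacaps_url(scep_url: str, ca_ident: str = "") -> str:
    """Return the URL a SCEP client GETs for GetCACaps.

    The draft's message parameter carries the CA identifier; macOS sent
    it empty, which matches what the poster captured.
    """
    parts = urlsplit(scep_url)
    query = urlencode({"operation": "GetCACaps", "message": ca_ident})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_getcacaps(body: str) -> frozenset:
    """Parse a text/plain GetCACaps body: one keyword per line.

    Known keywords are normalised to their canonical spelling; unknown
    keywords are kept verbatim so the caller can see them.
    """
    caps = set()
    for line in body.splitlines():
        kw = line.strip()
        if not kw:
            continue
        caps.add(_CANONICAL.get(kw.lower(), kw))
    return frozenset(caps)


def choose_digest(caps) -> str:
    """Strongest advertised hash, else the draft's legacy default (MD5)."""
    for name in ("SHA-512", "SHA-256", "SHA-1"):
        if name in caps:
            return name
    return "MD5"


def choose_cipher(caps) -> str:
    """Strongest advertised content cipher, else the legacy default (DES)."""
    if "AES" in caps:
        return "AES"
    if "DES3" in caps:
        return "DES3"
    return "DES"


def assess_server(body: str) -> dict:
    """Summarise what a renewing client can do against this server."""
    caps = parse_getcacaps(body)
    return {
        "capabilities": caps,
        "unknown_keywords": caps - KNOWN_CAPS,
        "digest": choose_digest(caps),
        "cipher": choose_cipher(caps),
        "renewal_supported": "Renewal" in caps,
        "post_pkioperation": "POSTPKIOperation" in caps,
    }


if __name__ == "__main__":
    url = build_getcacaps_url("http://clearpass/guest/mdps_scep.php/16")
    print("GET", url)
    report = assess_server(CAPTURED_GETCACAPS_RESPONSE)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["renewal_supported"]:
        print("server does not advertise Renewal; a client may not send a "
              "renewal request and must re-enrol instead")
```

    Run against the captured response, the report shows POSTPKIOperation, SHA-1 and DES3 but no Renewal, which is exactly the condition under which the macOS profile renewal in the first post refuses to proceed. A server that adds "Renewal" to this list (as the 6.6 fix described later in the thread is said to do) would flip `renewal_supported` to true without any change on the client.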

     

     



  • 4.  RE: SCEP certificate renewal via OSX

    Posted Feb 23, 2016 09:49 PM

    Simonh,

     

    Sorry for my delay... I've had a few conversations with one of our DEV team, and they have done some testing with the latest El Cap OS X with no major progress. They have asked:

     

    "The SCEP URL reported suggests they are using the Onboard SCEP server in stand-alone mode (presumably creating the configuration profile via some other mechanism?)

     
    Could you confirm exactly how they are using Onboard here, and if my suspicion that they are using it as just a SCEP server is correct, if they could send along a copy of the .mobileconfig file they're using (or details of how else they're configuring the OS X client to do SCEP)?"


  • 5.  RE: SCEP certificate renewal via OSX

    Posted Feb 24, 2016 05:43 PM

    Hi Danny

    We are indeed doing this externally. We use Casper JAMF to push out a MDM profile to the device that contains the following:

    Wireless network: XXXXXXX, use certificate YY

    SCEP Enrollment: certificate YY obtained from SCEP URL http://clearpass/guest/mdps_scep.php/12

     

    I'm not sure if I can get the mobileconfig file as it's all generated internally within JAMF, but that's the gist of it above. We ship CA certs via a separate profile.



  • 6.  RE: SCEP certificate renewal via OSX

    Posted Feb 25, 2016 02:18 AM

    Hi Simon,

     

    Thanks for the below - a copy of mobileconfig would be very useful.



  • 7.  RE: SCEP certificate renewal via OSX
    Best Answer

    Posted Feb 25, 2016 11:57 PM

    Hi Simon,

     

    Good news. I've managed to get this fixed. It has been checked into the 6.6 code, which we plan on releasing late March/early April. This will provide a way for OS X to renew its certificates in workflows where the .mobileconfig is coming from another source (unfortunately the workflow Onboard uses attempts to renew the entire .mobileconfig and hence does not apply). So please be aware of that.

     

     



  • 8.  RE: SCEP certificate renewal via OSX

    Posted Feb 26, 2016 03:10 PM

    Thanks Danny - that's great news!

    Let me know if there are any opportunities to beta test this at all, since it's a slightly pressing issue for us right now.

     

     



  • 9.  RE: SCEP certificate renewal via OSX

    Posted Apr 21, 2016 05:29 PM

    Hi everyone,

     

    I think I may be running into a similar issue.  Our school district has a few hundred Mac Minis and iMacs that are used by students.  They are on-boarded using ClearPass with a certificate.  Many of them were on-boarded a year ago, and their enrollment certificates are expiring.  I was under the impression that the enrollment certificate wouldn't affect the other certs (e.g. RADIUS certificate), but some have already expired, and I'm hearing from several sites that their wireless Macs are no longer connecting to the network.

     

    Is there any way to specify a period longer than 1 year for validity of the enrollment certificate?  Like, say, forever?  Or maybe 10 or 20 years?  Our site techs have enough to do without having to go touch a hundred Macs and re-enroll them.... not to mention the fact that I'm leaving to go out of the country for a week tomorrow, and won't be able to help them while I'm gone...  Anything I can do for them before the certs all expire?

     

    Thanks!



  • 10.  RE: SCEP certificate renewal via OSX

    EMPLOYEE
    Posted Apr 21, 2016 06:15 PM
    Certificate expiration is set at the CA level.

    One quick question. Are you also supporting BYOD devices with username/password on the same SSID?


  • 11.  RE: SCEP certificate renewal via OSX

    Posted Apr 21, 2016 06:22 PM

    @cappalli wrote:
    Certificate expiration is set at the CA level.

    One quick question. Are you also supporting BYOD devices with username/password on the same SSID?

    I'm not the foremost expert in ClearPass, but I believe CPPM is my CA.  At least, for the enrollment certificates.  Or would that be DigiCert, who is the CA for our external domain?

     

    To answer your question, yes, we are supporting EAP-PEAP (username/password) on the same SSID.  Most BYOD devices connect to our Guests network, but they can also connect to our Secure network using username/password authentication.