Contributor I

Some users cannot connect after updating certificates in Clearpass

We are using an Aruba controller and ClearPass, but after updating the certificates in ClearPass some users cannot authenticate and get a timeout error in Access Tracker. In show auth tracebuf it shows that ClearPass is asking for credentials but the user is not responding; that's why the error is always a timeout in Access Tracker. The ClearPass version is 6.6.5.

How can we fix this issue?

Re: Some users cannot connect after updating certificates in Clearpass

What type of users? Domain machines, iPhone, Android...?

What is the authentication, PEAP or TLS?

 


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Contributor I

Re: Some users cannot connect after updating certificates in Clearpass

Hi Micheal,

Windows 10 domain-joined machines using PEAP are experiencing the problem, but not all Windows 10 machines, because it's working on Android phones and iPhones, where we just need to forget the SSID and connect again. But some Windows laptops cannot connect even if we have already manually installed the certificate. The behavior in Windows 10 is that when you click connect it just keeps loading, and in ClearPass it's just a timeout; even if they use machine authentication it's still a timeout in ClearPass. I've read an article from Microsoft; I don't know if this still applies. https://support.microsoft.com/en-us/kb/3121002

Guru Elite

Re: Some users cannot connect after updating certificates in Clearpass

What certificates did you change? Do your Windows 10 clients have "Validate Server Certificate" enabled? Do they also have specific CAs and a specific server specified on the client that they would connect to?

 

Mobile devices are much more accepting and allow the end user to pretty much accept any mismatch or error, while Windows 10 enforces administrator policies. The biggest problem with Windows 10 and changing a server certificate is that the client devices need to have that server certificate and the CA that issued the server certificate in their trusted store prior to the certificates being put onto the ClearPass server. You did not give us specific information about what certificates you changed. You should open a case with Aruba TAC for more specific help since this could effectively cause an outage in your network.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I

Re: Some users cannot connect after updating certificates in Clearpass

Hi Colin,

I've worked with Aruba TAC on changing the certificates, and it was escalated to Aruba ERT when some users were experiencing issues; they said that the end user needs to do a Windows update. I'm trying to find other resolutions, that's why I raised it here. BTW, both the RADIUS cert and the HTTPS cert were changed. Thanks

Guru Elite

Re: Some users cannot connect after updating certificates in Clearpass

Please post information about your EAP server certificate.

Public CA-signed? Internal CA-signed? Self-signed?

Standard, wildcard, EV?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Some users cannot connect after updating certificates in Clearpass

Hi Tim,
Certificates are self-signed from ClearPass and it's only happening to some users. Aruba ERT advised us to update Windows and we're still waiting for the update to finish.
Guru Elite

Re: Some users cannot connect after updating certificates in Clearpass

That's likely the issue. You should not use a self-signed certificate as the EAP server certificate.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Some users cannot connect after updating certificates in Clearpass

The end user said that they have a public cert in their Active Directory. So ClearPass should have a public certificate? Aruba TAC assisted me in changing the certificates because it's expiring. We also used a self-signed certificate last year.
Guru Elite

Re: Some users cannot connect after updating certificates in Clearpass

You should use either a public CA-signed or internal CA-signed cert. Never a self-signed.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
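
The replies above come down to whether the Windows client can chain the new EAP server certificate to a CA it already trusts. The following is an added example, not part of the thread and not Aruba's code, that runs that check on a client in PowerShell; the function name `Test-EapServerCert`, the sample subject name and the file path are assumptions.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the thread. Needs PowerShell 7, or Windows PowerShell 5.1
# on .NET Framework 4.7.2+ (for CertificateRequest, used only to build the sample).
function Test-EapServerCert {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)

    # Build the chain the way this client would, against its own trust stores.
    # Revocation lookups are skipped so the check also works while off the network.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        Expired       = $Cert.NotAfter -lt (Get-Date)
        SelfSigned    = $Cert.Subject -eq $Cert.Issuer    # issued by itself, no CA above it
        ChainTrusted  = $trusted                          # chain ends in a root this client trusts
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
}

# Constructed sample: an in-memory self-signed certificate (hypothetical name),
# standing in for a server certificate generated on the RADIUS server itself.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=radius.example.test', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1),
                                [DateTimeOffset]::Now.AddYears(1))
Test-EapServerCert -Cert $sample | Format-List

# For a real check, export the new server certificate to a file and pass it in
# (the path is a placeholder):
# Test-EapServerCert -Cert ([X509Certificate2]::new('C:\temp\radius-server.cer'))
```

Run on an affected Windows 10 client before and after distributing the issuing CA, the `ChainTrusted` and `ChainErrors` fields show whether that machine's stores hold what it needs to validate the server certificate.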