Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TLS with AD and CPPM in between

  • 1.  TLS with AD and CPPM in between

    Posted Jan 22, 2017 06:41 PM

    Hi Forum,

     

    Users have a cert issued by AD and used to authenticate directly to AD with the Aruba controller. I installed CPPM in between the users and AD for the added profiling and BYOD capabilities of ClearPass. My ClearPass has a valid RADIUS cert issued for the root CA; the root CA cert and the intermediate CA cert are in CPPM's trusted list. The ClearPass cert, Root CA and intermediate CA certs are all manually installed/trusted on client devices (GPO push). PEAP is working fine but not TLS.

    I get an error saying TLS handshake failed and error unknown CA by client.

    The only thing that I need to ask about is:

    There is a firewall between the clients and CPPM, and that firewall has a cert for SSL decryption and some advanced L7 features. Does the client need to trust that cert as well?

     

    Thanks,



  • 2.  RE: TLS with AD and CPPM in between

    EMPLOYEE
    Posted Jan 22, 2017 06:47 PM

    The client needs to trust the ClearPass server cert and/or the CA that issued the Server Cert



  • 3.  RE: TLS with AD and CPPM in between

    Posted Jan 22, 2017 06:51 PM

    Thanks Colin. 

     

    I understand and like I mentioned above: the client does trust the ClearPass, Root CA, intermediate CA certs.



  • 4.  RE: TLS with AD and CPPM in between

    Posted Jan 22, 2017 06:57 PM
    Did you add your internal Root CA to the ClearPass certificate trust list?



  • 5.  RE: TLS with AD and CPPM in between

    Posted Jan 22, 2017 06:59 PM

    I wonder if you read my post. LoL

    The answer is yes, all certs are in the Trusted list of ClearPass. PEAP functions with no problem; only TLS is not working.



  • 6.  RE: TLS with AD and CPPM in between

    EMPLOYEE
    Posted Jan 22, 2017 07:02 PM

    If there is an unknown CA error, either the client does not trust the CA of the server cert or the RADIUS server does not trust the CA that issued the cert of the client. You need to figure out which situation is the problem.
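The reply above splits the "unknown CA" error into two directions, and each one is a plain X.509 chain-building question. The following Go program is an added example, not code from this thread, HPE Aruba or ClearPass: it builds a throwaway root / intermediate / leaf hierarchy in memory with the standard library (all names such as "Example Root CA" and "clearpass.example.test" are made up) and runs both checks: the client verifying the RADIUS server cert against its trust store, and the server verifying a user cert issued by the intermediate, first with only the root in its trust list and then with root plus intermediate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory stand-in for the thread's AD hierarchy (hypothetical
// names): Root -> Intermediate -> user (client) cert, and Root -> RADIUS server cert.
type PKI struct {
	Root, Inter, Server, Client *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func template(cn string, isCA bool, eku []x509.ExtKeyUsage, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl under parent with the parent's private key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewPKI builds the four certificates described above with fresh P-256 keys.
func NewPKI() PKI {
	rootKey, interKey, srvKey, cliKey := mustKey(), mustKey(), mustKey(), mustKey()
	rootTmpl := template("Example Root CA", true, nil, 1)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := sign(template("Example Intermediate CA", true, nil, 2), root, &interKey.PublicKey, rootKey)
	server := sign(template("clearpass.example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, 3), root, &srvKey.PublicKey, rootKey)
	client := sign(template("user@example.test", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 4), inter, &cliKey.PublicKey, interKey)
	return PKI{Root: root, Inter: inter, Server: server, Client: client}
}

// Verify does what one side of the EAP-TLS handshake does with the peer's certificate: build a
// chain from leaf to an entry in `trusted` (the trust list), using `presented` as untrusted helpers.
func Verify(leaf *x509.Certificate, trusted, presented []*x509.Certificate, eku x509.ExtKeyUsage) (bool, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil, err
}

// IsUnknownCA reports whether err is Go's "signed by unknown authority" chain-building failure.
func IsUnknownCA(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

func main() {
	p := NewPKI()
	ok, err := Verify(p.Server, []*x509.Certificate{p.Root}, nil, x509.ExtKeyUsageServerAuth)
	fmt.Println("client -> server cert, root trusted:", ok, err)
	ok, err = Verify(p.Client, []*x509.Certificate{p.Root}, nil, x509.ExtKeyUsageClientAuth)
	fmt.Println("server -> client cert, root only, no intermediate (unknown CA?):", ok, IsUnknownCA(err))
	ok, err = Verify(p.Client, []*x509.Certificate{p.Root, p.Inter}, nil, x509.ExtKeyUsageClientAuth)
	fmt.Println("server -> client cert, root and intermediate trusted:", ok, err)
}
```

The second check fails with an unknown-authority error exactly when neither the trust list nor the peer supplies the intermediate; once the intermediate is in the trust list or is presented by the client, the chain builds. If both directions pass with the certificates you believe are in play, the next step is to confirm which certificates each side actually received during the handshake rather than to keep re-checking the trust lists.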



  • 7.  RE: TLS with AD and CPPM in between

    EMPLOYEE
    Posted Jan 22, 2017 07:12 PM
    Which certificate is the signing CA for the client cert?


  • 8.  RE: TLS with AD and CPPM in between

    Posted Jan 22, 2017 07:16 PM

    The intermediate is the signing CA.



  • 9.  RE: TLS with AD and CPPM in between

    Posted Jan 22, 2017 07:16 PM
    I think you misunderstood what I have suggested earlier.

    In ClearPass you need to add the AD Root CA if AD is the one issuing your clients' certs?



  • 10.  RE: TLS with AD and CPPM in between

    Posted Jan 22, 2017 07:24 PM

    Got it.

    In ClearPass I have the root CA certificate added. As well as the intermediate CA. They are added to ClearPass Trusted list of certificates.