Regular Contributor II

TLS with AD and CPPM in between

Hi Forum,

 

Users have a cert issued by AD and use it to authenticate directly to AD through the Aruba controller. I installed CPPM in between the users and AD for the added profiling and BYOD capabilities of ClearPass. My ClearPass has a valid RADIUS cert issued for the root CA, and the root CA cert and the intermediate CA cert are in CPPM's trusted list. The ClearPass cert, root CA and intermediate CA certs are all manually installed/trusted on client devices (GPO push). PEAP is working fine but not TLS.

I get an error saying the TLS handshake failed, with an "unknown CA" error from the client.

The only thing that I need to ask about is:

There is a firewall between the clients and CPPM, and that firewall has a cert for SSL decryption and some advanced L7 features. Does the client need to trust that cert as well?

 

Thanks,

Guru Elite

Re: TLS with AD and CPPM in between

The client needs to trust the ClearPass server cert and/or the CA that issued the server cert.



Colin Joseph
Aruba Customer Engineering


Regular Contributor II

Re: TLS with AD and CPPM in between

Thanks Colin. 

 

I understand, and as I mentioned above: the client does trust the ClearPass, root CA and intermediate CA certs.

Re: TLS with AD and CPPM in between

Did you add your internal root CA to the ClearPass certificate trust list?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II

Re: TLS with AD and CPPM in between

I wonder if you read my post. LoL

The answer is yes, all certs are in the trusted list of ClearPass. PEAP functions with no problem, only TLS is not working.

Guru Elite

Re: TLS with AD and CPPM in between

If there is an unknown CA error, either the client does not trust the CA of the server cert or the RADIUS server does not trust the CA that issued the cert of the client. You need to figure out which situation is the problem.



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: TLS with AD and CPPM in between

Which certificate is the signing CA for the client cert?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: TLS with AD and CPPM in between

I think you misunderstood what I have suggested earlier.

In ClearPass you need to add the AD root CA if AD is the one issuing your clients' certs.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II

Re: TLS with AD and CPPM in between

The intermediate is the signing CA.

Regular Contributor II

Re: TLS with AD and CPPM in between

Got it.

In ClearPass I have the root CA certificate added, as well as the intermediate CA. They are both in ClearPass's trusted list of certificates.
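
As an added illustration of Colin's point that "unknown CA" can come from either side, and of the question about which CA signs the client cert (example code, not from this thread, from ClearPass or from Aruba), the script below builds a constructed root -> intermediate -> user chain with the `cryptography` library and shows when the RADIUS side can reach a trusted issuer. The CA names, the supplicant presenting its intermediate in the TLS Certificate message, and the simplified path walk (no revocation, EKU or name checks) are all assumptions of the example.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(subject_cn, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a P-256 ECDSA certificate; self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_key is None else issuer_key
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
    return cert, key

def chain_to_trusted(leaf, trust_list, presented=()):
    """Walk issuer links from leaf until a cert in trust_list signs the path.
    Returns the path's subject names, or None when no trusted issuer is reachable
    (the 'unknown CA' outcome). presented = extra certs sent by the peer."""
    pool = list(trust_list) + list(presented)
    path, cert = [leaf.subject.rfc4514_string()], leaf
    for _ in range(len(pool) + 1):
        issuer = next((c for c in pool if c.subject == cert.issuer), None)
        if issuer is None:
            return None          # nobody we know issued this cert
        # The issuer's key must really have signed this certificate.
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        path.append(issuer.subject.rfc4514_string())
        if issuer in trust_list:
            return path          # anchored on a trusted CA
        cert = issuer
    return None

# Constructed PKI mirroring the thread: root CA -> intermediate CA -> AD-issued user cert.
ROOT, ROOT_KEY = make_cert("Example Root CA", is_ca=True)
INTER, INTER_KEY = make_cert("Example Intermediate CA", ROOT, ROOT_KEY, is_ca=True)
CLIENT, _ = make_cert("user@example.com", INTER, INTER_KEY)

def radius_side_checks():
    # The RADIUS server's view of the client cert under three trust-list setups.
    return {
        "root_and_intermediate_trusted": chain_to_trusted(CLIENT, [ROOT, INTER]),
        "root_only_trusted": chain_to_trusted(CLIENT, [ROOT]),
        "root_only_client_presents_intermediate": chain_to_trusted(CLIENT, [ROOT], [INTER]),
    }
```

The same function run with the RADIUS server cert as the leaf and the client's GPO-pushed store as the trust list models the other direction Colin describes.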
