Occasional Contributor I
Posts: 8
Registered: ‎05-19-2011

Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

I have 2 computers I am testing with. One joined to the Active Directory Domain and the other is not.

I have ClearPass set up as my authentication server and I am using AD as my CA.

1. I started my test with the non-domain laptop, which had Validate Server Certificate checked and Trusted Certificate Authority unchecked. When I attempt to connect, I get a pop-up from Windows that tells me I need to "Terminate or Connect". I click Connect and everything works as intended. I verified in the Protected EAP settings that the correct Trusted CA is selected.

2. I started with the same settings on the domain laptop: Validate Server Certificate checked and Trusted Certificate Authority unchecked. To my surprise, the client is connecting to the network. No pop-up for the cert. I have also tested selecting random Trusted CAs and they all work.

Has anybody experienced this?

Could it have something to do with the laptops being joined to AD and having the same root CA?

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

Correct. When a computer joins an AD domain, IIRC the Domain cert is installed on that laptop as a trusted root cert. So this would explain your result.

Thanks,

Zach Jennings

Guru Elite
Posts: 20,591
Registered: ‎03-29-2007

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

1. The CA that issued the certificate to the RADIUS server probably is not the same one that is in your non-domain client's trust list (compare the serial numbers).

2. If your CA is domain-integrated, domain clients will automatically trust whatever is issued by it. Since you only clicked on Validate, it will trust ANY CA in its trust list. If you specified servers, it would only trust those specific servers/CAs.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
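
The client-side settings discussed above can be checked offline. This is an added example, not part of any post in this thread and not Aruba or Microsoft code: it audits the PEAP `ServerValidation` block of a Windows wireless profile and reports when no root CA or server name is pinned. It assumes the element names used in profiles exported with `netsh wlan export profile`; the sample fragments, thumbprint and host name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"

def make_sample(roots, names, no_prompt):
    """Build a constructed, trimmed PEAP fragment of an exported profile."""
    ca = "".join(f"<TrustedRootCA>{r}</TrustedRootCA>" for r in roots)
    return (f'<EapType xmlns="{PEAP_NS}"><ServerValidation>'
            f"<DisableUserPromptForServerValidation>{str(no_prompt).lower()}"
            f"</DisableUserPromptForServerValidation>"
            f"<ServerNames>{names}</ServerNames>{ca}"
            f"</ServerValidation></EapType>")

# Constructed samples: "Validate" on with nothing pinned, and a pinned profile.
UNPINNED = make_sample([], "", False)
PINNED = make_sample(
    ["00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"],  # placeholder
    "radius.example.test",                                           # placeholder
    True,
)

def local_name(tag):
    """Strip the XML namespace so the check works on full or trimmed profiles."""
    return tag.rsplit("}", 1)[-1]

def audit_peap(xml_text):
    """Return a list of finding codes for the PEAP server-validation settings."""
    root = ET.fromstring(xml_text)
    sv = next((e for e in root.iter() if local_name(e.tag) == "ServerValidation"), None)
    if sv is None:
        return ["no-server-validation-block"]
    values = {}
    for child in sv:
        values.setdefault(local_name(child.tag), []).append((child.text or "").strip())
    findings = []
    # No CA ticked: every CA in the client's trust store is acceptable.
    if not any(values.get("TrustedRootCA", [])):
        findings.append("any-trusted-ca-accepted")
    # No server name: any certificate name issued by an accepted CA passes.
    if not any(values.get("ServerNames", [])):
        findings.append("any-server-name-accepted")
    # Prompt enabled: the user can click Connect on an unknown server.
    prompt_off = values.get("DisableUserPromptForServerValidation", ["false"])[0]
    if prompt_off.lower() != "true":
        findings.append("user-can-approve-unknown-server")
    return findings

if __name__ == "__main__":
    for label, sample in (("unpinned", UNPINNED), ("pinned", PINNED)):
        print(label, audit_peap(sample))
```

An empty list means the profile pins a root CA and a server name and does not let the user approve new servers.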

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

This is "normal". It's a client side check only. Not checking a CA means all CAs will be trusted.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor I
Posts: 8
Registered: ‎05-19-2011

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

How does that explain successful authentication when I select a random CA?

Occasional Contributor I
Posts: 8
Registered: ‎05-19-2011

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

I have taken my test a step further and removed the CA from the trusted list on the client. I am still able to connect. Is there something I'm missing on the ClearPass configuration that would allow this client to connect?

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

That's a client side only check. The only time ClearPass would validate a cert would be if EAP-TLS was in use.

Windows should not be connecting if a completely different chain is selected. Can you post a screenshot of the supplicant configuration?


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor I
Posts: 8
Registered: ‎05-19-2011

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

[Attached screenshots: Supplicant0.PNG, Supplicant.PNG]

Guru Elite
Posts: 20,591
Registered: ‎03-29-2007

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

Mwade,

Did you disconnect the user from the controller's user table before rejoining?

Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 8
Registered: ‎05-19-2011

Re: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM


cjoseph wrote:

Mwade,

Did you disconnect the user from the controller's user table before rejoining?

Disconnecting the user does nothing. I'm testing both controller and IAP and the results are the same on both.
