New Contributor
Posts: 2
Registered: ‎02-01-2016

clearpass selects expired certificate to authenticate

I am having devices that all of a sudden will not use NAC and it is under one of two conditions.

1. If the device has more than one certificate and one of them is not a client auth or doesn't have email as the subject name or

2. The device has two client auth certificates and one of them is expired.

In both cases there was not an issue for several weeks and then all of a sudden the device stops working.

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: clearpass selects expired certificate to authenticate

What operating system? The client selects the certificate, ClearPass just looks at it.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

Re: clearpass selects expired certificate to authenticate

Does it reach ClearPass? If yes, what is the output of this MAC in the Access Tracker?

If it doesn't, you might want to look at 802.1X debugging on the controller, which you can find in this document under the 802.1X section: http://community.arubanetworks.com/aruba/attachments/aruba/84/106/1/Troubleshooting+Cheat+Sheet-.pdf

ACMP, ACCP, BCNE
New Contributor
Posts: 2
Registered: ‎02-01-2016

Re: clearpass selects expired certificate to authenticate

The clients are Windows 7

Yes, I understand that the client selects, but if the computer has an old Computer Template Certificate, all of a sudden ClearPass will try and authenticate using that certificate instead of rejecting it and asking for another. Other uses of certificates don't behave this way; they understand a particular certificate is expired and ask for another one.

Frequent Contributor II
Posts: 116
Registered: ‎07-13-2015

Re: clearpass selects expired certificate to authenticate

This isn't a ClearPass-specific issue; there is no way for a RADIUS server to achieve this. The RADIUS server will send an access-reject packet since the cert is expired. You will need to work with this issue straight from the CA and AD cert enrollments.
ACMP, ACCP, BCNE
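
Since the thread places certificate selection on the Windows client, one way to see what a machine has available is to inventory its certificate store. This is an added example, not code from any poster or from Aruba; it assumes machine authentication (store `Cert:\LocalMachine\My`) and the variable names are illustrative.

```powershell
# Added example: inventory the certificates a Windows machine could offer for EAP-TLS.
# Assumption: machine authentication, so the store is LocalMachine\My
# (use Cert:\CurrentUser\My for user authentication).
$storePath     = 'Cert:\LocalMachine\My'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now           = Get-Date
$ekuType       = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$emailName     = [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName

$report = @(Get-ChildItem -Path $storePath | ForEach-Object {
    $cert = $_
    # Read the EKU extension directly; this works on the PowerShell 2.0 that ships with Windows 7.
    $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # A certificate with no EKU extension is not restricted to any purpose.
    $clientAuth = (-not $eku) -or ($oids -contains $clientAuthOid)

    if     ($cert.NotAfter  -lt $now) { $validity = 'EXPIRED' }
    elseif ($cert.NotBefore -gt $now) { $validity = 'NOT YET VALID' }
    else                              { $validity = 'valid' }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Email      = $cert.GetNameInfo($emailName, $false)   # empty when no e-mail name is present
        ClientAuth = $clientAuth
        PrivateKey = $cert.HasPrivateKey
        NotAfter   = $cert.NotAfter
        Validity   = $validity
    }
})

$report | Sort-Object NotAfter |
    Format-Table Validity, ClientAuth, PrivateKey, NotAfter, Email, Subject, Thumbprint -AutoSize

# Flag the two situations from the first post: a stale client-auth certificate
# sitting next to a valid one, or extra certificates that are not client-auth.
$candidates = @($report | Where-Object { $_.ClientAuth -and $_.PrivateKey })
$stale      = @($candidates | Where-Object { $_.Validity -ne 'valid' })
$other      = @($report | Where-Object { -not $_.ClientAuth })
if ($candidates.Count -gt 1 -and $stale.Count -gt 0) {
    Write-Warning ("{0} client-auth certificates present, {1} not currently valid" -f $candidates.Count, $stale.Count)
}
if ($other.Count -gt 0) {
    Write-Warning ("{0} certificate(s) without the Client Authentication EKU" -f $other.Count)
}
```

Run it from an elevated prompt on an affected client and compare the thumbprints it lists against the certificate shown for that device in the Access Tracker.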
Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: clearpass selects expired certificate to authenticate

Can you post a screenshot of the authorization and computed sections of the access tracker request?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP