New Contributor

id-kp-eapOverLAN with Active Directory as certificate authority

Hi Everyone,

I'm getting the id-kp-eapOverLAN error in ClearPass; however, in my environment the AD certificate server has to be the trusted root authority instead of ClearPass. Does anyone know how to get that EKU into the certificate issuance process in Windows?

thanks!

 

Pat

Guru Elite

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Go into your certificate templates, duplicate the User template, go to the Extensions tab, click Edit, then click Add and then New.

 

Name: id-kp-eapOverLAN

OID: 1.3.6.1.5.5.7.3.14

 



Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
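
Once a certificate has been issued from the duplicated template, it is worth confirming that it really carries the EKU named in the reply above. The following is an added example, not part of the original posts: the function names, the subject name and the two in-memory sample certificates are constructed for illustration, and the commented-out file path is a placeholder.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$EapOverLanOid = '1.3.6.1.5.5.7.3.14'   # id-kp-eapOverLAN, the OID given in the reply above

function Get-EkuOid {
    # Return the EKU OIDs present in a certificate (nothing if it has no EKU extension).
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions['2.5.29.37']      # 2.5.29.37 = extendedKeyUsage
    if ($null -eq $ext) { return @() }
    $eku = [X509EnhancedKeyUsageExtension]::new($ext, $ext.Critical)
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-EapOverLanEku {
    # True only when the id-kp-eapOverLAN OID is listed in the EKU extension.
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    return (Get-EkuOid -Certificate $Certificate) -contains $EapOverLanOid
}

function New-SampleCertificate {
    # Constructed self-signed certificate, built in memory for demonstration only.
    param([string[]]$EkuOid)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new('CN=clearpass.example.test', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($EkuOid) {
        $oids = [OidCollection]::new()
        foreach ($o in $EkuOid) { [void]$oids.Add([Oid]::new($o)) }
        $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    }
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now, $now.AddDays(1))
}

# Constructed samples: one with Server Authentication plus id-kp-eapOverLAN,
# one with Server Authentication only (the extension was never added).
$with    = New-SampleCertificate -EkuOid '1.3.6.1.5.5.7.3.1', $EapOverLanOid
$without = New-SampleCertificate -EkuOid '1.3.6.1.5.5.7.3.1'

Test-EapOverLanEku -Certificate $with
Test-EapOverLanEku -Certificate $without
Get-EkuOid -Certificate $with

# Real use: load the certificate exported from the CA (placeholder path).
# Test-EapOverLanEku -Certificate ([X509Certificate2]::new('C:\path\to\issued.cer'))
```

The in-memory certificate builder needs .NET Framework 4.7.2 or later (or PowerShell 7); the two check functions only read the certificate's extensions.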

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Does this extension need to be added to the ClearPass server certificate, if it is being signed by an internal PKI?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
New Contributor

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Great, thank you!

Michael,

As I understand it, that certificate EKU has to be added for Windows 8.1 to work properly with Onboard.

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Ahhh, back to this old one now. Turns out it needs to be a web server template.

 

So today we cloned the webserver template and added the extension, but can't seem to get the template to appear in the dropdown to choose when we try to sign the cert.

 

Is there another step to do to get it to appear in that list, or something else in the properties of the template that needs enabling?

 

 


Frequent Contributor I

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Did you issue the new certificate template that you created?

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Unfortunately it wasn't in the list to issue. The administrator has full rights.


Frequent Contributor I

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Usually a replication issue. Try forcing replication between your DCs.

Re: id-kp-eapOverLAN with Active Directory as certificate authority

There is only one CA issuing server and we're on it. I found some other suggestions and will report back tomorrow with whatever works.


Frequent Contributor I

Re: id-kp-eapOverLAN with Active Directory as certificate authority

Just to clarify, new certificate templates need to be replicated to all domain controllers in the forest: http://technet.microsoft.com/en-us/library/cc770794(v=ws.10).aspx

 
