Wireless Access
Anonymous
N/A

ClearPass OnBoarding - TLS error

I am trying to set up ClearPass OnBoarding for Windows laptops to push a wireless profile for 802.1x authentication via EAP-TLS. I configured a provisioning profile and the provisioning settings. The Windows laptop can connect to the OnBoarding page and the QuickConnect client is executed. It seems that the provisioning is successful, because I see new certificates in the user and computer certificate store and a wireless connection profile is available.

When I try to connect to the 802.1x secure wireless network, I receive the following error message in the CPPM Access Tracker: EAP-TLS: fatal alert by client - access_denied

This error is caused by the Validate server certificate option within the wireless profile. I am using ClearPass as CA and the correct intermediate and root certificates are pushed to the client and are checked within the wireless network profile.

As soon as I manually disable the check to Validate server certificate, the Windows laptop connects without any problems. I guess the problem is located in the Trust configuration of the wired network configuration in ClearPass Guest. Is someone familiar with this problem?

Occasional Contributor I

Re: ClearPass OnBoarding - TLS error

This error is related to the CA cert not being trusted. You need to ensure that the trust chain is complete. You can check this by opening the cert and checking that the entire chain is there.
Anonymous
N/A

Re: ClearPass OnBoarding - TLS error

Do you know how I can check this, so I know that I am 100% sure the chain is correct? I checked the certificate under OnBoard + Workspace - Initial Setup - Certificate Authorities (see attachment). They seem to be correct, because they are the default Aruba certificates.

The webserver certificate (a wildcard certificate) is also correct, because I can access the ClearPass website without a certificate warning.

Occasional Contributor I

Re: ClearPass OnBoarding - TLS error

Can you temporarily replace the server cert signed by the onboard CA? I think the EAP cert you are using for EAP termination is not signed by the onboard CA.
Occasional Contributor II

Re: ClearPass OnBoarding - TLS error

Hey Admins, I have the same issue. What was the solution? I use a public wildcard cert from a public CA, Thawte, but it is not trusted by Windows clients.

Aruba Employee

Re: ClearPass OnBoarding - TLS error

The solution is that you cannot use a wildcard certificate for RADIUS. Microsoft does not allow this.
Thanks,

Zach Jennings
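
Added example, not part of any post in this thread and not Aruba's tooling: a shell check for the two causes raised above, run against an exported RADIUS/EAP server certificate. It tests whether the certificate chains to the CA the wireless profile trusts and whether its name is a wildcard. The function names, file names and the demo CAs and certificates are constructed for illustration, and the OpenSSL command-line tool is assumed.

```shell
#!/bin/sh
# Added example; every name, path and certificate below is constructed.
# Assumes the OpenSSL CLI (1.1.0 or later) is on PATH.

# audit_eap_cert SERVER_PEM TRUSTED_CA_PEM
# Prints space-separated findings or "OK"; non-zero status on any finding.
audit_eap_cert() {
    cert=$1 ca=$2 findings=""
    # Chain check against ONLY the CAs ticked in the wireless profile;
    # -no-CApath keeps the system trust directory out of the decision.
    openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        findings="$findings CHAIN_NOT_TRUSTED"
    # Wildcard check on the subject CN and on SAN dNSName entries.
    if openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -Eq '(Subject:.*CN ?= ?|DNS:)\*\.'; then
        findings="$findings WILDCARD_NAME"
    fi
    findings=${findings# }
    echo "${findings:-OK}"
    [ -z "$findings" ]
}

# issue_cert DIR CA_NAME SUBJECT_CN OUT_NAME: sign a throwaway leaf cert.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null
    openssl x509 -req -in "$1/$4.csr" -CA "$1/$2-ca.pem" -CAkey "$1/$2-ca.key" \
        -CAcreateserial -days 2 -out "$1/$4.pem" 2>/dev/null
}

# make_demo_pki DIR: two stand-in CAs ("onboard", "public") and two leaves.
make_demo_pki() {
    for name in onboard public; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Demo $name CA" \
            -keyout "$1/$name-ca.key" -out "$1/$name-ca.pem" 2>/dev/null
    done
    issue_cert "$1" public '*.example.test' wildcard
    issue_cert "$1" onboard 'clearpass.example.test' fqdn
}

demo=$(mktemp -d)
make_demo_pki "$demo"
# Profile trusts the onboard CA; server presents the public wildcard cert.
audit_eap_cert "$demo/wildcard.pem" "$demo/onboard-ca.pem" || true
# Server presents a host-named cert issued by the onboard CA.
audit_eap_cert "$demo/fqdn.pem" "$demo/onboard-ca.pem" || true
```

For a real check, pass the exported RADIUS server certificate as the first argument and a PEM bundle of exactly the root and intermediate CAs selected in the wireless profile as the second.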