Wireless Access

Occasional Contributor I
Posts: 6
Registered: ‎09-19-2014

Clearpass Policy Manager - Certificate Trust List

Hi,

 

Question regarding the CPPM certificate installation.

 

We are using CPPM for 802.1x authentication. As the self-signed certificate is about to expire soon, we are planning to replace it with a public certificate signed by a CA (GlobalSign). When we tested this over the weekend, we found the client machines were prompted to click "connect" or "accept" on Windows and iPhone respectively. There are a couple of questions that I have:

 

1. Do we get this one time popup even for the signed public certificate? Is there a way to avoid this?

 

2. One thing that I observed was that, though the public certificate was listed in the trust list (Administration -> Certificates -> Trust List) on CPPM, it was not enabled. Do we have to enable it? Does this have anything to do with the prompt we got as explained above? Also, do we have to add any intermediate certificates to the trust list and enable them as well?

 

Please let me know if you need more information.

 

Any suggestions would be greatly appreciated.

 

Thanks,

Kumar

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Policy Manager - Certificate Trust List


The certificate prompt on clients is a normal part of the 802.1X/EAP process. The dialog box is asking the user if they trust the authentication server to take their credentials for that particular network.  The only way to bypass the prompt is to pre-configure clients using a management tool like Group Policy/Profile Manager or BYOD tools like QuickConnect or Onboard.

 

While that error doesn't have anything to do with the CP trust list, you should enable the entire trust chain anyway.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎09-19-2014

Re: Clearpass Policy Manager - Certificate Trust List

Hi Tim,

 

Thanks for the quick response. You have answered my question.

 

One more thing that concerned me was that, when it prompts on iPhones, it reads as "Not Verified" in red. Any idea why this would happen?

 

Also, what would happen if I do not enable it in the trust list? I was still able to connect.

 

Thanks,
Kumar

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Policy Manager - Certificate Trust List


Not Verified just means that the server's certificate has not been pre-trusted for connection to the network. This is normal for the first time a user connects.

 

You likely have enabled the Root or intermediate CA that signed the public certificate which is fine.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎09-19-2014

Re: Clearpass Policy Manager - Certificate Trust List

I have just checked CPPM; most of the certs on the Trust List are disabled, except a very few which are enabled. Out of which, GlobalSign is disabled.

 

 C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA | valid | Disabled

 

Thanks,

Kumar

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Policy Manager - Certificate Trust List

Did your server certificate have the trust list embedded?

You can check this by looking at the certificate under the Certificates menu. If you see all 3, then the full trust was included in the certificate file.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
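The "all 3" check described in the post above can also be run on the certificate file itself before it is imported. This is an added example, not part of the original thread and not ClearPass tooling; it assumes `openssl` is installed, and the function names, file names and the demo CA and server names are made up for illustration.

```shell
#!/bin/sh
# Usage: . ./chaincheck.sh && chain_report bundle.pem
# chain_report BUNDLE: lists each certificate in a PEM bundle and returns 0
# only if every issuer name matches the next certificate's subject and the
# last certificate is self-signed. Names only; signatures are not checked.
chain_report() {
    bundle=$1
    work=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n { print > (d "/cert" n ".pem") }' "$bundle"
    count=$(ls "$work" | wc -l | tr -d ' ')
    rc=0; i=1
    [ "$count" -ge 1 ] || rc=1
    while [ "$i" -le "$count" ]; do
        cert="$work/cert$i.pem"
        echo "[$i] $(openssl x509 -in "$cert" -noout -subject -issuer | tr '\n' ' ')"
        issuer=$(openssl x509 -in "$cert" -noout -issuer_hash)
        if [ "$i" -lt "$count" ]; then
            next=$(openssl x509 -in "$work/cert$((i + 1)).pem" -noout -subject_hash)
        else
            next=$(openssl x509 -in "$cert" -noout -subject_hash)  # root signs itself
        fi
        [ "$issuer" = "$next" ] || { echo "    chain breaks after cert $i"; rc=1; }
        i=$((i + 1))
    done
    echo "certificates in bundle: $count"
    rm -rf "$work"
    return "$rc"
}

# make_demo_chain DIR: builds a throwaway three-tier chain (constructed sample
# data) and writes DIR/full.pem (complete) and DIR/short.pem (no intermediate).
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for pair in "int:Demo Issuing CA:root" "srv:radius.example.test:int"; do
        name=${pair%%:*}; rest=${pair#*:}; cn=${rest%%:*}; ca=${rest#*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
            -CAcreateserial -days 2 -out "$d/$name.pem" 2>/dev/null
    done
    cat "$d/srv.pem" "$d/int.pem" "$d/root.pem" > "$d/full.pem"
    cat "$d/srv.pem" "$d/root.pem" > "$d/short.pem"
}
```

A bundle that passes this name check can then be validated cryptographically with `openssl verify` against the CA certificates.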
Occasional Contributor I
Posts: 6
Registered: ‎09-19-2014

Re: Clearpass Policy Manager - Certificate Trust List

Yes, if I am getting this right, when I go to the Server Certificates under the Certificates menu on CPPM, I did see the server cert, intermediate cert and the root CA cert. Is this what you are referring to?

 

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Policy Manager - Certificate Trust List

Yes, you should be all set then.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎09-19-2014

Re: Clearpass Policy Manager - Certificate Trust List

Thanks a lot for answering all my questions. I really appreciate it.

 

Thanks,
Kumar
