Hi
I'm running WPA2 Enterprise, 2 x controllers covering 2 different regions and 1 x Clearpass. AD Group Policy rolls out the WPA2 Enterprise settings. Before the cert update we had no issues.
I updated the Clearpass and controller certs using a different provider than GoDaddy, as the certs had expired. The new provider's root CA cert is now AddTrust External CA Root, using a SHA-1 signature; the Clearpass and controller certs are SHA-256 and greater. Most of the thumbprints across all certs are SHA-1, which I believe is OK. The signature SHA is important though.
Brand new laptops connecting to the secure wifi have zero issues. Most existing laptops have an issue auto-connecting; you get a prompt advising: "If you expect to find company_secure in this location, go ahead and connect. Otherwise it may be a different network with the same name. Show certificate details". You can then connect manually, which must be done on each boot.
Checking the cert above at connection time shows the Clearpass thumbprint. The cert is verified by the client via the AD GP settings, which enforce this ("which is what you want"). If I disable the check you can obviously auto-connect without the prompt.
So my question is: the Clearpass & controller server certs are all SHA-256 and greater, the intermediate certs (also loaded to the servers) are also SHA-256 and greater, and the root CA cert from AddTrust is SHA-1 (also loaded to the servers); the root CA cert expires in 2020. Does the complete chain (including the root CA cert) of loaded certificates on Clearpass need to be SHA-256 or greater?
I mention this as SHA-1 was deprecated by Microsoft some years ago and this may be why users with existing laptops get the auto-connect prompt. Hacking the laptop registry, deleting Windows profile files on the C: drive, deleting the wifi adapter, and combinations of all of these etc. result in a very limited 10% chance of resolution. Not sure why fresh new Windows laptops can connect though. Apple devices have no issues.
Some similar info can be found in the link below, but it's not conclusive from this thread whether this issue manifests if the server certs are SHA-256 and greater but the root CA is SHA-1:
https://social.technet.microsoft.com/Forums/ie/en-US/92c22e0e-5365-448b-bb25-22fc66d76eb1/wlan-wpa2-enterprise-certificate-message-no-autoconnect?forum=win10itpronetworking
I will escalate to TAC if needed.
Regards
Tony
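A chain audit of the kind the question above calls for, as an added example (not code from the post, from Aruba/ClearPass or from Microsoft): it reports the signature algorithm of each certificate in a DER chain and flags SHA-1 only on non-root certificates, since a self-signed root is the trust anchor and its own signature is not verified during path validation (RFC 5280 section 6.1). The sample chain is constructed inline with a tiny encoder and is not a real certificate; to audit a real chain, pass the base64-decoded DER of each PEM block to `audit_chain`.

```python
# Stdlib-only check of the signature algorithm of each certificate in a DER chain.
SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # sha1WithRSAEncryption
SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # sha256WithRSAEncryption
SIG_OIDS = {SHA1_RSA: "sha1WithRSA", SHA256_RSA: "sha256WithRSA",   # encoded OID -> name
            b"\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02": "ecdsa-with-SHA256"}

def tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_cert(der_cert):
    """Return (signature algorithm name, is_self_signed) for one DER certificate."""
    _, cert, _ = tlv(der_cert)                     # Certificate ::= SEQUENCE
    _, tbs, pos = tlv(cert)                        # tbsCertificate
    _, sig_alg, _ = tlv(cert, pos)                 # signatureAlgorithm
    oid_end = tlv(sig_alg)[2]                      # AlgorithmIdentifier.algorithm (raw OID TLV)
    oid = sig_alg[:oid_end]
    p = tlv(tbs)[2] if tbs[0] == 0xA0 else 0       # skip optional [0] EXPLICIT version
    fields = []
    for _ in range(5):                             # serial, signature, issuer, validity, subject
        _, val, p = tlv(tbs, p)
        fields.append(val)
    return SIG_OIDS.get(oid, oid.hex()), fields[2] == fields[4]   # issuer DER == subject DER

def audit_chain(chain):
    """Flag SHA-1 on leaf/intermediate certs only: a self-signed root is the trust
    anchor and its own signature is not checked in path validation (RFC 5280 6.1)."""
    return [(alg, ss, "sha1" in alg.lower() and not ss)
            for alg, ss in map(inspect_cert, chain)]

def der(tag, body):
    """Tiny DER encoder used only to build the constructed sample."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def sample_cert(sig_oid, issuer, subject):
    """Constructed skeleton certificate (unsigned, not real) with the fields we parse."""
    name = lambda s: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, s))))
    alg = der(0x30, sig_oid + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + der(0x30, b"") + name(subject))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

CHAIN = [sample_cert(SHA256_RSA, b"Intermediate CA", b"clearpass.example"),  # leaf (constructed)
         sample_cert(SHA256_RSA, b"Root CA", b"Intermediate CA"),           # intermediate
         sample_cert(SHA1_RSA, b"Root CA", b"Root CA")]                      # self-signed SHA-1 root
```

Running `audit_chain(CHAIN)` reports the SHA-1 root as self-signed and unflagged; the same SHA-1 algorithm on an intermediate would be flagged.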