There have been (at least historically) issues with Windows devices and wildcard certificates for EAP. As nearly every network needs to support Windows clients, it has been a no-go, and probably nobody tests it anymore as you probably don't want to risk this.
Public certificates are not recommended for EAP because there is no benefit in having a public certificate. For HTTPS you can automatically accept the certificate by linking it to the URL (hostname) you type in your browser. For 802.1X, there is no such identifier; on wired there is not even an SSID name, and on wireless anyone can pick any SSID name, which means the end user would need to make the decision whether they trust a certificate, and you probably know what they do if there is any security pop-up. The major issue with a public certificate for EAP is that these days public certs cannot be requested for a longer period than one year. You will need to roll over your RADIUS certificate every year, but most important is that public CAs roll over as well. So there is no guarantee that you can still get a certificate from the same public CA a year from now. If you can't at that point, you have an issue, as moving to another CA means potentially touching every client. With a private CA you control the validity of your CA, as well as the issued certificates. Public CAs are under much higher restrictions.
I know customers that run on public certs, and it works, but I have seen customers forced into reprovisioning procedures as well, where you don't want to be.
Recommended for EAP is a long-running (multi-year) server certificate from a private CA, plus some kind of provisioning method to get the root and supplicant config onto your clients: AD GPO/Intune/other MDM for managed clients; for unmanaged/BYOD clients, have a look at Onboard.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: May 21, 2021 03:37 AM
From: ROMEO VANDEWYNCKEL
Subject: clearpass ad azure
Hi,
Thank you Michael,
Can we use a wildcard public certificate as the RADIUS certificate?
I always heard that it is not recommended, but I don't really know why.
I asked SCEPman support about this issue (generating a certificate for a device outside Intune).
------------------------------
ROMEO VANDEWYNCKEL
Original Message:
Sent: May 20, 2021 08:14 AM
From: Michael Holden
Subject: clearpass ad azure
You can push the RADIUS Certificate chain via the device profile.
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root
You may want to check on SCEPman; Tim C put us onto this one. It allows you to use Azure KeyVault to distribute the client certificates so you can do EAP-TLS without maintaining a CA on prem. You will still have to use a device management policy to push the root/enterprise CA that the KeyVault intermediate CA cert will be based on.
You can do this with an offline root, and even create the root and intermediate certs with OpenSSL on just about any machine, though a standard CA would make things much easier than wading through the OpenSSL config file if you're not used to it.
------------------------------
Michael Holden
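As an added example that is not part of this thread (and not Aruba, Microsoft or SCEPman code), here is the private-CA setup Herman recommends and the OpenSSL offline root/intermediate Michael mentions, as a POSIX shell script; the names (Example Corp, radius.example.com) and validity periods are assumptions:

```shell
#!/bin/sh
# Added example (not code from the thread or from Aruba/SCEPman): build an offline
# root CA plus an issuing intermediate with OpenSSL, issue a multi-year RADIUS server
# certificate, and check the chain the way a supplicant does. All names are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory; every file below is constructed here

make_ca_chain() (
  cd "$WORK"
  # Offline root (20 years): may sign one level of intermediate CA and nothing deeper.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Corp Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 7300 -sha256 -extfile root.ext -out root.crt 2>/dev/null
  # Issuing CA (10 years): signed by the root, does the day-to-day issuance.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Corp Issuing CA" \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 3650 -sha256 -extfile int.ext -out int.crt 2>/dev/null
  # RADIUS server cert (5 years): non-wildcard SAN and the serverAuth EKU supplicants require.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=radius.example.com" \
    -keyout radius.key -out radius.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > radius.ext
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.com\n' >> radius.ext
  openssl x509 -req -in radius.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 1825 -sha256 -extfile radius.ext -out radius.crt 2>/dev/null
  # Upload leaf + intermediate to the RADIUS server; only root.crt is pushed to clients via MDM.
  cat radius.crt int.crt > radius-chain.pem
)

# Supplicant view: the root is the only trust anchor, the intermediate comes from the server.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/radius.crt" >/dev/null 2>&1
}

# Same check with the intermediate missing: the "unknown ca" failure seen earlier in the thread.
verify_missing_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/radius.crt" >/dev/null 2>&1
}

# Windows supplicants reject a server certificate that lacks the Server Authentication EKU.
has_server_auth_eku() {
  openssl x509 -in "$WORK/radius.crt" -noout -ext extendedKeyUsage | grep -q 'TLS Web Server Authentication'
}

make_ca_chain
verify_with_root && echo "RADIUS cert chains to root: OK"
```

Keep root.key offline after the intermediate is signed; the files under "$WORK" are throwaway test material, not a production CA layout.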
Original Message:
Sent: May 19, 2021 11:44 AM
From: ROMEO VANDEWYNCKEL
Subject: clearpass ad azure
Hi,
Yes I understand and I agree with you.
I hoped to do all certificate configuration in Azure / Intune only.
I chose SCEPman to manage certificates in Azure (as mentioned in the video), and it seems that I can't generate a certificate for a specific device (in my case CPPM) that is not part of Intune.
So I'm looking for another way to do this.
If someone has already done this...
Thank you
------------------------------
ROMEO VANDEWYNCKEL
Original Message:
Sent: May 19, 2021 10:18 AM
From: Herman Robers
Subject: clearpass ad azure
Romeo,
Before you deploy 802.1X it is important to get a RADIUS Certificate installed on the ClearPass server. For this RADIUS certificate, it is recommended to have it issued by a private CA, and your Enterprise CA (if you have one), or the CA that issues your client certificates may be a good candidate, or as a last resort, you could use ClearPass Onboard to create a new Root CA and issue a RADIUS certificate from there.
The root that signed the ClearPass RADIUS certificate needs to be pushed to your clients (in addition to other CAs that may be needed), and it needs to be set as trusted for 802.1X. Intune can help with that, and I think the Airheads video does that as well, but you may not have realized what is happening and why.
This video (the end shows the same error you have), and the follow-up video will show you how to request the RADIUS cert from a Microsoft Enterprise CA.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: May 19, 2021 09:03 AM
From: ROMEO VANDEWYNCKEL
Subject: clearpass ad azure
Hi,
We are trying to configure 802.1X authentication for computers managed by Intune in Azure with ClearPass.
We followed several videos on YouTube proposed by Airheads (https://www.youtube.com/watch?v=MlcrqTDDufU) and configured ClearPass.
We have an issue: computers can't connect to the network because they don't have the root CA.
Error codes:
[Endpoints Repository] - localhost: User not found.
EAP-TLS: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session
It seems that clients don't have a valid CA. We provide the root CA and machine certificate via Intune and SCEPman.
But our ClearPass doesn't have a certificate installed that was delivered by this root CA; I think that's the issue.
In the video, the speaker added the root CA to the trust list of ClearPass and that was enough to authenticate clients. For us this doesn't work.
Has anyone succeeded in configuring this? And how?
Thank you,
Romeo
------------------------------
ROMEO VANDEWYNCKEL
------------------------------