Does the unknown_ca error have 'from server' or 'from client' in it? I assume it is from client.
What I would do:
- (1) Generate the RADIUS Server certificate to be installed on ClearPass from either one of your domain CAs, or even from a different CA. As mentioned, the server certificate and client certificate don't need to be from the same CA; I'd even recommend having them from separate CAs in many cases to avoid confusion.
- Import the root for the certificate issued in the previous step (1) into ALL of your domains and have that added to all of the clients' Trusted Root Authorities certificate stores. As mentioned, Group Policies or MDM are the obvious ways to do that.
- Configure the clients in all your domains to trust the RADIUS server certificate created in the first step (select the Root CA and the RADIUS server name). Again, GPO/MDM are the way to do that.
- Import the root CAs for domain1, domain2, domain3 into the ClearPass Trust List and make sure the certificates are enabled for 'EAP'. You mentioned you already did this.
For unmanaged clients, you can use ClearPass Onboard to do the same configuration.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
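An added example, not from this thread and not ClearPass or Aruba code, modelling the trust relationships described in the reply above in Go: domain1's CA issues the RADIUS server certificate, domain2's CA issues the client certificate, and the client certificate only validates once domain2's root is in the trust list used for EAP, while the client only needs domain1's root to trust the server. The CA names, the hostnames and the `issue`/`chainsTo`/`Scenario` helpers are constructed for the lab.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a cert for cn: a self-signed root CA when parent is nil, else a leaf signed by parent.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // a root CA signs itself with keyCertSign
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo validates leaf for eku against a trust list of roots (ClearPass EAP trust list or client root store).
func chainsTo(leaf *x509.Certificate, eku x509.ExtKeyUsage, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err
}

// Scenario models the thread (server cert from domain1's CA, client cert from domain2's CA) and returns the three trust checks.
func Scenario() (serverOK, clientBefore, clientAfter bool) {
	d1, d1key := issue("Domain1 Root CA", x509.ExtKeyUsageAny, nil, nil)
	d2, d2key := issue("Domain2 Root CA", x509.ExtKeyUsageAny, nil, nil)
	server, _ := issue("clearpass.domain1.example", x509.ExtKeyUsageServerAuth, d1, d1key)
	client, _ := issue("pc42.domain2.example", x509.ExtKeyUsageClientAuth, d2, d2key)
	serverOK = chainsTo(server, x509.ExtKeyUsageServerAuth, d1) == nil   // client holds only domain1's root
	clientBefore = chainsTo(client, x509.ExtKeyUsageClientAuth, d1) == nil // trust list lacks domain2: unknown CA
	clientAfter = chainsTo(client, x509.ExtKeyUsageClientAuth, d1, d2) == nil
	return serverOK, clientBefore, clientAfter
}
```

The failing check returns an x509 unknown-authority error, the same class of failure ClearPass logs as unknown_ca; adding the client domain's root to the list is what makes the client certificate validate.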
Original Message:
Sent: Dec 09, 2020 09:06 AM
From: Petri Kemppainen
Subject: Clearpass multi domain with EAP-TLS
Hi!
We have 3 different domains and each of them has its own CA. Does anyone have this kind of environment and know how this can be done?
Only one RADIUS certificate can be imported to ClearPass. ClearPass is in domain 1 and the client computer is in domain 2. Domain 1 root and intermediate certificates are imported to the client computer trust store and domain 2 certificates are imported to the ClearPass trust store. Logs say unknown_ca, TLS error, Certificate validation error.
What else is required for this, and has someone succeeded in doing this?
------------------------------
Petri Kemppainen
------------------------------