Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass and windows certifcate

This thread has been viewed 32 times
  • 1.  Clearpass and windows certifcate

    Posted Jan 04, 2022 02:51 PM
    Hi All

    We have a WLAN infrastruture with MM  and ClearPAss 

    we are able to connect to SSID on several devices ( IOS, Android and linux) but on windows 10 it gives an authentication failure

    EAP-PEAP: fatal alert by client - access_denied
    TLS session reuse error

    on windows 10 do we need to change settings on the wlan profile? like validate server certificate?

    the certificate on CLearpass is a wildcard

    CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB

    Can you help ?






    ------------------------------
    Bruno Costa
    ------------------------------


  • 2.  RE: Clearpass and windows certifcate

    EMPLOYEE
    Posted Jan 04, 2022 03:19 PM
    Windows used to NOT support wildcard certificates for dot1x auth. I haven't tested this recently but you can try reverting to a self signed cert and see if that works or not:

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=14109

    This is documented in the certificates technote available on support site as well.

    ------------------------------
    Mathew George
    ------------------------------



  • 3.  RE: Clearpass and windows certifcate

    Posted Jan 04, 2022 06:01 PM
    @mattAruba thanks for the info

    we reverted to the public certificate and its working again fine . WildCard does not work in windows 10 as you kindly stated , besides it work on IPS and android fine.

    Regards​

    ------------------------------
    Bruno Costa
    ------------------------------



  • 4.  RE: Clearpass and windows certifcate

    EMPLOYEE
    Posted Jan 05, 2022 05:51 AM
    As a reminder:
    - Don't use wildcard certificates as your RADIUS EAP certificate
    - Use a private CA for your RADIUS EAP certificates whenever possible
    - Use the same RADIUS EAP certficate on all of your ClearPass/RADIUS servers, where the CN or SAN does not need to resolve to anything, so radius.yourdomain.com or auth.yourdomain.com or cppm.you.internal will all work fine.
    - Always configure your clients to validate the server certificate

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------