Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Windows certificate

  • 1.  ClearPass and Windows certificate

    Posted Jan 04, 2022 02:51 PM
    Hi All

    We have a WLAN infrastructure with MM and ClearPass.

    We are able to connect to the SSID on several devices (iOS, Android and Linux), but on Windows 10 it gives an authentication failure:

    EAP-PEAP: fatal alert by client - access_denied
    TLS session reuse error

    On Windows 10, do we need to change settings on the WLAN profile, like validate server certificate?

    The certificate on ClearPass is a wildcard:

    CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB

    Can you help?

    ------------------------------
    Bruno Costa
    ------------------------------


  • 2.  RE: ClearPass and Windows certificate

    EMPLOYEE
    Posted Jan 04, 2022 03:19 PM
    Windows used to NOT support wildcard certificates for dot1x auth. I haven't tested this recently, but you can try reverting to a self-signed cert and see if that works or not:

    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=14109

    This is documented in the certificates technote available on the support site as well.

    ------------------------------
    Mathew George
    ------------------------------



  • 3.  RE: ClearPass and Windows certificate

    Posted Jan 04, 2022 06:01 PM
    @mattAruba thanks for the info

    We reverted to the public certificate and it's working fine again. Wildcard does not work in Windows 10, as you kindly stated, even though it works fine on iOS and Android.

    Regards

    ------------------------------
    Bruno Costa
    ------------------------------



  • 4.  RE: ClearPass and Windows certificate

    EMPLOYEE
    Posted Jan 05, 2022 05:51 AM
    As a reminder:
    - Don't use wildcard certificates as your RADIUS EAP certificate
    - Use a private CA for your RADIUS EAP certificates whenever possible
    - Use the same RADIUS EAP certificate on all of your ClearPass/RADIUS servers, where the CN or SAN does not need to resolve to anything, so radius.yourdomain.com or auth.yourdomain.com or cppm.you.internal will all work fine.
    - Always configure your clients to validate the server certificate

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------