As a reminder:
- Don't use wildcard certificates as your RADIUS EAP certificate
- Use a private CA for your RADIUS EAP certificates whenever possible
- Use the same RADIUS EAP certificate on all of your ClearPass/RADIUS servers, where the CN or SAN does not need to resolve to anything, so radius.yourdomain.com or auth.yourdomain.com or cppm.you.internal will all work fine.
- Always configure your clients to validate the server certificate
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jan 04, 2022 06:01 PM
From: Bruno Costa
Subject: Clearpass and windows certificate
@mattAruba thanks for the info.
We reverted to the public certificate and it's working fine again. Wildcard does not work in Windows 10, as you kindly stated, although it works fine on iOS and Android.
Regards
------------------------------
Bruno Costa
Original Message:
Sent: Jan 04, 2022 03:19 PM
From: Mathew George
Subject: Clearpass and windows certificate
Windows used to NOT support wildcard certificates for dot1x auth. I haven't tested this recently, but you can try reverting to a self-signed cert and see if that works or not:
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=14109
This is documented in the certificates technote available on support site as well.
------------------------------
Mathew George
Original Message:
Sent: Jan 04, 2022 02:50 PM
From: Bruno Costa
Subject: Clearpass and windows certificate
Hi All,
We have a WLAN infrastructure with MM and ClearPass.
We are able to connect to the SSID on several devices (iOS, Android and Linux), but on Windows 10 it gives an authentication failure:
EAP-PEAP: fatal alert by client - access_denied
TLS session reuse error
On Windows 10, do we need to change settings on the WLAN profile, like validate server certificate?
The certificate on ClearPass is a wildcard:
CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
Can you help?
------------------------------
Bruno Costa
------------------------------
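The first and third reminders at the top of this thread (no wildcard names, same EAP certificate on every RADIUS server) can be checked mechanically. The following is an added example, not code from the thread or from Aruba: it assumes you have saved, per server, the text printed by `openssl x509 -noout -subject -ext subjectAltName -fingerprint -sha256` for the EAP certificate; the host names, certificate names and fingerprints in the sample are constructed.

```python
import re

# Constructed sample input: one openssl text dump per RADIUS server.
# Host names, certificate names and fingerprints are made up.
SAMPLE = {
    "cppm1": """subject=C = NL, O = Example, CN = radius.example.internal
X509v3 Subject Alternative Name:
    DNS:radius.example.internal, DNS:auth.example.internal
sha256 Fingerprint=11:22:33:44
""",
    "cppm2": """subject=CN=*.example.com
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
SHA256 Fingerprint=AA:BB:CC:DD
""",
}

def cert_names(text):
    """Return (CN, [SAN DNS names]) found in the openssl text output."""
    subject = re.search(r"^subject=(.*)$", text, re.M)
    # Accept both "CN = name" and "CN=name" spellings of the subject line.
    cn = re.search(r"\bCN\s*=\s*([^,/]+)", subject.group(1)) if subject else None
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return (cn.group(1).strip() if cn else None), sans

def fingerprint(text):
    """Return the SHA-256 fingerprint string, upper-cased, or None."""
    m = re.search(r"^sha256 fingerprint=([0-9a-f:]+)", text, re.M | re.I)
    return m.group(1).upper() if m else None

def audit(servers):
    """List findings: wildcard names per server, then certificate mismatch."""
    findings = []
    for host, text in sorted(servers.items()):
        cn, sans = cert_names(text)
        wild = sorted({n for n in [cn, *sans] if n and "*" in n})
        if wild:
            findings.append(f"{host}: wildcard name(s) {', '.join(wild)}")
    # All servers should present one and the same EAP certificate.
    if len({fingerprint(t) for t in servers.values()}) > 1:
        findings.append("servers present different EAP certificates")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```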