Security

Hi, 

Wifi in our environment is working for all, but one user with Google pixel couldn't connect even if the user membership and call are ok.

Error Code: 215
Error Category: Authentication failure (domain username and password are entered correctly)

Error messagge:TLS session error

Radius: EAP-PEAP: fatal alert by client- unknow ca
ERROR in establishing TLS session...

Any suggestion , advice ? 

Many thanks,
Binod

------------------------------
Binod Ranabhat
------------------------------

Hi,

from where do you get those logs?

Radius: EAP-PEAP: fatal alert by client- unknow ca

This indicates that some trusts are not established. I would assume, that your client (pixel phone) does not trust your radius server certificate.

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
------------------------------

Original Message:
Sent: Sep 07, 2021 02:02 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Hi, 

Wifi in our environment is working for all, but one user with Google pixel couldn't connect even if the user membership and call are ok.

Error Code: 215
Error Category: Authentication failure (domain username and password are entered correctly)

Error messagge:TLS session error

Radius: EAP-PEAP: fatal alert by client- unknow ca
ERROR in establishing TLS session...

Any suggestion , advice ? 

Many thanks,
Binod

------------------------------
Binod Ranabhat
------------------------------

Thank you for your reply. 

Is there any way to resolve it  such that Google Pixel device will trust our certificate and will allow the connection ?

Many thinks.

Kind regards,
Binod

------------------------------
Binod Ranabhat
------------------------------

Original Message:
Sent: Sep 07, 2021 02:34 AM
From: Florian Baaske
Subject: Connecting to Aruba-wifi Google Pixel

Hi,

from where do you get those logs?

Radius: EAP-PEAP: fatal alert by client- unknow ca

This indicates that some trusts are not established. I would assume, that your client (pixel phone) does not trust your radius server certificate.

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de

Original Message:
Sent: Sep 07, 2021 02:02 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Hi, 

Wifi in our environment is working for all, but one user with Google pixel couldn't connect even if the user membership and call are ok.

Error Code: 215
Error Category: Authentication failure (domain username and password are entered correctly)

Error messagge:TLS session error

Radius: EAP-PEAP: fatal alert by client- unknow ca
ERROR in establishing TLS session...

Any suggestion , advice ? 

Many thanks,
Binod

------------------------------
Binod Ranabhat
------------------------------

You will need to deploy the Root CA that issued your ClearPass EAP/RADIUS certificate to the Android device, and select that as Trusted certificate in the configuration.

Best to use Device Management (MDM/EMM) for that. Also best to avoid PEAP/MSCHAPv2 as it introduces risks if you don't fully control and harden your clients.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 07, 2021 09:31 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Thank you for your reply. 

Is there any way to resolve it  such that Google Pixel device will trust our certificate and will allow the connection ?

Many thinks.

Kind regards,
Binod

------------------------------
Binod Ranabhat

Original Message:
Sent: Sep 07, 2021 02:34 AM
From: Florian Baaske
Subject: Connecting to Aruba-wifi Google Pixel

Hi,

from where do you get those logs?

Radius: EAP-PEAP: fatal alert by client- unknow ca

This indicates that some trusts are not established. I would assume, that your client (pixel phone) does not trust your radius server certificate.

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de

Original Message:
Sent: Sep 07, 2021 02:02 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Hi, 

Wifi in our environment is working for all, but one user with Google pixel couldn't connect even if the user membership and call are ok.

Error Code: 215
Error Category: Authentication failure (domain username and password are entered correctly)

Error messagge:TLS session error

Radius: EAP-PEAP: fatal alert by client- unknow ca
ERROR in establishing TLS session...

Any suggestion , advice ? 

Many thanks,
Binod

------------------------------
Binod Ranabhat
------------------------------

Thank you Herman.

Is that the Root CA issued by Domain CA server or Radius server  certificate, that we need to install on the device ?

Please let me know..I am bit new in this area.

Many Thanks.

Kind regards,
Binod

------------------------------
Binod Ranabhat
------------------------------

Original Message:
Sent: Sep 07, 2021 09:49 AM
From: Herman Robers
Subject: Connecting to Aruba-wifi Google Pixel

You will need to deploy the Root CA that issued your ClearPass EAP/RADIUS certificate to the Android device, and select that as Trusted certificate in the configuration.

Best to use Device Management (MDM/EMM) for that. Also best to avoid PEAP/MSCHAPv2 as it introduces risks if you don't fully control and harden your clients.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 09:31 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Thank you for your reply. 

Is there any way to resolve it  such that Google Pixel device will trust our certificate and will allow the connection ?

Many thinks.

Kind regards,
Binod

------------------------------
Binod Ranabhat

Original Message:
Sent: Sep 07, 2021 02:34 AM
From: Florian Baaske
Subject: Connecting to Aruba-wifi Google Pixel

Hi,

from where do you get those logs?

Radius: EAP-PEAP: fatal alert by client- unknow ca

This indicates that some trusts are not established. I would assume, that your client (pixel phone) does not trust your radius server certificate.

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de

Original Message:
Sent: Sep 07, 2021 02:02 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Hi, 

Wifi in our environment is working for all, but one user with Google pixel couldn't connect even if the user membership and call are ok.

Error Code: 215
Error Category: Authentication failure (domain username and password are entered correctly)

Error messagge:TLS session error

Radius: EAP-PEAP: fatal alert by client- unknow ca
ERROR in establishing TLS session...

Any suggestion , advice ? 

Many thanks,
Binod

------------------------------
Binod Ranabhat
------------------------------

If you check in ClearPass the certificate installed for EAP/RADIUS, follow the path to the Root CA that issued that certificate, that is the one you need to install on your client devices for the trust.

In the case your RADIUS certificate was issued by AD Certificate Services, that is RootCA of your AD CS; and you had to install that in the ClearPass Trust list as well to get the EAP/RADIUS certificate installed, so you can export it from there, if needed.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 09, 2021 04:12 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Thank you Herman.

Is that the Root CA issued by Domain CA server or Radius server  certificate, that we need to install on the device ?

Please let me know..I am bit new in this area.

Many Thanks.

Kind regards,
Binod

------------------------------
Binod Ranabhat

Original Message:
Sent: Sep 07, 2021 09:49 AM
From: Herman Robers
Subject: Connecting to Aruba-wifi Google Pixel

You will need to deploy the Root CA that issued your ClearPass EAP/RADIUS certificate to the Android device, and select that as Trusted certificate in the configuration.

Best to use Device Management (MDM/EMM) for that. Also best to avoid PEAP/MSCHAPv2 as it introduces risks if you don't fully control and harden your clients.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 07, 2021 09:31 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Thank you for your reply. 

Is there any way to resolve it  such that Google Pixel device will trust our certificate and will allow the connection ?

Many thinks.

Kind regards,
Binod

------------------------------
Binod Ranabhat

Original Message:
Sent: Sep 07, 2021 02:34 AM
From: Florian Baaske
Subject: Connecting to Aruba-wifi Google Pixel

Hi,

from where do you get those logs?

Radius: EAP-PEAP: fatal alert by client- unknow ca

This indicates that some trusts are not established. I would assume, that your client (pixel phone) does not trust your radius server certificate.

------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de

Original Message:
Sent: Sep 07, 2021 02:02 AM
From: Binod Ranabhat
Subject: Connecting to Aruba-wifi Google Pixel

Hi, 

Wifi in our environment is working for all, but one user with Google pixel couldn't connect even if the user membership and call are ok.

Error Code: 215
Error Category: Authentication failure (domain username and password are entered correctly)

Error messagge:TLS session error

Radius: EAP-PEAP: fatal alert by client- unknow ca
ERROR in establishing TLS session...

Any suggestion , advice ? 

Many thanks,
Binod

------------------------------
Binod Ranabhat
------------------------------