Wireless Access

last person joined: 18 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

ClearPass OnBoarding - TLS error

  • 1.  ClearPass OnBoarding - TLS error

    Posted Oct 10, 2013 05:20 AM

    I am trying to setup ClearPass OnBoarding for Windows laptops to push a wireless profile for 802.1x authentication via EAP-TLS. I configured a provisioning profile and the provisioning settings. The Windows laptop can connect to the OnBoarding page and the QuickConnect client is executed. It seems that the provisioning is successful, because I see new certificates in the user and computer certificate store and a wireless connection profile is available.

     

    When I try to connect to the 802.1x secure wireless network, I receive the following error message in the CPPM Access Tracker: EAP-TLS: fatal alert by client - access_denied

     

    This error is caused by the Validate server certificate option within the wireless profile. I am using ClearPass as CA and the correct intermediate and root certificates are pushed to the client and are checked within the wireless network profile.

     

    As soon as I manually disable the check to Validate server certificate, the Windows laptop connects without any problems. I guess the problem is located in the Trust configuration of the wired network configuration in ClearPass Guest. Is someone familiar with this problem?



  • 2.  RE: ClearPass OnBoarding - TLS error

    Posted Oct 10, 2013 03:32 PM
    This error is related to the CA cert not being trusted. You need to ensure that the trust chain is complete. You can check this by opening the cert and checking the entire chain is there


  • 3.  RE: ClearPass OnBoarding - TLS error

    Posted Oct 10, 2013 05:10 PM
      |   view attached

    Do you know how I can check this, so I know that I am 100% sure the chain is correct. I checked the certificate under OnBoard + Workspace - Initial Setup - Certificate Authorities (see attachment). They seem to be correct, because they are the default Aruba certificates.

     

    The webserver certificate (a wildcard certificate) is also correct, because I can access the ClearPass website without a certificate warning.



  • 4.  RE: ClearPass OnBoarding - TLS error

    Posted Oct 10, 2013 06:39 PM
    Can you temporarily replace the server cert signed by the onboard Ca. I think the EAP cert you are using for EAP termination is not signed by the onboard Ca.


  • 5.  RE: ClearPass OnBoarding - TLS error

    Posted Jul 28, 2015 08:44 AM

    He Admins, I have the same issue. What was the soltuion? I use a public wildcard cert from a public CA Thawte, but it is not trusted by Windows Clients.



  • 6.  RE: ClearPass OnBoarding - TLS error

    Posted Aug 09, 2015 09:49 AM
    The solution is that you cannot use a wildcard certificate for RADIUS. Microsoft does not allow this.