last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass 802.1x certificate

Jump to Best Answer
This thread has been viewed 4 times
  • 1.  Clearpass 802.1x certificate

    Posted Oct 03, 2013 07:55 AM



    I am getting an error while autenticating on windows 7 :


    Access tracker says..

    EAP-PEAP: fatal alert by client - unknown_ca


    This means that i need to have a certificate on Clearpass that is recognised?



    Also I need to know how to create a basic policy to say that if the device is an Iphone it only goes to a guest role ( for example http,https) that is already created on aruba controlller side.


    Could you help



  • 2.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 08:03 AM

    Make sure you upload the entire certificate trust chain (intermediate and Root CA certificates).

  • 3.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 08:26 AM

    This can be a certificate error on the client. The SSID profile is probably not set to trust the correct certificate.


    In the SSID profile on your Windows machine make sure that the Root CA you are using for your ClearPass is checked as the trusted CA.


    Also, depending on what cert you are using for your ClearPass (the Apache server), if it is a commercial cert make sure that the entire trust chain is visible under ClearPass > Configuration > Certificates > Server Certificate


    Check this post. tarnold gave a really nice screen shot of what your server certificate should look like when using a commercial CA.


    Was this device connected using the Onboard process? Or did you manually setup an SSID profile on your Windows?


    As for your Apple device, you can accomplish by using your Role Mappings. Then with your Enforcement Profile you can evaluate the TIPS role and if the TIPS role is equal to [Onboard iOS] then place it into your Guest Role and VLAN. I think there is a screen shot of this in one of your previous posts.

  • 4.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 02:27 PM



    i follow the guide for integrate aruba wireless with clearpass (explending by the way) 


    I assume that the certificate was generated by clearpass himself .


    I need to have a commercial one?


    alternally could I change clearpass 802.1x to not to ask for certificate?


    regarding iphones and android, is there any info on how to implement roles on them ? ( corporte user connects to wlan and because its identified the device as an iphone, goes to a guest role....



    regards and thanks guys ;)












  • 5.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 02:50 PM

    You need to have a commercial CA for ClearPass to correctly Onboard Apple devices when using HTTPS.


    If you do not have a commercial CA the Onboarding of Apple devices will fail.


    On Windows, and Android you don't have to worry what certificate you use.


    This is the certificate for the ClearPass (Apache server)  itself by the way. Not the certificate for the Onboard.


    I am not sure if there is a guide that takes it step by step.


    Simple explanation would be.



    1. Create a  service. Alternatively you can add this functionality to an existing service.
    2. On the 'Roles' tab of your service from the dropdown menu select the default 'Onboard Authorization'. This contains all some basic role mapping rules. You can customize this though to your needs.
    3. Create an Enforcement Policy that evaluated the 'TIPS Role' of the device. The CPPM will have given a TIPS role based on the rules in the role mapping 'Onboard Authorization'.
    4. Then match your Enforcement Policy up with an Enforcement Profile that sends back a RADIUS response with the correct 'User Role' and 'VLAN'. The User Role would be equal to a role that you created on your Aruba controller.

    You can make your Role Mapping rules do just about anything. For instance, Blackberry devices, we created a rule that checks the device from the Endpoint profiles and if the 'OS Family' = 'Blackberry' then we assing it a TIPS role of 'Blackberry' (for instance).


    I believe some of the default template services might give you a good visual representation of what you have to do as well.


    Hopefully this helps a little though.



  • 6.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 02:52 PM

    If you are only doing 802.1X PEAP authentication, not onboarding, and want to use the built-in certificate, you would need to disable server certificate validation in the supplicant settings on each client. (None of this is recommended by the way)



  • 7.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 03:20 PM
    thank you both for help... we are not using onboard.. we only have base policy manager and clearpass guest .. using the embebbed certificate i connect to devices except for windows ones those give can't connect to the network.. since we have several clients, is not secure and efficient to remoe the validation.. But apple devices connect and ask for the. "clearpass certificate" , we accept and then connects ok. so I guess the only way for this to work under windows with security, is to have and install an alternative commercial certificate correct? regards

  • 8.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 03:23 PM
    Either install a commercial cert or if you are in a domain environment,
    use an internal private Certificate Authority that is already trusted by
    the clients.

  • 9.  RE: Clearpass 802.1x certificate

    Posted Oct 03, 2013 03:31 PM

    You could also export the certificate from the CPPM and install it on all your domain machines.

    We had experimented with this initially before we received our commerical CA and it worked well (under Windows).


    But as cappalli suggested if you already have a private CA that is trusted use it!

  • 10.  RE: Clearpass 802.1x certificate
    Best Answer

    Posted Oct 10, 2013 10:28 AM



    Imported ssl certificates from the AD



  • 11.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 08:17 AM

    Hi Cappalli,


    Does exist another way for to by pass the server certificate validation in supplicant setting perhaps with another 802.1x auth method


    my schem :  supplicant -> controller -> cppm (termination)-> AD


    Or a script for configure the "windows" supplicant ?






  • 12.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 08:44 AM
    All tunneled EAP methods require server verification. 

    Are your machines joined to an AD domain? 


  • 13.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 09:47 AM

    Hi Cappalli,


    no i haven't machine in the domain because they are not corporate computers.


    I find a solution, if i configure the RADIUS termination on my controller (as below) and i configure a MSCHAP method auth in Clearpass service (as below).


    And now, the machine have a only one warning message about de and after they can connect.









  • 14.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 09:49 AM

    You should use MS-CHAPv2.


    Using the default controller certificate is not best practice.

  • 15.  RE: Clearpass 802.1x certificate

    Posted Dec 30, 2014 09:54 AM



    I haven't MSCHAP-V2 in the method auth list, i have only EAP-MSCHAPV2 and when I test with it, it's doesn't work, i get a alert message in access tracker : 


    RADIUSCannot select appropriate authentication method