Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass 802.1x template unknown_CA

Jump to Best Answer
  • 1.  Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:01 AM
      |   view attached

    Hi Guys,

     

    I am a little confuse how this works.

     

    I have a controller and ClearPass. Created service Aruba802.1x template and its working with local user database for tests.

     

    Works ok with IOS and Android.

    When we get to windows it fails to connect saying on tracker EAP-PEAP - fatal alert by client unknown_ca

     

     I see that i don't have a CA on windows network. IS it possible to use one in clearpass?

    if not waht should i do ? disable certificates on 802.1x?

     

    Sorry , but I am not used to Cpass

     

    Regards

    Attachment(s)

    docx
    unknown_CA.docx   2.15 MB 1 version


  • 2.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:04 AM
    That's likely because it's using the self-signed certificate that comes out
    of the box.



    Do you have an Aruba partner? There is a bit of planning around certs and
    authentication methods that should happen before you deploy.


  • 3.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:31 AM

    I am the installer.

     

    Not the client. We had already installed some with AD and the clients had certificates.

     

    This client does not have the CA on windows server, so for this I am a little confused on planning.

     

    Do I need a CA ? Can't we just not use clearpass certificate? 

     

    Regards

     



  • 4.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:35 AM

    Beconnect,

     

    What are you trying to configure?

    Is it EAP-PEAP or TLS?

    Did you install a server certificate on ClearPass?

    Did you also install the CA that issued the certificate in Clearpass's trust list?

    Does the Windows client have "Validate Server Certificate Enabled"?

     



  • 5.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:42 AM

    Here's your options:

     

    If you're supporting BYOD devices without Onboard, you'll need to get a publicly signed certificate.

     

    If you're supporting only managed clients (Group Policy or Profile Manager/MDM), then you can use a self-signed certificate.

     

    If you're using Onboarding for ALL users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.

     

    If you're using Onboarding for ALL user and doing dual SSID onboard, you can use a self-signed or private RADIUS server cert, but you need a public web server certificate.

     

    If you're using Onboarding for some users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.

     

    If you're using Onboarding for some users, and doing dual SSID onboard, you'll need a publicly signed RADIUS and web certificate.



  • 6.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:33 PM
      |   view attached

    Hi guys,

     

    Not using onboard.. no licenses for that.

     

    just Clearpass Policy manager.

     

    The only thing that I have done, was do the integration of clearpass with Aruba via Aruba technote v1.3integration ( in attached)

     

    What I see is that , upon the creation of the service , i suppose no certificate was installed.

     

    Should I install one? IS it possible?

     

    BYOD is working ok connected via 802.1x and certificate.. Windows not.

     

    I only configure the template of service on Clearpass and config the controller reading the technote.

    Regards

     

     

     



  • 7.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:34 PM

    Yes, you should get a publicly signed SSL certificate.



  • 8.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:35 PM

    If you are just testing, uncheck "Validate Server Certificate" on your Windows machine.  Otherwise you should get a public certificate for your server and upload the CA from that public certificate to the trusted list.



  • 9.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:40 PM

    Guys,

     

    So i should buy a public certificate?

     

    install on windows server and upload to the trust list of Clearpas?  I am not using ldap authentication , why do i need the server certificate?

     

    atached the config of the clearpass service

     

    Sorry for behing so dummy on this

     

    Regards



  • 10.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:41 PM

    You would do a CSR on ClearPass. Purchase the SSL certificate and upload it to ClearPass as the RADIUS server certificate. You don't need to do anything on a Windows server.

     

    Take a look at this slide deck: http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Real-world-802-1X-Deployment-Challenges/gpm-p/129211

     



  • 11.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 10:59 AM

    Hi Guys

     

    So we need to buy a certificate, even though we are not connecting 802.1x to AD.. Correct?

     

    The alternative that is disable the validation in all windows clients is not secure for us or the client

     

    To buy it should be like this certifcate? http://comodo.redalia.es/positivessl/

     

    Buy and then import to Clearpass correct?

     

    Regards

     

     

     

     

     



  • 12.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 11:01 AM

    Yes, that cert will work.



  • 13.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 11:12 AM

    @cappalli wrote:

    Yes, that cert will work.


    Hi,

     

    Do you know a certificate free for testing purpose?

     

    Regards



  • 14.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 11:26 AM


  • 15.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 11:35 AM


  • 16.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:12 AM

    Hi,

     

    I am going to issue a free certificate  with Comodo for testing purposes. ( 90 days)

    Since I have not yet integrate Clearpass with AD, and for free certificate we need a domain name, what should i do?

     

    The domain at the client internal is xx.local , not accepted to free ssl certificates.

     

    Could i use the the external xx.pt for issuing the certificate? is going to work for tests?

     

    thanks

     

    regards



  • 17.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:20 AM
    For RADIUS, you can use any DNS name that you want.

    If you'd like this cert to also be used for the web GUI of ClearPass, then it should match the DNS name of ClearPass.

    Sent from Nine


  • 18.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:25 AM

    OK

     

    thanks. So if I join Clearpass to AD for later Ad authentication purpose we can use any dns name on the certificate or it should match the . local domain. (clearpass.xx.local)

     

    Regards



  • 19.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:33 AM
    Well, you'll want to access GUI via a real domain name or you'll get a certificate error. Not a huge deal for admin use but if you end up using guest, you'll need to use a real DNS entry.

    Sent from Nine


  • 20.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:47 AM

    Always better to use real name I agree.

     

    My only dought was because free ssl does not accept .local.

     

    I assume that if I buy the certificate .local is fine

     

    Thanks



  • 21.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 01:24 PM
    Public CAs will only issue certificates to real domain names that you have
    proved that you own.


  • 22.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 02:36 PM

    Bruno,

     

    Did you take a read of my CPPM PKI TechNote, a lot of the Q you have are covered in here + a lot more..!!

     

    CPPM - Certificates 101 Technote V1.2.pdf



  • 23.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 17, 2015 06:26 AM

    Hi team,

     

    I have the Certificate files ( *crt). I need to import them to ClearPass but i did not see any private key file.

     

    How can import this ?

     

    Regards



  • 24.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 17, 2015 06:27 AM

    If you did a Cert Request on Clearpass, you would have already downloaded the private key file as part of that...

     



  • 25.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 17, 2015 06:35 AM

    Please take a look at the Certificate Technote that Danny wrote and mentioned here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184

     



  • 26.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 21, 2015 07:38 AM

    Hi

    First let me address to you guys and thank you for or support in this matter. I am not familiarized with certificates and know I have more knowledge on that..

     

    Certificate finally OK , tested with local user on the machine and with local SQL DB authentication

     

    But when I try to connect to 802.1x Wlan , with AD user logged in, client is using AD credential to try to connect.. Normal behaviour for me..

     

    In a AD computer logged in with ad user is it possible to login to WLAN using local user created in clearpass?

     

    I know that in a near future we are going to connect against AD repository..

     

    Regards



  • 27.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 21, 2015 07:52 AM
    You would need to uncheck "Use Windows credentials" in the Protected EAP settings on the client.

    Sent from Nine


  • 28.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 21, 2015 07:57 AM

    Ok.

     

    So if we have 50 users we need to change that on client ( one time only correct)?

     

    Or do the login with AD source.

     

    Thanks



  • 29.  RE: Clearpass 802.1x template unknown_CA
    Best Answer

    Posted Dec 21, 2015 07:59 AM
    It's a client setting. You could also change it via group policy.

    Sent from Nine


  • 30.  RE: Clearpass 802.1x template unknown_CA

    Posted Oct 24, 2017 03:19 AM

    Hi Sir,

     

    Just a question, what is the use of Root CA created on the OnBoard if will purchase publicly signed Radius and Web Certificate for BYOD Onboard single SSID.

     

    Sorry, I am new on ClearPass. Thank you in advance.



  • 31.  RE: Clearpass 802.1x template unknown_CA

    Posted Oct 24, 2017 07:49 AM
    The Onboard CA signs client certificates. The HTTPS and EAP certificates are server certificates.