I am a little confused how this works.
I have a controller and ClearPass. Created a service from the Aruba 802.1X template and it's working with the local user database for tests.
Works OK with iOS and Android.
When we get to Windows it fails to connect, and the tracker says: EAP-PEAP - fatal alert by client unknown_ca
I see that I don't have a CA on the Windows network. Is it possible to use one in ClearPass?
If not, what should I do? Disable certificates on 802.1X?
Sorry, but I am not used to CPass.
I am the installer.
Not the client. We had already installed some with AD and the clients had certificates.
This client does not have the CA on the Windows server, so I am a little confused on planning.
Do I need a CA? Can't we just not use the ClearPass certificate?
What are you trying to configure?
Is it EAP-PEAP or TLS?
Did you install a server certificate on ClearPass?
Did you also install the CA that issued the certificate in Clearpass's trust list?
Does the Windows client have "Validate Server Certificate Enabled"?
Here are your options:
If you're supporting BYOD devices without Onboard, you'll need to get a publicly signed certificate.
If you're supporting only managed clients (Group Policy or Profile Manager/MDM), then you can use a self-signed certificate.
If you're using Onboarding for ALL users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.
If you're using Onboarding for ALL users and doing dual SSID onboard, you can use a self-signed or private RADIUS server cert, but you need a public web server certificate.
If you're using Onboarding for some users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.
If you're using Onboarding for some users, and doing dual SSID onboard, you'll need a publicly signed RADIUS and web certificate.
Not using Onboard... no licenses for that.
Just ClearPass Policy Manager.
The only thing that I have done was the integration of ClearPass with Aruba via the Aruba technote v1.3 integration (attached).
What I see is that, upon the creation of the service, I suppose no certificate was installed.
Should I install one? Is it possible?
BYOD is working OK, connected via 802.1X and certificate. Windows not.
I only configured the service template on ClearPass and configured the controller following the technote.
Yes, you should get a publicly signed SSL certificate.
If you are just testing, uncheck "Validate Server Certificate" on your Windows machine. Otherwise you should get a public certificate for your server and upload the CA from that public certificate to the trusted list.
So I should buy a public certificate?
Install it on the Windows server and upload it to the trust list of ClearPass? I am not using LDAP authentication, why do I need the server certificate?
Attached is the config of the ClearPass service.
Sorry for being so dumb on this.
You would do a CSR on ClearPass. Purchase the SSL certificate and upload it to ClearPass as the RADIUS server certificate. You don't need to do anything on a Windows server.
Take a look at this slide deck: http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Real-world-802-1X-Deployment-Challenges/gpm-p/129211
So we need to buy a certificate, even though we are not connecting 802.1X to AD. Correct?
The alternative, which is to disable the validation on all Windows clients, is not secure for us or the client.
To buy it, should it be like this certificate? http://comodo.redalia.es/positivessl/
Buy and then import to ClearPass, correct?
Yes, that cert will work.
@cappalli wrote: Yes, that cert will work.
Do you know a certificate that is free for testing purposes?
Thanks cappalli ;)
I am going to issue a free certificate with Comodo for testing purposes (90 days).
Since I have not yet integrated ClearPass with AD, and for a free certificate we need a domain name, what should I do?
The client's internal domain is xx.local, which is not accepted for free SSL certificates.
Could I use the external xx.pt for issuing the certificate? Is it going to work for tests?
Thanks. So if I join ClearPass to AD for later AD authentication purposes, can we use any DNS name on the certificate, or should it match the .local domain (clearpass.xx.local)?
Always better to use a real name, I agree.
My only doubt was because free SSL does not accept .local.
I assume that if I buy the certificate, .local is fine.
Did you read my CPPM PKI TechNote? A lot of the questions you have are covered in there, plus a lot more!
CPPM - Certificates 101 Technote V1.2.pdf
I have the certificate files (*.crt). I need to import them to ClearPass but I did not see any private key file.
How can I import this?
If you did a cert request on ClearPass, you would have already downloaded the private key file as part of that...
Please take a look at the Certificate Technote that Danny wrote and mentioned here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184
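An added example, written here in Go with only the standard library; it is not ClearPass, Aruba or Windows code. It builds a throwaway PKI and replays the situations in this thread. ValidateServerCert is the check a Windows client performs with "Validate Server Certificate" enabled: unless the RADIUS server certificate chains to a CA in the client's trust list it aborts the handshake, which is the unknown_ca alert seen in the tracker. A self-signed certificate passes only once it has been pushed into the client's trust list (the managed-client case), a certificate from an already-trusted CA passes as-is, and an expected server name that does not match the certificate fails even with a good chain. KeyMatchesCert covers the missing private key question: the key from the CSR must match the public key inside the .crt. The CA name and the clearpass.xx.local / clearpass.xx.pt host names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template: a one-year CA template when ca is true, otherwise the TLS server cert for FQDN name.
func template(serial int64, name string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else { // what ClearPass presents to the supplicant inside the PEAP tunnel
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue makes a fresh P-256 key for tmpl and signs with parentKey; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // template/key errors are bugs in this example, not runtime conditions
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ValidateServerCert is the supplicant-side check made when "Validate Server Certificate" is
// on: chain the RADIUS server cert to a CA in the client's trust list and check the name.
func ValidateServerCert(server *x509.Certificate, trusted []*x509.Certificate, expectedName string) string {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownCA, badName = x509.UnknownAuthorityError{}, x509.HostnameError{}
	if err == nil {
		return "ok"
	} else if errors.As(err, &unknownCA) {
		return "unknown_ca" // the TLS alert the Windows client raised in the thread
	} else if errors.As(err, &badName) {
		return "bad_name"
	}
	return "other: " + err.Error()
}

// KeyMatchesCert: a private key belongs to a .crt only if its public half equals the cert's key.
func KeyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	return key.PublicKey.Equal(cert.PublicKey)
}

// Scenarios runs the cases discussed in the thread on a constructed PKI (all names made up).
func Scenarios() map[string]string {
	publicCA, publicKey := issue(template(1, "Example Public Root CA", true), nil, nil) // CA a stock Windows trust list already holds
	bought, boughtKey := issue(template(2, "clearpass.xx.pt", false), publicCA, publicKey) // cert bought after a CSR on ClearPass
	selfSigned, _ := issue(template(3, "clearpass.xx.local", false), nil, nil)             // default self-signed RADIUS cert
	_, otherKey := issue(template(4, "clearpass.xx.pt", false), nil, nil)                  // key from an unrelated CSR
	windowsTrust := []*x509.Certificate{publicCA}
	return map[string]string{
		"self-signed cert, validation on":  ValidateServerCert(selfSigned, windowsTrust, "clearpass.xx.local"),
		"self-signed cert pushed by GPO":   ValidateServerCert(selfSigned, append(windowsTrust, selfSigned), "clearpass.xx.local"),
		"public cert, validation on":       ValidateServerCert(bought, windowsTrust, "clearpass.xx.pt"),
		"public cert, wrong expected name": ValidateServerCert(bought, windowsTrust, "clearpass.xx.local"),
		"own key matches bought cert":      fmt.Sprint(KeyMatchesCert(bought, boughtKey)),
		"other key matches bought cert":    fmt.Sprint(KeyMatchesCert(bought, otherKey)),
	}
}
```

Scenarios() returns the verdict for each case; the expectedName parameter stands in for a supplicant profile that tells the client which server name to accept, so the name put on the certificate at CSR time is the one the clients must be configured to expect.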
First let me address you guys and thank you for your support in this matter. I am not familiar with certificates, and now I have more knowledge on that.
Certificate finally OK, tested with a local user on the machine and with local SQL DB authentication.
But when I try to connect to the 802.1X WLAN with an AD user logged in, the client uses the AD credentials to try to connect. Normal behaviour for me.
On an AD computer logged in with an AD user, is it possible to log in to the WLAN using a local user created in ClearPass?
I know that in the near future we are going to connect against the AD repository.
So if we have 50 users we need to change that on the client (one time only, correct)?
Or do the login with the AD source.
Just a question: what is the use of the Root CA created on OnBoard if we will purchase a publicly signed RADIUS and web certificate for BYOD Onboard single SSID?
Sorry, I am new to ClearPass. Thank you in advance.