last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass and 3 different AD servers EAP-TLS

  • 1.  Clearpass and 3 different AD servers EAP-TLS

    Posted 10 days ago

    I'm trying to implement Clearpass with 3 different AD's with EAP-TLS
    All running PKI and have users/computers. All 3 different AD's computers should be able to authenticate using same CP.

    AD servers are 

    I have created certificate for Clearpass in AD1.TEST.COM
    Imported all AD servers root certs to trusted list on Clearpass
    Client that belongs to AD2.TEST.COM has 802.1x settings correctly for EAP-TLS and machine cert and root cert from AD2.TEST.COM installed. I have modified EAP-TLS so no certificate comparison and no Authorization Required

    It doesn't work, error message is

    RADIUS EAP-TLS: fatal alert by server - unknown_ca
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session

    What is the right way to do it?

    Thank you for your help.

    Best regards. 


  • 2.  RE: Clearpass and 3 different AD servers EAP-TLS

    Posted 9 days ago
    Hi Joakim,

    from my point of view, it looks like the client does not trust the radius certificate. My understanding is, that you gave clearpass a radius certificate from the Clients in and will not trust this certificate. You need to install the root ca from the in those clients.

    Florian Baaske

  • 3.  RE: Clearpass and 3 different AD servers EAP-TLS

    Posted 9 days ago
    The message tells: "fatal alert by server", which indicates that ClearPass (=server) does not trust the client certificate from the client (in AD2).

    Can you double-check that the certificate installed to that client is issued by the correct CA (probably CA2, but another CA would be acceptable as well as long as that is trusted in ClearPass), that you have imported and enabled that CA, at least for EAP, in the ClearPass Trust List? As well if you have intermediate certificates in the client certificate, that those are imported and enabled for EAP as well?

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check for how to contact Aruba TAC.