Security

Does anyone know where I need to look to solve this problem?

Issue:

Context:

• New PKI has been set up with root CA and issuing CA
• Issuing CA has issued a certificate to the first test Windows 11 PC
• The root CA cert has been installed in PC's Trusted Root Certification Authorities - Certificates folder
• The issuing CA cert has been installed in PC's Intermediate Certification Authorities - Certificates folder. The root CA cert also shows under here. 
• The CPPM RADIUS server's certificate is issued by a different CA. This different root CA issued the cert directly to ClearPass, and that root CA's certificate has been installed in the PC's trusted root. We are migrating from one CA to another. 
• Root and issuing CA certs have both been installed on ClearPass under Administration -> Certificates -> Trust List, usage is showing as EAP

You must have an issue with the last step... the message EAP-TLS: fatal alert by server - unknown_ca has two important pieces of information:

• The ClearPass server does not trust the client certificate
• Reason for not trusting is that the issuing CA is not trusted by ClearPass (Trust List).

I would double-check that the client certificate that is used by the client (if it has multiple certificates, it may pick the wrong one) and that the Client CA/PKI is added, enabled and has (at least) been enabled for EAP.

Does anyone know where I need to look to solve this problem?

Issue:

Context:

• New PKI has been set up with root CA and issuing CA
• Issuing CA has issued a certificate to the first test Windows 11 PC
• The root CA cert has been installed in PC's Trusted Root Certification Authorities - Certificates folder
• The issuing CA cert has been installed in PC's Intermediate Certification Authorities - Certificates folder. The root CA cert also shows under here. 
• The CPPM RADIUS server's certificate is issued by a different CA. This different root CA issued the cert directly to ClearPass, and that root CA's certificate has been installed in the PC's trusted root. We are migrating from one CA to another. 
• Root and issuing CA certs have both been installed on ClearPass under Administration -> Certificates -> Trust List, usage is showing as EAP

On the PC under the computer account, it only has 1 certificate. I tried exporting the root and issuing ca certificates out of the PC's client certificate which is an identical copy of the certificate downloaded directly from the CA, and it shows the following:

You must have an issue with the last step... the message EAP-TLS: fatal alert by server - unknown_ca has two important pieces of information:

• The ClearPass server does not trust the client certificate
• Reason for not trusting is that the issuing CA is not trusted by ClearPass (Trust List).

I would double-check that the client certificate that is used by the client (if it has multiple certificates, it may pick the wrong one) and that the Client CA/PKI is added, enabled and has (at least) been enabled for EAP.

Does anyone know where I need to look to solve this problem?

Issue:

Context:

• New PKI has been set up with root CA and issuing CA
• Issuing CA has issued a certificate to the first test Windows 11 PC
• The root CA cert has been installed in PC's Trusted Root Certification Authorities - Certificates folder
• The issuing CA cert has been installed in PC's Intermediate Certification Authorities - Certificates folder. The root CA cert also shows under here. 
• The CPPM RADIUS server's certificate is issued by a different CA. This different root CA issued the cert directly to ClearPass, and that root CA's certificate has been installed in the PC's trusted root. We are migrating from one CA to another. 
• Root and issuing CA certs have both been installed on ClearPass under Administration -> Certificates -> Trust List, usage is showing as EAP