Hi
What version of Windows do you have on the clients?
There are some changes in how the validation of the certificate is done in different versions of Windows and some Windows 11 updates. To be compliant with most versions today, provide the name(s) found in the RADIUS certificate and also check the checkbox "Do not prompt the user..."
The screenshot below is from Windows 11 23H2 with EAP-TLS.
One version of Windows 11 had case-sensitive validation of the name in the certificate; all others are not case-sensitive.
At this link you can get more information about how Windows validates the RADIUS certificate:
https://learn.microsoft.com/en-us/windows-server/networking/technologies/extensible-authentication-protocol/windows-11-changes
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Nov 12, 2024 04:44 AM
From: hudaya1991
Subject: certificate radius for global trust device
Dear @GorazdKikelj ,
Thanks for your response.
I have already found the documentation for user acknowledgment.
Thank you
------------------------------
Regards,
Hudaya
ACCP, ATP, ACP-CA
Original Message:
Sent: Nov 11, 2024 07:11 AM
From: Gorazd Kikelj
Subject: certificate radius for global trust device
Hi.
For RADIUS you can't use a wildcard cert. You need to have a dedicated certificate, and you need to include a SAN field with IP addresses and DNS names for all ClearPass servers in the cluster if you would like to use a single certificate for RADIUS.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
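
An added example, not part of the original posts: a Python check of a RADIUS certificate's SAN list against the two points raised in this thread (no wildcard and DNS/IP SANs for every cluster node, plus the name-case issue mentioned for one Windows 11 version). It assumes the input is the text printed by `openssl x509 -noout -ext subjectAltName`; the host names, IP addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, in the layout openssl prints for the SAN extension.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:cppm1.example.com, IP Address:192.0.2.11
"""


def parse_san(text):
    """Return (dns_names, ip_addresses) found in openssl's SAN text output."""
    dns, ips = [], set()
    for kind, value in re.findall(r"(DNS|IP Address):([^,\s]+)", text):
        if kind == "DNS":
            dns.append(value)
        else:
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def audit_radius_cert(san_text, cluster_dns, cluster_ips, client_server_names=()):
    """List problems that would stop one certificate serving the whole cluster.

    cluster_dns / cluster_ips: names and addresses of every RADIUS node.
    client_server_names: names typed into the Windows profile (hypothetical
    input), compared exactly to catch the case-sensitive Windows 11 build.
    """
    dns, ips = parse_san(san_text)
    lowered = {name.lower() for name in dns}
    findings = [f"wildcard SAN: {name}" for name in dns if "*" in name]
    for host in cluster_dns:
        if host.lower() not in lowered:
            findings.append(f"missing DNS SAN: {host}")
    for ip in cluster_ips:
        if ipaddress.ip_address(ip) not in ips:
            findings.append(f"missing IP SAN: {ip}")
    for name in client_server_names:
        if name not in dns and name.lower() in lowered:
            findings.append(f"case differs from certificate: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_radius_cert(
        SAMPLE_SAN_TEXT,
        ["cppm1.example.com", "cppm2.example.com"],
        ["192.0.2.11", "192.0.2.12"],
        ["CPPM1.example.com"],
    ):
        print(finding)
```

An empty list means the SAN list covers every node without a wildcard and the client-side names match the certificate exactly.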
Original Message:
Sent: Nov 11, 2024 05:37 AM
From: hudaya1991
Subject: certificate radius for global trust device
Dear All,
Currently in our environment we have a .1x configuration with ClearPass.
We do not have issues with Mac/iOS/Android, but several Windows machines need to manually invalidate "validate server certificate".
We have already injected an SSL DigiCert certificate into ClearPass, but it's a wildcard.
Do we have documentation about what type of certificate should be injected into ClearPass so that we don't have to uncheck "validate server" on Windows laptops?
------------------------------
Regards,
Hudaya
ACCP, ATP, ACP-CA
------------------------------