Thank you for the additional information Waldemar. If I find another CA to issue the certificate I will keep an eye out for the WLAN Profile Certificate catch. I had not heard of that.
Original Message:
Sent: May 08, 2025 06:03 AM
From: Waldemar Ryll
Subject: ClearPass & EAP-TLS for WIFI on iPads
As Herman mentioned, the ClearPass server must trust the client certificates, i.e. the CA and intermediate CA certificates must be imported and enabled in the Certificate Trust List at ClearPass. This is currently not the case, which is why you get the error message "EAP-TLS: fatal alert by server - unknown_ca".
Furthermore, client authentication must be specified as the purpose usage in the client certificate. If this purpose is missing, the authentication will not work.
For iOS devices, it is not enough to just install the certificate. Our customers had to save the certificate in the WLAN profile; only then did dot1x authentication work.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: May 07, 2025 03:21 PM
From: StrikerTS
Subject: ClearPass & EAP-TLS for WIFI on iPads
I will follow up in case someone happens to stumble across this searching for something similar. I just spoke with Okta and, even though I successfully issued a perfectly fine device certificate to the device, it 'is not meant for that.' They insist even if they gave me the certificate it wouldn't load into ClearPass properly.
Original Message:
Sent: May 07, 2025 12:48 PM
From: StrikerTS
Subject: ClearPass & EAP-TLS for WIFI on iPads
Thank you Herman. I was hoping it was my mistake so I could take more direct actions in the fix. I tried a little to create a Windows cert but haven't had success yet. I am hoping Okta can point me in the right direction.
Original Message:
Sent: May 07, 2025 09:49 AM
From: Herman Robers
Subject: ClearPass & EAP-TLS for WIFI on iPads
Yes you would need the Okta Client CA Root certificate (plus additional intermediates if applicable). Normally speaking such a certificate chain would/should be available from the CA.
If you can't find it... maybe, if you can enroll a Windows client with a client certificate from the same CA, and if you are lucky, the intermediate and root are also installed on that client. From a Windows client, it's easier to export the required certificate.
fatal alert by server - unknown_ca means that the client certificate cannot be verified up to the RootCA, which needs to be in the ClearPass Trust List.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
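Both answers above come down to two checks the RADIUS server performs on the presented client certificate: it must chain to a root that is in the Trust List (an intermediate on its own is not a trust anchor), and it must carry the client-authentication purpose. The script below is an added example written for this page, not code from the thread, from HPE Aruba Networking or from Okta. It builds a throwaway root -> intermediate -> device chain with openssl (all names are made up) and runs the two checks against an "intermediate only" trust list, a "root + intermediate" trust list, and a device certificate issued with the wrong purpose.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces, with openssl, the
# trust-chain and key-purpose checks an EAP-TLS server makes on a client
# certificate. Every CA and device name below is made up for the lab.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Write X.509v3 extensions ("\n"-separated) to a file and print its path, for -extfile.
ext_file() {
  printf '%b\n' "$2" > "$WORK/$1.ext"
  printf '%s\n' "$WORK/$1.ext"
}

# issue <name> <subject> <extensions> <issuer name | self>
# Creates $WORK/<name>.key and $WORK/<name>.pem (P-256 keys: quick, fine for a lab).
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$4" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 -sha256 \
      -extfile "$(ext_file "$1" "$3")" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$(ext_file "$1" "$3")" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# The server-side check. $1: candidate Trust List (concatenated PEM CA certs),
# $2: the client certificate. Prints "OK" or "FAIL: <openssl reason>"; always exits 0.
verify_client_cert() {
  if out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1); then
    echo OK
  else
    reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    echo "FAIL: $reason"
  fi
}

# Print the Extended Key Usage (the "purpose") a certificate carries.
show_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
issue root   "/CN=Example Lab Root CA"    "$CA_EXT" self
issue int    "/CN=Example Lab Issuing CA" "$CA_EXT" root
# Device certificate with the client-authentication purpose ...
issue ipad   "/CN=ipad-0001" 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth' int
# ... and one from a template that only permits server authentication.
issue badeku "/CN=ipad-0002" 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth' int

# Two candidate Trust Lists: the issuing (intermediate) CA alone, and root + intermediate.
cp  "$WORK/int.pem" "$WORK/trust-int-only.pem"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/trust-full.pem"

echo "Trust List = intermediate only  : $(verify_client_cert "$WORK/trust-int-only.pem" "$WORK/ipad.pem")"
echo "Trust List = root + intermediate: $(verify_client_cert "$WORK/trust-full.pem"     "$WORK/ipad.pem")"
echo "serverAuth-only client cert     : $(verify_client_cert "$WORK/trust-full.pem"     "$WORK/badeku.pem")"
show_eku "$WORK/ipad.pem"
```

The first line of output fails because the chain stops at an intermediate that is not self-signed and has no issuer in the trust list, which is the server-side condition behind "certificate verify failed" and the unknown_ca alert sent to the iPad; the second passes; the third fails on purpose even with a complete chain. The real-world equivalent is to export the certificate the iPad presents, put the root and intermediate(s) you intend to import into the ClearPass Trust List in one PEM file, and run `openssl verify -purpose sslclient -CAfile <that file> <device cert>` before touching the server.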
Original Message:
Sent: May 07, 2025 08:52 AM
From: StrikerTS
Subject: ClearPass & EAP-TLS for WIFI on iPads
Hello All,
I have been researching your forums for a while, and I BELIEVE I know what my problem is, but since I am going to be stuck cycling with support looking for options I thought I would ask a question and make sure I understand this process. Here is the background:
- We just started with ClearPass.
- We have a self-hosted, on-prem CA issuing computer and client certificates to our Windows laptops & desktops, which works well.
- We have an MDM solution but it has no native integrations with ClearPass.
- We have Office 365 but don't have any Entra P1 / P2 level licenses.
I was able to issue a certificate to our iPads through our MDM solution using Okta as the certificate server. I installed the certificate that Okta says authenticates this client cert (though it is labeled as an intermediate cert) into the 'Trust List' in ClearPass.
I am getting this error:
EAP-TLS: fatal alert by server - unknown_ca TLS Handshake failed in SSL_read with error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed eap-tls: Error in establishing TLS session |
Based on many of the same error posts answered by Herman, I have gone back to be sure the certificate the iPad is using is indeed the certificate issued by Okta, which it is as well as making sure the intermediate cert has usage of 'EAP' (also added RadSec for testing).
When I generate the certificate on the iPad I am using a SCEP server connection to create and deploy the cert so I am wondering if I perhaps requested the certificate with the wrong information that somehow doesn't match the Okta Intermediate cert (I have to fill the requesting info out through a plist file), or if I need the root cert or next cert in their cert chain to properly validate my client cert. I am unsure how to test further while I wait for Okta support to return my ticket asking for the next cert in the chain.
I'm also open to other recommendations if I am doing something 'the hard way'.
Thanks for reading!