Security

Hello all,

I have a question,
I currently have 802.1x authentication working with xxx.com and everything works fine,
but now i would like to add authentication with another (second) domain yyy.com and when i try to authenticate the client to wifi network access tracer gives me an error:

EAP-PEAP: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error: 14094418: SSL routines: ssl3_read_bytes: tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session


For yyy.com domain I added CA in "Trust List" section but still there is a problem.

My CPPM: 6.9.3

Maybe someone had a similar problem?
Thank you in advance for your answer.

best regards

------------------------------
Martin S
------------------------------

You should check and validate the CA that issued the device cert , the one you added into ClearPass may not be the correct one

Check the serial number and thumbprint on the cert

------------------------------
Victor Fabian
------------------------------

Original Message:
Sent: Nov 02, 2020 08:40 AM
From: Martin S
Subject: CPPM Error in establishing TLS session

Hello all,

I have a question,
I currently have 802.1x authentication working with xxx.com and everything works fine,
but now i would like to add authentication with another (second) domain yyy.com and when i try to authenticate the client to wifi network access tracer gives me an error:

EAP-PEAP: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error: 14094418: SSL routines: ssl3_read_bytes: tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session


For yyy.com domain I added CA in "Trust List" section but still there is a problem.

My CPPM: 6.9.3

Maybe someone had a similar problem?
Thank you in advance for your answer.

best regards

------------------------------
Martin S
------------------------------

It's an issue at the client, not in the Trust List:

fatal alert by client - unknown_ca

This means that the client complains that it does not trust the ClearPass EAP certificate.

Have you replaced the default self-signed EAP/RADIUS certificate with a trusted one (either from public or private CA)?
Did you configure your client and imported or enabled the Root CA in your client (supplicant)?
What type of client is this?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
------------------------------

Original Message:
Sent: Nov 02, 2020 08:40 AM
From: Martin S
Subject: CPPM Error in establishing TLS session

Hello all,

I have a question,
I currently have 802.1x authentication working with xxx.com and everything works fine,
but now i would like to add authentication with another (second) domain yyy.com and when i try to authenticate the client to wifi network access tracer gives me an error:

EAP-PEAP: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error: 14094418: SSL routines: ssl3_read_bytes: tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session


For yyy.com domain I added CA in "Trust List" section but still there is a problem.

My CPPM: 6.9.3

Maybe someone had a similar problem?
Thank you in advance for your answer.

best regards

------------------------------
Martin S
------------------------------