Despite what was written before, the message "fatal alert by server - unknown_ca" means that the ClearPass server did not trust the client certificate.
You should export the Onboard Root CA (and intermediates would not hurt) from the other server (than the one that shows this message), and add/import that to the Trust list of this server with the purpose EAP (and have it enabled, but that happens by default).
I would suggest working with Aruba Support (TAC), as it may be confusing unless you fully understand how certificates and certificate validation work.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 19, 2022 06:50 PM
From: jiang ziv
Subject: Does clearpass onboard can support two different site ?
Here is the alert:
EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
I have put the Onboard root cert in each ClearPass trust list, but it still shows this alert.
Original Message:
Sent: Nov 19, 2022 06:34 PM
From: Ariya Parsamanesh
Subject: Does clearpass onboard can support two different site ?
What is the exact error in the alert tab of Access Tracker for the failed onboarded device?
Is it to do with the certificates? If so, then you need to add the root CA cert that signed the onboarded device's cert to the Certificate Trusted List on the ClearPass node where you are getting the error.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Original Message:
Sent: Nov 18, 2022 10:10 PM
From: jiang ziv
Subject: Does clearpass onboard can support two different site ?
No, they aren't.
They are just standalone in two sites, but use the same AD to authenticate.
Original Message:
Sent: Nov 18, 2022 05:16 PM
From: Ariya Parsamanesh
Subject: Does clearpass onboard can support two different site ?
Are these ClearPass nodes part of the same cluster?
Original Message:
Sent: Nov 18, 2022 12:52 PM
From: jiang ziv
Subject: Does clearpass onboard can support two different site ?
Hi,
I have two ClearPass servers in different sites,
with the same AD for authentication and the same SSID.
Onboard each other.
After onboarding, each site can use Wi-Fi normally,
but if a device changes to the other site, it fails.
Is there any way to make it work (onboard in one site, and the other site can use Wi-Fi too)?
Or do I need to cluster them?
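
The trust relationship discussed in this thread can be reproduced offline with the openssl CLI. This is an added example, not part of any post above and not ClearPass tooling: the two roots, the device name `laptop01`, and all file names are constructed, and `openssl verify` stands in for the server-side check of the client certificate.

```shell
#!/bin/sh
# Constructed lab: two standalone roots stand in for the two sites' Onboard CAs.
set -eu
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_root() {   # $1 = site label (A or B)
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Onboard Root CA $1" \
    -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
}

issue_client() {   # $1 = issuing site, $2 = device name
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 2 -CA "$WORK/$1-root.pem" \
    -CAkey "$WORK/$1-root.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# Prints the issuer of a certificate, i.e. the CA the other site must trust.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# Exit status 0 only if the client cert chains to a CA in the trust bundle.
check_trust() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_root A; make_root B
issue_client A laptop01                          # device onboarded at site A
cp "$WORK/B-root.pem" "$WORK/siteB-before.pem"   # site B trusts only its own root
cat "$WORK/B-root.pem" "$WORK/A-root.pem" > "$WORK/siteB-after.pem"  # A's root imported

issuer_of "$WORK/laptop01.pem"
for bundle in siteB-before siteB-after; do
  if check_trust "$WORK/$bundle.pem" "$WORK/laptop01.pem"; then
    echo "$bundle: client certificate trusted"
  else
    echo "$bundle: verify failed (the server side reports this as unknown_ca)"
  fi
done
```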