We currently authenticate our wireless users via EAP-TLS using the built-in PKI on Clearpass, with a certificate chain that looks like the following:
Clearpass Local Root --> Clearpass Local Root (signing) --> client certificates and RADIUS server certificate
This works just fine, however as we look to expand this we're looking to introduce a windows CA to issue certs to managed clients so as not to consume thousands of onboard licenses. To keep the existing clients working without reconfiguration we can't change the root or the server certificate.
What I've been trying to do is create a new Windows CA that is a Subordinate CA from the certificate chain above, so I create the new subordinate CA, generate the CSR, sign the CSR as a "certificate authority" certificate in Clearpass and install the resulting intermediate into the Windows CA. This all works, and the windows CA can happily sign user certs with a trust chain that looks like the following:
Clearpass Local Root --> Clearpass Local Root (signing) --> Windows Intermediate CA ---> client certificate
I've cut a couple of test client certificates via the Windows CA and am running into a SSL Handshake failure when trying to auth using them, with the following error:
EAP-TLS: warning alert by client - close_notify
eap-tls: Error in establishing TLS session
I was hoping, maybe naievely, that because the RADIUS server cert and the client certs chain to the same root (even though they're signed by different intermediates) they would verify okay.
Is this a configuration that should work? Or is it fundamentally flawed and should I look to structure the CA heirachy another way (preferably without breaking existing clients and requiring me to change SSID/roll out a new set of profiles/etc)