Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS with JAMF PRO extension

  • 1.  EAP-TLS with JAMF PRO extension

    Posted Feb 10, 2024 08:50 AM

    Our organization wants to switch all of our Jamf-managed devices over to certificate-based wireless authentication using EAP-TLS, but I'm having a difficult time getting it to work.

    I created a new service for EAP-TLS but when I see the attempt to connect in Access Tracker, I get the error "EAP-TLS: warning alert by client - close_notify
    TLS Handshake failed in SSL_read with error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
    eap-tls: Error in establishing TLS session"

    I do not show the cert ever being presented to ClearPass in "Computed Attributes" like I saw in Herman's video. I can verify the cert is present in ClearPass and on the supplicant.

    I'm not sure where I'm going wrong. Can anyone help??



  • 2.  RE: EAP-TLS with JAMF PRO extension

    Posted Feb 12, 2024 04:57 AM

    Hi

    The error message you get is the result of the client device not trusting the ClearPass RADIUS Root CA certificate for EAP. The client must first trust the root of the chain that issued the ClearPass RADIUS certificate; second, the client must have an 802.1X profile specifying the root CA as trusted for EAP, and some client operating systems also require you to specify the name in the certificate.

    In your situation the client doesn't trust ClearPass and thus doesn't send the client certificate, and you will not see it in Access Tracker.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: EAP-TLS with JAMF PRO extension

    Posted Mar 02, 2024 09:43 AM

    Thank you for the info!! I still couldn't get this to work, so I opened a case with TAC and they said we must also get the Intermediate CA certificate (the one under the RADIUS / EAP server certificates section in ClearPass) trusted on the supplicant. Once we pushed the intermediate CA to the Jamf device, we were authenticating to the wireless and connecting.

    I hope this helps someone!!
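    The trust problem described in the reply above and resolved in this follow-up (the supplicant must be able to build a path from the ClearPass RADIUS certificate to a CA it trusts, which includes the intermediate) can be reproduced with a plain TLS handshake, because EAP-TLS carries exactly that handshake inside RADIUS. The Go program below is an added example, not code from this thread, from ClearPass or from Jamf: it constructs its own root, intermediate and server certificates (names such as "Example Root CA" and clearpass.example.invalid are made up), then runs the handshake over loopback TCP with the client playing the supplicant, so it works offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Pki is a constructed chain (not real ClearPass or Jamf material):
// Root CA -> Issuing (intermediate) CA -> ClearPass RADIUS server certificate.
type Pki struct {
	Root, Inter, Server *x509.Certificate
	ServerKey           *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn signed by parent, or self-signed when parent is nil.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the server name an 802.1X profile can require
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func BuildPki() *Pki {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, root, rootKey)
	server, serverKey := issue("clearpass.example.invalid", false, inter, interKey)
	return &Pki{Root: root, Inter: inter, Server: server, ServerKey: serverKey}
}

// Handshake runs one TLS handshake over loopback TCP. The server presents the RADIUS
// certificate, optionally followed by the issuing CA; the client (the supplicant)
// trusts only the CAs passed in. Returns nil if the supplicant accepted the server.
func Handshake(p *Pki, sendIntermediate bool, trusted ...*x509.Certificate) error {
	chain := [][]byte{p.Server.Raw}
	if sendIntermediate {
		chain = append(chain, p.Inter.Raw)
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: chain, PrivateKey: p.ServerKey}},
		SessionTicketsDisabled: true, // nothing left to write once the handshake completes
	}
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "clearpass.example.invalid"}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		tls.Server(conn, serverCfg).Handshake() // a failure here also surfaces on the client side
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	err = tls.Client(raw, clientCfg).Handshake()
	raw.Close()
	<-done
	return err
}

func main() {
	p := BuildPki()
	fmt.Println("root trusted, intermediate neither sent nor trusted:", Handshake(p, false, p.Root))
	fmt.Println("root and intermediate trusted (TAC advice):        ", Handshake(p, false, p.Root, p.Inter))
	fmt.Println("root trusted, server sends the intermediate:       ", Handshake(p, true, p.Root))
}
```

    The first case reproduces the thread's failure: the supplicant trusts the root, the server presents only its own certificate, and the client aborts with an unknown-authority error, which the server side sees as a failed handshake and no client certificate ever arrives. Either trusting the intermediate on the supplicant (what TAC advised) or having the server present the full chain lets the handshake complete.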




  • 4.  RE: EAP-TLS with JAMF PRO extension

    Posted Feb 14, 2024 01:04 PM

    Hope this helps. Here is the configuration profile payload of our EAP-TLS Wi-Fi in Jamf Pro.

    1. I'm deploying the root certificate for our CA server. The CA server not only assigns certificates to the clients, but I also used it to make a server certificate for ClearPass RADIUS. So the clients only need the one root.
    2. The Wi-Fi profile that establishes the trust with the SCEP server
    3. The SCEP server so the client can request a certificate



  • 5.  RE: EAP-TLS with JAMF PRO extension

    Posted Feb 19, 2024 10:41 AM

    Oh, thank you! I'll have that team take a look! Much appreciated!!