If the message in Access Tracker is "EAP-TLS: fatal alert by server - unknown_ca", then the problem is that ClearPass (the server) does not trust the client certificate (unknown_ca). That either means you didn't install the correct client issuing CA (root and possibly the intermediates) in the ClearPass Trust List, or that it doesn't have the 'Usage: EAP or RADIUS' set in the Trust List.
Or the client doesn't select the correct certificate and tries with another certificate.
Maybe RKinsp can tell what was the case here.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
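The two trust-list causes described above (missing issuing CA, or a certificate the server will not accept for client authentication) can be reproduced outside ClearPass with a throwaway PKI and openssl verify, which performs the same chain-building check a RADIUS server applies to the client certificate during the EAP-TLS handshake. This is an added example and not part of the thread or of any Aruba tooling; the CA names, the "laptop01" client name and the "radius.example" server name are constructed for the demonstration, and the "Usage: EAP" setting is approximated by the -purpose sslclient check on the leaf certificate.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unknown_ca" verification failure
# with a throwaway PKI and `openssl verify`, which performs the same chain check a
# RADIUS server applies to the client certificate during the EAP-TLS handshake.
# All names (Example Root CA, Example Issuing CA, laptop01, radius.example) are
# constructed for the demo.
set -e
WORK=$(mktemp -d)

# Extension profiles for the CA certificates and the end-entity certificates.
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_client ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Issue a certificate: gen_cert <name> <subject CN> <extension section> [issuer name]
# Without an issuer the certificate is self-signed (the root).
gen_cert() {
  name=$1; cn=$2; ext=$3; issuer=$4
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 \
      -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Root CA -> issuing (intermediate) CA -> client certificate, plus a server certificate
# from the same issuing CA to stand in for "the client picked the wrong certificate".
gen_cert root    "Example Root CA"    v3_ca
gen_cert issuing "Example Issuing CA" v3_ca     root
gen_cert client  "laptop01"           v3_client issuing
gen_cert server  "radius.example"     v3_server issuing

# verify_client <trust bundle> <certificate>: prints OK when the certificate chains to
# the bundle and is usable for TLS client authentication, FAIL otherwise.
verify_client() {
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Two trust-list variants: root only, and root plus the issuing CA.
cp "$WORK/root.pem" "$WORK/trust_root_only.pem"
cat "$WORK/root.pem" "$WORK/issuing.pem" > "$WORK/trust_full_chain.pem"

echo "root only in trust list, client cert:      $(verify_client "$WORK/trust_root_only.pem" "$WORK/client.pem")"
echo "root + issuing CA in trust list, client:   $(verify_client "$WORK/trust_full_chain.pem" "$WORK/client.pem")"
echo "full chain, but server cert was selected:  $(verify_client "$WORK/trust_full_chain.pem" "$WORK/server.pem")"
```

The first case fails with "unable to get local issuer certificate", which is the openssl-side equivalent of the server's unknown_ca alert: the leaf was issued by an intermediate that the server's trust store has never seen. The second case passes once the issuing CA is added to the bundle. The third case fails even with the complete chain trusted, because the selected certificate is not valid for client authentication, which is what happens when the supplicant offers a certificate other than the one issued for EAP-TLS.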
Original Message:
Sent: Nov 02, 2024 12:04 AM
From: toopaki
Subject: EAP-TLS with Windows not working with SCEP Certificates
How did you fix this? Can you help us find the cause?
Original Message:
Sent: Jul 24, 2024 12:36 PM
From: RKinsp
Subject: EAP-TLS with Windows not working with SCEP Certificates
Nevermind, found my mistake. Will publish results in a bit.
Original Message:
Sent: Jul 24, 2024 12:00 PM
From: RKinsp
Subject: EAP-TLS with Windows not working with SCEP Certificates
Hey guys,
So I am testing a new deployment option with an Azure-based CPPM with Onboard + Intune SCEP extension. The solution has successfully deployed client certificates to my Windows devices.
I am manually configuring the WiFi and I have not been able to get the devices to authenticate. In theory, with EAP-TLS I do not need an authentication source, as I only want to trust the certificate. The next step will be adding Entra account validation, but I am still stuck on the basic authentication step.
Authentication fails with the following error:
EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
The client is selecting the right cert, which was created by the Onboard CA and it also has the root cert as a Trusted CA.
The Onboard CA ROOT cert is in the CPPM trust list, with the usage set to EAP and Others. I cannot figure out why it is reporting "unknown_ca". I have tried disabling "verify the server identity" on the client side, but that didn't change anything.
Service is using EAP-TLS authentication method with authorization disabled. CPPM is on version 6.12.2. Client does have a TPM chip, but the error seems unrelated.
Any ideas?
Thanks,
RK