Security

  • 1.  EAP-TLS with Windows not working with SCEP Certificates

    Posted Jul 24, 2024 12:01 PM

    Hey guys,

    So I am testing a new deployment option with an Azure-based CPPM with Onboard + Intune SCEP extension. The solution has successfully deployed client certificates to my Windows devices.

    I am manually configuring the WiFi and I have not been able to get the devices to authenticate. In theory, with EAP-TLS I do not need an authentication source as I only want to trust the certificate. The next step will be adding Entra account validation, but I am still stuck on the basic authentication step.

    Authentication fails with the following error:

    EAP-TLS: fatal alert by server - unknown_ca
    TLS Handshake failed in SSL_read with error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session

    The client is selecting the right cert, which was created by the Onboard CA and it also has the root cert as a Trusted CA.

    The Onboard CA ROOT cert is in the CPPM trust list and I set the EAP and Others for the usage. I cannot figure out why it is reporting "unknown_ca". I have tried disabling "verify the server identity" on the client side, but that didn't change anything.

    Service is using EAP-TLS authentication method with authorization disabled. CPPM is on version 6.12.2. Client does have a TPM chip, but the error seems unrelated.

    Any ideas?

    Thanks,

    RK



  • 2.  RE: EAP-TLS with Windows not working with SCEP Certificates

    Posted Jul 24, 2024 12:36 PM

    Nevermind, found my mistake. Will publish results in a bit.

    vs.




  • 3.  RE: EAP-TLS with Windows not working with SCEP Certificates

    Posted Sep 17, 2024 09:39 AM

    Hi!

    So what was that?




  • 4.  RE: EAP-TLS with Windows not working with SCEP Certificates

    Posted Nov 02, 2024 12:05 AM

    How did you fix this? Can you help us find the cause?




  • 5.  RE: EAP-TLS with Windows not working with SCEP Certificates

    Posted Nov 05, 2024 08:37 AM

    If the message in Access Tracker is "EAP-TLS: fatal alert by server - unknown_ca", then the problem is that ClearPass (by server) does not trust the client certificate (unknown_ca). This means that either you didn't install the correct Client Issuing CA (root and possibly the intermediates) in the ClearPass Trust List, or it doesn't have the 'Usage: EAP or RADIUS' in the Trust List.

    Or the client doesn't select the correct certificate and tries with another certificate.

    Maybe RKinsp can tell what was the case here.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
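The diagnosis above can be reproduced offline with openssl. This is an added example, not part of the thread: a constructed lab PKI (Root CA, Issuing CA, client certificate) stands in for the Onboard/Intune SCEP chain, and two candidate trust stores play the role of the ClearPass Trust List, with and without the issuing CA.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unknown_ca" condition
# offline. Lab PKI is constructed here: Root CA -> Issuing CA -> client cert.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files so openssl treats the issuing CA as a CA and the leaf as a
# TLS client certificate (the role an EAP-TLS supplicant certificate plays).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# Root CA (self-signed), issuing CA signed by the root, client signed by the issuing CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj '/CN=Lab Onboard Root CA' -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Lab Onboard Issuing CA' \
  -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in issuing.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out issuing.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=device01.lab.example' \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in client.csr -CA issuing.pem -CAkey issuing.key \
  -CAcreateserial -extfile client.ext -out client.pem 2>/dev/null

# A certificate from an unrelated CA: the "client selects the wrong certificate" case.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj '/CN=Some Other CA' -keyout other.key -out other.pem 2>/dev/null

# Two candidate Trust Lists: root only, and root plus the issuing CA.
cp root.pem trust_root_only.pem
cat root.pem issuing.pem > trust_full.pem

# verify_client TRUSTLIST CERT: returns 0 if CERT chains to a CA in TRUSTLIST
# (ClearPass would accept it), 1 otherwise (ClearPass sends unknown_ca).
verify_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

for case in "trust_root_only.pem client.pem" "trust_full.pem client.pem" "trust_full.pem other.pem"; do
  set -- $case
  if verify_client "$1" "$2"; then
    echo "$1 + $2: chain OK"
  else
    echo "$1 + $2: unknown_ca (certificate verify failed)"
  fi
done
```

Only the trust store that contains both the root and the issuing CA accepts the client certificate; the root-only store and the certificate from the unrelated CA both reproduce the failure.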



  • 6.  RE: EAP-TLS with Windows not working with SCEP Certificates

    Posted Nov 05, 2024 08:41 PM

    Hi, any update on your deployment? Interested to know if you're using the new MS PKI service. Also, did you have any issues deploying the CPPM appliance?