Yes, with TEAP I tested it; it's working perfectly.
Original Message:
Sent: Feb 07, 2025 12:48 AM
From: tobi.coonan
Subject: Move from EAP-Peap to TLS Auth method
Based on that screenshot, it rejected the connection when authenticating as the machine then accepted the user authentication request.
Hard to say why without knowing your roles and enforcement profiles.
For Windows devices, I'd suggest using EAP-TEAP as the method as it can authenticate both machine and user in the same request.
This helps solve the issue: if the user does not have a certificate, it will still remain connected (assuming you allow machine authentication) after login.
Here's another thread with more details: EAP-TEAP | Security and also a good guide from HPE ClearPass TEAP Configuration Guide.
Only thing I would do differently with the TEAP configuration guide is use EAP-TLS for both methods instead of EAP-MSCHAP (page 18).
Original Message:
Sent: Feb 06, 2025 05:22 AM
From: khaled0moh
Subject: Move from EAP-Peap to TLS Auth method
In Access Tracker the host is rejected but the user is able to access the internet. Is it normal behaviour?
Original Message:
Sent: Feb 06, 2025 03:32 AM
From: khaled0moh
Subject: Move from EAP-Peap to TLS Auth method
Solved, finally :) :)
The issue was the computer and user certificate; now the role includes both and the user is able to access via EAP-TLS.
Best Regards, Jonas, thanks
Original Message:
Sent: Jan 23, 2025 08:09 AM
From: jonas.hammarback
Subject: Move from EAP-Peap to TLS Auth method
In the screenshot of your certificates I can only see Server Authentication as intended purpose. Verify that your client certificates have Client Authentication as intended purpose in the certificate.

Is the RADIUS certificate on the ClearPass server issued by the same CA as the client certificate, cadd-WIN-QBIDRM98CDO-CA?
Under the Advanced settings, have you selected how the machine should authenticate? Either with user or computer certificate or utilize both. If both are selected the machine will use the machine certificate if no user is logged in and the user certificate as soon as a user has logged in to Windows.

------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
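The certificate checks described in the reply above, as an added example that is not part of the original thread: it lists the user and computer personal stores and reports whether each certificate carries the Client Authentication purpose, has a private key, is within its validity period, and names the CA quoted in the thread as issuer. The function name `Test-EapTlsClientCert` is hypothetical, and the issuer comparison assumes the client certificates come from that same CA.

```powershell
# Added example (not from the thread): audit the personal certificate stores
# that Windows uses for EAP-TLS and report which certificates qualify.
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU OID
$ExpectedIssuer = 'cadd-WIN-QBIDRM98CDO-CA'  # CA name quoted in the thread (assumed issuer)

function Test-EapTlsClientCert {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Store
    )
    # Collect the EKU OIDs; a certificate may have no EKU extension at all.
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $now           = Get-Date
    $hasClientAuth = $ekus -contains $ClientAuthOid
    $inValidity    = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -ge $now)

    [pscustomobject]@{
        Store           = $Store
        Subject         = $Certificate.Subject
        Issuer          = $Certificate.Issuer
        EKUs            = ($ekus -join ', ')
        ClientAuth      = $hasClientAuth
        HasPrivateKey   = $Certificate.HasPrivateKey
        InValidity      = $inValidity
        # Informational: compare against the CA that signed the RADIUS certificate.
        IssuerMatches   = $Certificate.Issuer -like "*CN=$ExpectedIssuer*"
        UsableForEapTls = $hasClientAuth -and $Certificate.HasPrivateKey -and $inValidity
    }
}

# CurrentUser\My holds the user certificate, LocalMachine\My the computer certificate.
$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem -Path $store | ForEach-Object {
        Test-EapTlsClientCert -Certificate $_ -Store $store
    }
}
$report | Format-List
```

A certificate that shows only `1.3.6.1.5.5.7.3.1` (Server Authentication) under `EKUs` is the case the reply points out in the screenshot.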
Original Message:
Sent: Jan 23, 2025 08:00 AM
From: khaled0moh
Subject: Move from EAP-Peap to TLS Auth method
Hi Jonas,
I'm trying manually on one machine; if it's a success I will push to all with GPO.
But I think this is a machine issue, because Access Tracker is not receiving any alert after the user is not able to connect on the SSID and is shown a certificate error.
Original Message:
Sent: Jan 23, 2025 06:12 AM
From: jonas.hammarback
Subject: Move from EAP-Peap to TLS Auth method
Hi
Have you configured the client to utilize EAP-TLS for the authentication?
It's best done with a GPO with the WiFi 802.1x settings, where you select all needed options for the authentication.
You should select the Root CA to trust and also give the name in the ClearPass RADIUS certificate.
Do you get any error messages in the Access Tracker?
Original Message:
Sent: Jan 23, 2025 05:10 AM
From: khaled0moh
Subject: Move from EAP-Peap to TLS Auth method
Hi experts,
I was running WiFi staff on EAP-PEAP with the SSID configured with RADIUS, and it's working fine.
But now I need to apply EAP-TLS, and the issue is that the client shows this message while connecting: "unable to connect, you need certificate to sign-in"
So I checked the certificate; it is already pushed on the user and computer certificate.
This RADIUS certificate was obtained from a ClearPass CSR and signed by ADCS.
cppm service: