Security

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

Yup exactly this ^^^ Also what is your MDM solution for these pixel devices?  If you don't have an MDM, what is the use-case for allowing unmanaged devices onto the network using PEAP?

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

We are not using an MDM and these are staff-owned devices.  We have a firewall ruleset to limit their traffic to just out to the internet.  In the past we've had them connect with 'Do not validate' the cert but with Android 11 we have been installing the root cert on the devices for the staff so they can join with their credentials and we can still track where the traffic is coming from.

For whatever reason, after swapping the Radius cert, the Pixels have stopped connecting.  Even if we install the root cert and tell the supplicant on the phone to use that root cert.  I am looking for clarity on which cert needs to be used and what the 'Domain' field in the Android supplicant needs to say.

Yup exactly this ^^^ Also what is your MDM solution for these pixel devices?  If you don't have an MDM, what is the use-case for allowing unmanaged devices onto the network using PEAP?

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

I added the DNS shared name and both FQDNs to the SAN field and it's still not working. The old Radius cert also didn't have anything in the SAN field.  Any other thoughts?

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

I added the DNS shared name and both FQDNs to the SAN field and it's still not working. The old Radius cert also didn't have anything in the SAN field.  Any other thoughts?

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

The root did not change and this is a private Windows CA

I added the DNS shared name and both FQDNs to the SAN field and it's still not working. The old Radius cert also didn't have anything in the SAN field.  Any other thoughts?

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

The root did not change and this is a private Windows CA

I added the DNS shared name and both FQDNs to the SAN field and it's still not working. The old Radius cert also didn't have anything in the SAN field.  Any other thoughts?

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.

I can't think of any changes. I don't believe it's a software update because I can roll back to the old cert and the phone will connect.  Both the old and new certs have a 10-year expiration date.

The root did not change and this is a private Windows CA

I added the DNS shared name and both FQDNs to the SAN field and it's still not working. The old Radius cert also didn't have anything in the SAN field.  Any other thoughts?

I don't have a lot of experience with Clearpass so Captive Portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.

The SAN field in the Radius cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?

Thanks,

Mcfly

What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server. 

Simply open open notepad and put the server cert first then paste the root ca right underneath, save it as chainedradius.pem or whatever. 

Upload it to your radius server with the private key. 

Obviously the root ca is already installed and in your trust list but the actual radius certificate should contain the root ca chained to it
Newer android devices (like a pixel) implement the Trust on first use principle so it needs to validate the root ca but it cannot. 

If you chain it, you shouldn't have a problem. 

Thanks for the reply.  I did follow that guide but it will not connect (Just PIxels) - other androids will connect.  

Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.

The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.

Did you check the following link: Add & remove certificates on Google Pixels

We recently swapped our Radius/EAP cert out on clearpass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

I get one of two messages depending on factors:

EAP: Client doesn't support configured EAP methods

 or

EAP-PEAP: fatal alert by client - unknown_ca

Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass).  Also what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.

Any help is greatly appreciated.