Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Pixel Phones unable to connect to PEAP MSChap-V2

  • 1.  Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 07, 2023 03:09 PM

    We recently swapped our RADIUS/EAP cert out on ClearPass.  Most of the devices are connecting fine and I have added the root CA cert onto iPads and MacBooks.  Some Androids are working but a subset (mostly Pixels) are unable to join.  I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.

    I get one of two messages depending on factors:

    EAP: Client doesn't support configured EAP methods

     or

    EAP-PEAP: fatal alert by client - unknown_ca

    Can anyone tell me which certificate should be used on the client device and what the domain should be set to?  I've tried the root cert and the intermediate cert (which was the CA that issued the new RADIUS/EAP certificate to ClearPass).  Also, what should I put for 'Domain' on the Android client?  I put my actual domain name, Canonical, the ClearPass server name, the common name from the RADIUS cert, etc., to no avail.

    Any help is greatly appreciated.



  • 2.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    MVP
    Posted Sep 07, 2023 04:00 PM

    The "EAP-PEAP: fatal alert by client - unknown_ca" message somehow suggests that the end device has no clue about the CA.

    Did you check the following link: Add & remove certificates on Google Pixels



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------



  • 3.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 07, 2023 04:58 PM

    Yup, exactly this ^^^.  Also, what is your MDM solution for these Pixel devices?  If you don't have an MDM, what is the use case for allowing unmanaged devices onto the network using PEAP?




  • 4.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 07, 2023 05:26 PM

    We are not using an MDM and these are staff-owned devices.  We have a firewall ruleset to limit their traffic to just out to the internet.  In the past we've had them connect with 'Do not validate' for the cert, but with Android 11 we have been installing the root cert on the devices for the staff so they can join with their credentials and we can still track where the traffic is coming from.

    For whatever reason, after swapping the RADIUS cert, the Pixels have stopped connecting, even if we install the root cert and tell the supplicant on the phone to use that root cert.  I am looking for clarity on which cert needs to be used and what the 'Domain' field in the Android supplicant needs to say.




  • 5.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 07, 2023 05:31 PM

    Why not just use a captive portal for this use case?  Why enforce PEAP where users are typing their AD credentials into untrusted devices?

    Is the FQDN of the ClearPass server(s) in the SAN field of the certificate?  Did you change CA providers?  Is this a public or private certificate?




  • 6.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 07, 2023 05:23 PM

    Thanks for the reply.  I did follow that guide but it will not connect (just Pixels); other Androids will connect.

    Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.




  • 7.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 07, 2023 05:27 PM

    What you need to do in your RADIUS certificate is chain the server cert + root CA in the same certificate and upload it to your RADIUS server.

    Simply open Notepad and put the server cert first, then paste the root CA right underneath, and save it as chainedradius.pem or whatever.

    Upload it to your RADIUS server with the private key.

    Obviously the root CA is already installed and in your trust list, but the actual RADIUS certificate should contain the root CA chained to it.
    Newer Android devices (like a Pixel) implement the trust-on-first-use principle, so it needs to validate the root CA but it cannot.

    If you chain it, you shouldn't have a problem.



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 8.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 04:42 AM

    Thanks for the reply.  This is already what I have now as my RADIUS cert.  I actually also have the intermediate CA as part of this chain in ClearPass.

    This is what my RADIUS/EAP chain looks like:

    Root

    |--Intermediate CA  (that issued the RADIUS cert to ClearPass)

    |----ClearPass cert

    Also, the version of Android that one of the test devices is using is Android 11, so I am not running into the TOFU processes.  Any other ideas?




  • 9.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 04:49 AM

    I don't have a lot of experience with ClearPass, so captive portal is way over my head.  We also have a large number of clients connecting fine for years on the current setup, but when we do a Wi-Fi refresh I will definitely look into CP to see if it's a good fit for this use case.

    The SAN field in the RADIUS cert is empty.  Do you think re-issuing a new cert with the CP FQDN in the SAN field might solve it?

    Thanks,

    Mcfly




  • 10.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 07:37 AM
    Yes, I would try that.  Did the old cert have a SAN field?  You are going to have future issues with this approach as mobile phone vendors continue to lock down their OS.  The only way to reliably accomplish what you are after is to mandate MDM enrollment for these devices, or switch to an authentication method that doesn't involve EAP, like captive portal.




  • 11.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 10:37 AM

    I added the DNS shared name and both FQDNs to the SAN field and it's still not working.  The old RADIUS cert also didn't have anything in the SAN field.  Any other thoughts?




  • 12.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 10:41 AM
    Did the root CA change? Is this a public or private cert?




  • 13.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 10:55 AM

    The root did not change and this is a private Windows CA.




  • 14.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 12:06 PM
    Are we sure the culprit is the certificate change and not an OS update to the Pixel devices?  Again, you are going to have problems like this if you aren't using an MDM.  What has changed from the previous cert?  Any change in the intermediate certificates?  What about certificate lifetime?  Is it longer than one year?




  • 15.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    Posted Sep 08, 2023 01:49 PM

    I can't think of any changes. I don't believe it's a software update because I can roll back to the old cert and the phone will connect.  Both the old and new certs have a 10-year expiration date.




  • 16.  RE: Pixel Phones unable to connect to PEAP MSChap-V2

    MVP
    Posted Sep 08, 2023 01:53 PM

    Had a similar case today with one Android device (Samsung).  What I could notice was that the issue got resolved after I disabled TLS 1.0 and TLS 1.1 on the wireless controller.
    I am not sure if this could be of any help, but check.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------