We recently swapped our Radius/EAP cert out on clearpass. Most of the devices are connecting fine and I have added the root CA cert onto iPads and Macbooks. Some Androids are working but a subset (mostly Pixels) are unable to join. I have just EAP-PEAP and EAP-MSCHAPv2 under authentication and I have tried every combination of certificates on the client device and domain names I can think of.
I get one of two messages depending on factors:
EAP: Client doesn't support configured EAP methods
EAP-PEAP: fatal alert by client - unknown_ca
Can anyone tell me which certificate should be used on the client device and what the domain should be set to? I've tried the root cert, intermediate cert (which was the CA that issued the new Radius/EAP certificate to Clearpass). Also what should I put for 'Domain' on the Android client? I put my actual domain name, Canonical, the clearpass server name, the common name from the Radius Cert, etc to no avail.
Any help is greatly appreciated.
The EAP-PEAP: fatal alert by client - unknown_ca somehow leads that the end-device has no clue related to the CA.
Did you check the following link: Add & remove certificates on Google Pixels
Yup exactly this ^^^ Also what is your MDM solution for these pixel devices? If you don't have an MDM, what is the use-case for allowing unmanaged devices onto the network using PEAP?
We are not using an MDM and these are staff-owned devices. We have a firewall ruleset to limit their traffic to just out to the internet. In the past we've had them connect with 'Do not validate' the cert but with Android 11 we have been installing the root cert on the devices for the staff so they can join with their credentials and we can still track where the traffic is coming from.
For whatever reason, after swapping the Radius cert, the Pixels have stopped connecting. Even if we install the root cert and tell the supplicant on the phone to use that root cert. I am looking for clarity on which cert needs to be used and what the 'Domain' field in the Android supplicant needs to say.
Why not just use a captive Portal for this use-case? Why enforce PEAP where users are typing their AD credentials into untrusted devices?
Is the FQDN of the ClearPass Server(s) in the SAN field of the certificate? Did you change CA providers? Is this a public or private certificate?
Thanks for the reply. I did follow that guide but it will not connect (just Pixels) - other Androids will connect.
Can you tell me which certificate I am supposed to install on the client devices? I've tried the root CA and the intermediate CA that issued the Radius cert to Clearpass.
What you need to do in your radius certificate is chain the server cert + root ca in the same certificate and upload it to your radius server.
Simply open Notepad and put the server cert first, then paste the root CA right underneath, and save it as chainedradius.pem or whatever.
Upload it to your radius server with the private key.
Obviously the root CA is already installed and in your trust list, but the actual RADIUS certificate should contain the root CA chained to it. Newer Android devices (like a Pixel) implement the Trust On First Use principle, so it needs to validate the root CA but it cannot.
If you chain it, you shouldn't have a problem.
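As an added example (not from this thread, ClearPass or Aruba), a POSIX shell function that sanity-checks a chained RADIUS/EAP PEM the way the reply above describes before it is uploaded: server cert first, then the CA(s) that issued it in order, the whole path verifying against the last cert, and the RADIUS server FQDN present in the SAN (the value the supplicant's Domain field is later matched against). The file name and FQDN are assumptions; it needs the openssl CLI.

```shell
# Checks a chained RADIUS/EAP PEM before upload (added example, not ClearPass code).
# Expected order in the file: server cert, then the intermediate(s), then the root CA.
# Usage: check_radius_chain chainedradius.pem clearpass.example.com   (names assumed)
check_radius_chain() {
  chain="$1"; fqdn="$2"; dir=$(mktemp -d)
  # Split the bundle into cert1.pem, cert2.pem, ... preserving file order.
  awk -v d="$dir" '/BEGIN CERT/{n++} n>0{print > (d "/cert" n ".pem")}' "$chain"
  n=$(ls "$dir"/cert*.pem | wc -l | tr -d ' ')
  if [ "$n" -lt 2 ]; then
    echo "need server cert plus at least one CA cert, found $n"; rm -rf "$dir"; return 1
  fi
  # Each cert's issuer must equal the subject of the cert that follows it;
  # a mismatch means the chain is out of order or an issuing CA is missing.
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$dir/cert$((i+1)).pem" -noout -subject)
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "cert $i is not issued by cert $((i+1)): wrong order or missing CA"
      rm -rf "$dir"; return 1
    fi
    i=$((i+1))
  done
  # The server cert's SAN must list the FQDN the supplicant will be told to trust.
  if ! openssl x509 -in "$dir/cert1.pem" -noout -text | grep -qF "DNS:$fqdn"; then
    echo "server cert SAN does not contain DNS:$fqdn"; rm -rf "$dir"; return 1
  fi
  # Full path validation: last cert is the trust anchor, the middle ones are untrusted.
  untrusted=""; i=2
  while [ "$i" -lt "$n" ]; do untrusted="$untrusted -untrusted $dir/cert$i.pem"; i=$((i+1)); done
  if openssl verify -CAfile "$dir/cert$n.pem" $untrusted "$dir/cert1.pem" >/dev/null; then
    rc=0; echo "chain OK: $n certs, SAN contains $fqdn"
  else
    rc=1; echo "chain does not verify against the root CA"
  fi
  rm -rf "$dir"; return $rc
}
```

A chain that passes here can still be rejected by a phone that has not been given the same root, so the root CA on the device and the last cert in this file must be identical.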
Thanks for the reply. This is already what I have now as my Radius cert. I actually also have the Intermediate CA as part of this chain in Clearpass.
This is what my RADIUS/EAP chain looks like:
|--Intermediate CA (That issued the Radius cert to Clearpass)
Also the version of Android that one of the test devices is using is Android 11 so I am not running into the TOFU processes. Any other ideas?
I don't have a lot of experience with Clearpass so Captive Portal is way over my head. We also have a large number of clients connecting fine for years on the current setup but when we do a Wifi refresh I will definitely look into CP to see if it's a good fit for this use-case.
The SAN field in the Radius cert is empty. Do you think re-issuing a new cert with the CP FQDN in the SANS field might solve it?
I added the DNS shared name and both FQDNs to the SAN field and it's still not working. The old Radius cert also didn't have anything in the SAN field. Any other thoughts?
The root did not change and this is a private Windows CA
I can't think of any changes. I don't believe it's a software update because I can roll back to the old cert and the phone will connect. Both the old and new certs have a 10-year expiration date.
Had a similar case today with one Android device (Samsung). What I could notice was that the issue got resolved after I disabled TLS 1.0 and TLS 1.1 on the Wireless Controller. I am not sure if this could be of any help, but check.
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.