Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

  • 1.  Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

    Posted 2 days ago

    I inherited a wireless network which uses PEAP for authentication and ClearPass as the authentication server.  We have set all of the clients that we can to 'do not check' for the server certificate, but some Android devices will not allow this.  What is it checking, and what do I need for this to work?

    Is it the RADIUS/EAP, the HTTPS ECC, or the HTTPS RSA, or none of the above?  The RADIUS cert is signed by my own CA and I've tried using the root cert from that CA on the client, but it will still not join.  My HTTPS RSA cert is signed by a public CA.  Am I missing intermediate certs in the chain, or what actually happens?

    Any help is greatly appreciated!

    Mcfly



  • 2.  RE: Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

    Posted yesterday

    The client checks the RADIUS/EAP server certificate installed on ClearPass for 802.1X PEAP authentication (as well as for TEAP and EAP-TLS, by the way).

    A private root CA for your EAP server certificate is recommended in most cases, and intermediates are sent by ClearPass, so just installing the private root should be OK. Make sure that you have an actual private CA: using a self-signed EAP certificate will result in problems, as will a wildcard certificate for EAP (wildcards are fine/great for HTTPS).

    On Android, there is also a 'domain' field in the configuration; that is where you would put the name (CN/SAN DNS) of your EAP server certificate. It may help to configure another device first, like a Windows client, make it work, and from a working situation find a way to make the other devices work. Please verify that there is no more MD5/SHA-1 in your private CA or EAP server certificate, as that is deprecated and some clients may refuse to connect with such weak crypto.

    Access Tracker may provide some additional information, like 'client: untrusted CA' if the client doesn't trust the CA; but some clients fail silently, unfortunately.

    Please be aware of the risks of running PEAP with 'do not check' on the server certificate; I would plan to move to TEAP/EAP-TLS, or at least enforce server certificate checking without end users being able to override an untrusted certificate.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

    Posted yesterday

    Thank you for such a detailed response!  We certainly know the risks and don't want to use PEAP without checking for the cert.  That's just some of the testing that I have done to try and get this working. 

    We are also definitely using a privately signed cert.  The root and intermediate certs are signing the ClearPass EAP cert with SHA256RSA.  I just tried with an iPhone by adding my root CA certificate and trying to join.  Of course it does not ask for settings like 'domain' (or anything, for that matter).  When I try to join I still get the 'Not Trusted' pop-up where it asks to verify my intermediate CA that signed the ClearPass cert:

    [Screenshot: message when trying to connect with iPhone]

    I would not expect this since I have my root cert installed on the iPhone.

    Thoughts?

    Thanks,

    Mcfly 




  • 4.  RE: Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

    EMPLOYEE
    Posted yesterday

    If the certificate isn't installed correctly on ClearPass, you'll end up with this result.  Make sure that the certificate has the intermediate and root as part of the chain when installing.  ClearPass 6.12 will enforce this requirement.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

    Posted 6 hours ago

    I have this in place now.  I'm on version 6.10.8, but the chain looks like this for the EAP cert:

    <My Root>
    ---<My Sub>
    ------<CP EAP>

    Anything else you can think of?

    Thanks,

    McFly




  • 6.  RE: Which cert does a Wi-Fi client check when trying to join an SSID through ClearPass?

    EMPLOYEE
    Posted 5 hours ago

    Guessing here:

    • Validity period of the RADIUS certificate is longer than typically allowed these days.
    • Haven't looked at iOS recently, but Android will not like a private certificate unless the network has been provisioned through management; trying to add an 802.1X network through the OS interface will always throw an alert on the RADIUS certificate when using a private PKI.


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------