We're trying to migrate from EAP-PEAP/MSCHAP to either EAP-TLS or TEAP. In my test environment, I'm trying to get my GPO working for both Windows 10 and Windows 11 computers. The issue I'm seeing is that if a Windows 10 computer connects, it shows the certificate with the ClearPass FQDN. If a Windows 11 computer connects, it shows the certificate with the VIP IP address instead of the FQDN. If I have certificate validation turned on, I can only get it to work for one of the OSes. Has anyone run into this?
Always use certificate validation, never disable this; you will open yourself up to MITM attacks.
Definitely want to leave that on, but I don't understand why Windows 10 sees the cert coming from FQDN and Windows 11 sees the cert coming from the VIP?
Are you in compliance with the link I shared? Is the VIP IP in the certificate SAN field? Where exactly are you seeing the VIP and not the IP? Within a certificate warning on the PC?
As far as I can tell, we're in compliance. The cert has the FQDN of VIP and both cluster members as well as the VIP and IPs of each cluster member. On the GPO, I went in and added both FQDN and VIP IP in the "Connect to these servers" box. That seems to fix it, but I'm still stumped why there's a difference between the OS types.
Maybe Windows 11 is looking at the SAN field and seeing the VIP IP? Typically I don't recommend configuring "connect only to these servers". What is your use case for this? IMHO certificate trust should handle that piece.
That's my misunderstanding then, I thought you had to put something there. I'm going to test without it. Thanks!
Yeah, it's not required. It's a "slight" security measure, but it makes things like adding/changing RADIUS servers/DNS names really unnecessarily complex.
I 'slightly' disagree as this is only true if you can guarantee that nobody else can create a server certificate from any of the trusted CAs in your supplicant configuration. Changing the EAP certificate CN will cause issues on many other platforms, and on Windows you can easily push out an update through GPO or Intune/MDM. For me setting the RADIUS server names is something I have always done, and never let me go, except when I mistyped the name in which case it's even better that the authentication fails.
What does your certificate look like? Which CA issued it? Public? Private? And do you have the same certificate installed on each of your ClearPass servers?
If you didn't get a proper certificate, it may be that Windows 10 shows the CN and Windows 11 shows the first SAN. Following the certificate standards you should have the CN also as the first SAN.
You should not be seeing any certificate if you have your clients properly configured (Group Policy/MDM).
------------------------------
Herman Robers
------------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
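A quick way to verify the two certificate points raised in this thread (the CN should also be the first SAN entry, and every name or address listed under "Connect to these servers" in the GPO must appear in the SAN), as an added example that is not part of the thread or of any Aruba tool. It parses the text that `openssl x509 -noout -subject -ext subjectAltName` prints for the EAP server certificate; the hostnames and addresses below are constructed.

```python
import re

# Constructed sample of `openssl x509 -in eap.pem -noout -subject -ext subjectAltName`
# for a two-node ClearPass cluster behind a VIP (names and addresses are made up).
OPENSSL_OUTPUT = """\
subject=CN = cppm-vip.example.internal
X509v3 Subject Alternative Name:
    DNS:cppm-vip.example.internal, DNS:cppm1.example.internal, DNS:cppm2.example.internal, IP Address:10.10.10.5, IP Address:10.10.10.6, IP Address:10.10.10.7
"""

def parse_openssl_output(text):
    """Return (cn, [(kind, value), ...]) with SAN entries in certificate order."""
    cn_match = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    sans = []
    in_san = False
    for line in text.splitlines():
        if line.startswith("X509v3 Subject Alternative Name"):
            in_san = True
            continue
        if in_san and line.startswith(" "):
            # Entries look like "DNS:host" or "IP Address:10.0.0.1" (IPv4 only here;
            # an IPv6 value would itself contain colons and needs a smarter split).
            for entry in line.split(","):
                kind, _, value = entry.strip().partition(":")
                sans.append((kind, value.strip()))
        else:
            in_san = False
    return cn, sans

def check_eap_cert(cn, sans, server_names):
    """Return a list of findings; an empty list means both checks passed.

    server_names is the list the GPO puts in "Connect to these servers"; a name
    missing from the SAN is exactly the case where a supplicant rejects the server.
    """
    findings = []
    if not sans:
        return ["no subjectAltName extension"]
    first_kind, first_value = sans[0]
    if first_kind != "DNS" or first_value != cn:
        findings.append(f"first SAN is {first_kind}:{first_value}, not DNS:{cn}")
    san_values = {value for _, value in sans}
    for name in server_names:
        if name not in san_values:
            findings.append(f"server name {name} not in SAN")
    return findings
```

Run it against the real output from each cluster member to confirm that all nodes present the same certificate.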