Community Feedback

Reply
Highlighted
Occasional Contributor I

WPA2 Enterprise - MS Windows - Auto connect failing - Clearpass ROOT CA Sha1 issue?

Hi


I'm running WPA2 Enterprise, 2 x controllers covering 2 different regions and 1 x Clearpass. AD Group Policy rolling out WPA2 Enterprise settings. Pre-update of certs we had no issues.

 

I updated the Clearpass and controller certs using different provider than GoDaddy as certs expired. New provider ROOT CA Cert is now - AddTrust External CA Root - using Sha1 signature, the clearpass and controller certs are sha256 & greater. Most of the thumbprints across all certs are sha1 which I beleive is Ok. Signature Sha is important though.

Brand new laptops connecting to secure wifi have zero issues. Existing laptops most have issue auto connecting, you get a prompt advising: "If you expect to find company_secure in this location, go ahead and conenct. Otherwise it may be a different network with the same name. Show certificate details". You can then manually connecting, which must be done on each boot.

 

Checking the cert above at connection time shows the Clearpass thumbprint. The cert is verified by client via the AD GP settings which enforce this "which is what you want". If I disable the check you can obviously auto connect without the prompt.

 

So my question is the clearpass & controller server certs are all Sha256 and greater, the intermediate certs (also loaded to servers) are also sha256 and greater the ROOT CA Cert from AddTrust is Sha1 (also loaded to servers) - ROOT CA cert expires 2020. Does the complete chain (including ROOT CA cert) of loaded certificates on Clearpass need to be sha256 or greater?

 

I mention this as Sha1 was deprecated by Microsoft some years ago and this may be why users with existing laptops get the auto connect prompt. Hacking the laptop registry, deleting windows profile files on C: drive, deleting the wifi adapter and combination of all etc. result in very limited 10% chance of resolution. Not sure why fresh new Windows laptops can connect though. Apple devices have no issues.

 

Some similar info can be found in below link but it's not conclusive from this thread if server certs are Sha256 and greater but ROOT CA is Sha1 if this issue manifests:
https://social.technet.microsoft.com/Forums/ie/en-US/92c22e0e-5365-448b-bb25-22fc66d76eb1/wlan-wpa2-enterprise-certificate-message-no-autoconnect?forum=win10itpronetworking

 

I will escalate to TAC if needed.

 

Regards

 

Tony

Guru Elite

Re: WPA2 Enterprise - MS Windows - Auto connect failing - Clearpass ROOT CA Sha1 issue?

Please start with TAC, while others chime in here.  It could be very complicated.  I would guess that you updated the group policy after you installed the certificate and new certificates get the new settings.  Check that the new group policy gets pushed to the old computers, as well. (gpresult)


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: WPA2 Enterprise - MS Windows - Auto connect failing - Clearpass ROOT CA Sha1 issue?

Hi, Sorry for slow response, been on leave.

 

GP already existed and working with a GoDaddy Root & Server cert for clearpass. We changed to a different provider for specific reasons moving to CSC Corp Domains who provided the new certs with AddTrust as root CA. I deployed the RootCA/Intermediate Certs via GP, although the AddTrust already existed and thus became duplicated on the client. Aruba assisted on adding the server cert, Root and Intermediate CA's onto Clearpass. At that point we had some Windows clients with issues having to manually connect. I could fix it by having clients not check the server Clearpass cert by changing the setting in Group Policy, which as you know eradicated the benefit of using certs and verifying the SSID isn't being spoofed. As suggested I'll pursue this with TAC.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: