MVP Expert

Anyone using clearpass service certificates?

Real soon now we need to replace our radius.york.ac.uk certificate. Not only does it expire but so does the CA chain. As I currently use the CloudPath ExpresConnect ES server to generate client certificates for EAP-TLS eduroam connectivity, I thought I'd use CloudPath to generate a new "radius.york.ac.uk" cert for use on clearpass instead of the public one currently used.


Rather than wait till the existing cert expired I thought I'd try and test stuff using the clearpass service certificate option. So ......

1). Clone our wired 802.1x auth clearpass service and rename

2). Restrict its usage to my test switch by specifying a NAD-IP address

3). Create and upload uoy-radius.york.ac.uk into clearpass, specifying it as a service certificate

4). Edit (1) to add a service certificate of uoy-radius.york.ac.uk

5). Make sure the local root and intermediate CA certs are in my Mac keystore (which they are, as I'm TLS'ing onto the wired network)

6). Force a reauth on my Mac


.....

and the world ends!

In clearpass I get the following, so I'm guessing that the client cannot validate the uoy-radius.york.ac.uk cert


Is anyone using clearpass service certificates for this sort of thing ?


Rgd


Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error

Alerts for this Request
RADIUS

EAP-TLS: warning alert by client - close_notify
TLS Handshake failed in SSL_read with error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
eap-tls: Error in establishing TLS session
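The alert in that log is the client closing the session, which is what a supplicant does when it cannot build a trusted chain for the server certificate it was just sent, or when the certificate's name is not the one it was told to expect. The script below is an added example, not code from the thread or from Aruba/ClearPass: it builds a throwaway root CA, intermediate CA and RADIUS server certificate with openssl (the host name uoy-radius.york.ac.uk is taken from the thread; every key, file and CA name is constructed for the demo) and then runs the two checks a client makes, chain validation against a given trust store and host name matching, so you can reproduce the "local root present" and "local root missing" outcomes before touching a live service.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway local PKI
# (root CA -> intermediate CA -> RADIUS server cert) and checks the server
# cert the way a supplicant does before continuing an EAP-TLS handshake:
# does it chain to a root in the client's trust store, and does its name
# match the server name the client expects? The host name
# uoy-radius.york.ac.uk comes from the thread; every key, file and CA
# here is constructed for the demo and is unrelated to any real PKI.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Create the demo PKI once; repeated calls reuse the files already there.
make_test_pki() {
  if [ -f "$WORK/server.pem" ]; then return 0; fi
  # Local root CA (the one the thread's author imported into the Mac keystore).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo Local Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Intermediate CA signed by the local root; needs CA:TRUE to be usable as an issuer.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Local Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  # RADIUS server cert issued by the intermediate, with serverAuth EKU and a SAN.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=uoy-radius.york.ac.uk" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:uoy-radius.york.ac.uk\n' > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1
  # An unrelated root, standing in for a trust store that lacks the local CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo Unrelated Root CA" -keyout "$WORK/other.key" -out "$WORK/other_root.pem" >/dev/null 2>&1
}

# verify_server_cert TRUST_STORE EXPECTED_NAME
# Returns 0 when server.pem chains to a root in TRUST_STORE and its SAN
# matches EXPECTED_NAME, 1 otherwise. The intermediate is passed as
# -untrusted because, as in a TLS handshake, the server supplies it and the
# client must not treat it as a trust anchor on its own.
verify_server_cert() {
  openssl verify -CAfile "$1" -untrusted "$WORK/int.pem" \
    -verify_hostname "$2" "$WORK/server.pem" >/dev/null 2>&1
}

# Run the three checks and report each outcome on stdout.
demo() {
  make_test_pki
  printf 'local root, expected name     : '
  verify_server_cert "$WORK/root.pem" uoy-radius.york.ac.uk && echo accepted || echo REJECTED
  printf 'unrelated root, expected name : '
  verify_server_cert "$WORK/other_root.pem" uoy-radius.york.ac.uk && echo accepted || echo REJECTED
  printf 'local root, wrong name        : '
  verify_server_cert "$WORK/root.pem" radius.york.ac.uk && echo accepted || echo REJECTED
}

demo
```

Only the first check is accepted: the other two are the two ways a supplicant ends up sending close_notify, either because the root it needs is not in its trust store (the situation step 5 above is meant to rule out) or because the supplicant's configured server name does not match the certificate it received (relevant when the service cert's name differs from the public radius.york.ac.uk one the client was previously set up for).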


Guru Elite

Re: Anyone using clearpass service certificates?

That is definitely a use case for the feature.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: Anyone using clearpass service certificates?

Cool!
Think I've an issue with how I'm configuring the client at the moment
A
MVP Expert

Re: Anyone using clearpass service certificates?

.. and it works

On test switch (ComWare)

client receives a cert of the form cn=uoy-radius.york.ac.uk,....... local CA chain

and performs eap-tls auth

Connecting iMac to Aruba 2930 switch, client receives cert of form radius.york.ac.uk .... public CA chain

and still works ... simples ....


A
