Real soon now we need to replace our radius.york.ac.uk certificate. Not only does it expire but . so does the CA chain. As I currently use the CloudPath ExpresConnect ES server to generate client certificates for EAP-TLS eduroam connectivity I thought I'd use CloudPath to generate a new "radius.york.ac.uk" cert for use on clearpass instead of the public one currently used.
Rather than wait till the existing cert expired I thought I'd try and test stuff using the clearpass service certificate option So ......
1). Clone our wired 802.1x auth clearpass service and rename
2). Restrict its usage to my test switch by specifying a NAD-IP address
3). Create and upload uoy-radius.york.ac.uk into clearpass specifying it as a service certificate
4).Edit (1) to add a service certificate of uoy-radius.york.ac.uk
5). Make sure the local root and intermediate CA certs are in my mac keystore ( which they are as I'm TLS'ing onto the wired network)
6).Force a reauth on my Mac
.....
and the world ends!
In clearpass I get the following, so I'm guessing that the client cannot validate the uoy-radius.york.ac.uk cert
Is anyone using clearpass service certificates for this sort of thing ?
Rgd
| Error Code: | 215 |
| Error Category: | Authentication failure |
| Error Message: | TLS session error |
Alerts for this Request | RADIUS | EAP-TLS: warning alert by client - close_notify
TLS Handshake failed in SSL_read with error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
eap-tls: Error in establishing TLS session |
|