Anyone using clearpass service certificates?

Real soon now we need to replace our certificate. Not only does it expire, but so does the CA chain. As I currently use the Cloudpath ExpressConnect ES server to generate client certificates for EAP-TLS eduroam connectivity, I thought I'd use Cloudpath to generate a new "" cert for use on clearpass instead of the public one currently used.


Rather than wait till the existing cert expired, I thought I'd try and test stuff using the clearpass service certificate option. So ......


1). Clone our wired 802.1x auth clearpass service and rename

2). Restrict its usage to my test switch by specifying a NAD IP address

3). Create and upload into clearpass specifying it as a service certificate

4). Edit (1) to add a service certificate of

5). Make sure the local root and intermediate CA certs are in my Mac keystore (which they are, as I'm TLS'ing onto the wired network)

6). Force a reauth on my Mac



and the world ends!

In clearpass I get the following, so I'm guessing that the client cannot validate the cert.


Is anyone using clearpass service certificates for this sort of thing ?




Error Code:
Error Category: Authentication failure
Error Message: TLS session error

Alerts for this Request

EAP-TLS: warning alert by client - close_notify
TLS Handshake failed in SSL_read with error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
eap-tls: Error in establishing TLS session
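The alerts above (a close_notify sent by the client, then the handshake failing in SSL_read) are what the server side logs when the supplicant rejects the server certificate before the tunnel is up. The two usual reasons are that the supplicant cannot build a path from the service certificate to a root it trusts (an intermediate is missing or the wrong root is installed) or that the certificate is not marked for server authentication. The Go program below is an added example, not code from this thread or from Aruba or Cloudpath; it builds a throwaway lab chain (root, issuing CA, RADIUS server leaf, all names and keys constructed here) and checks the leaf the way a supplicant does, so you can see which of the two mistakes produces which error before touching a production service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain holds a constructed three-tier lab PKI: root -> issuing CA -> RADIUS server leaf.
type chain struct {
	root, inter, server *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mkCert signs tmpl with parentKey (parent == tmpl for a self-signed root) and parses the result.
func mkCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain creates the lab chain. serverEKU is the Extended Key Usage placed on the
// server leaf; a RADIUS/EAP-TLS service certificate needs id-kp-serverAuth.
func buildChain(serverEKU []x509.ExtKeyUsage) chain {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootKey, interKey, srvKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mkCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Lab Issuing CA"},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := mkCert(interTmpl, root, &interKey.PublicKey, rootKey)

	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "radius.lab.example"},
		DNSNames: []string{"radius.lab.example"}, // hypothetical service name
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: serverEKU,
	}
	srv := mkCert(srvTmpl, inter, &srvKey.PublicKey, interKey)
	return chain{root: root, inter: inter, server: srv}
}

// verifyAsSupplicant mimics the check an EAP-TLS supplicant performs on the server
// certificate: build a path to a trusted root and require the serverAuth usage.
// haveIntermediate models whether the issuing CA cert is available to the client
// (either sent by the server in the TLS handshake or present in its trust store).
func verifyAsSupplicant(c chain, haveIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.root)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if haveIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.inter)
	}
	_, err := c.server.Verify(opts)
	return err
}

func main() {
	good := buildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("full chain, serverAuth leaf :", verifyAsSupplicant(good, true))
	fmt.Println("issuing CA not available   :", verifyAsSupplicant(good, false))
	clientOnly := buildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("leaf marked clientAuth only:", verifyAsSupplicant(clientOnly, true))
}
```

The first case returns no error; the second fails with "certificate signed by unknown authority", which is the symptom when the supplicant only has the root and the server does not send the intermediate; the third fails with "incompatible key usage", the symptom of a certificate issued from a client-certificate template being reused as a service certificate. On a real deployment the same checks can be run against the exported service certificate and the CA bundle the client trusts.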



Re: Anyone using clearpass service certificates?

That is definitely a use case for the feature.

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Re: Anyone using clearpass service certificates?

Think I've an issue with how I'm configuring the client at the moment.

Re: Anyone using clearpass service certificates?

.. and it works


On the test switch (Comware):


the client receives a cert of the form ....... local CA chain


and performs eap-tls auth


Connecting the iMac to an Aruba 2930 switch, the client receives a cert of the form .... public CA chain


and still works ... simples ....


