
CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

  • 1.  CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    Posted Jun 24, 2014 07:41 AM

    Tried to onboard an iPad running iOS 7.1 today.

    Installed the root CA, which installed, but the iPad indicates the root CA is untrusted, which kind of defeats the purpose of onboarding.

    Anyone else seen this?

     

    Cheers

    P



  • 2.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    EMPLOYEE
    Posted Jun 24, 2014 07:43 AM
    This is normal. The reason you are installing it is to tell the device to trust it.


  • 3.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    Posted Jun 24, 2014 07:46 AM

    Right

     

    but after it is installed, it still indicates that it is untrusted.

     

    Cheers

    A



  • 4.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    EMPLOYEE
    Posted Jun 24, 2014 07:50 AM
    At what point in the process are you seeing this?


  • 5.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    Posted Jun 24, 2014 08:00 AM

    pre-provisioning - install root CA certificate

    complains, but I verify it is the certificate I created through the CA creation

    then the provision profile and client TLS certificate install

    then reviewing the profiles in the iOS General section

    both indicate untrusted

    EAP-TLS auth fails

    Maybe when I created the CA I selected options not supported by iOS 7.1:

    2048-bit RSA

    SHA-256



  • 6.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    Posted Jun 24, 2014 08:57 AM

    I exported the root CA certs for SHA-256, SHA-224 and SHA-1

    imported to iPad iOS 7.1

    only SHA-1 was trusted

    and the algorithms all indicated SHA-1 regardless of the algorithms used to create the CA

    [Screenshot: alg.JPG]

    SHA-1 root CA

    [Screenshot: trust.JPG]

    SHA-256 and SHA-224 root CA

    [Screenshot: untrust.JPG]

    Funny, browsers support SHA-256 but iOS does not.



  • 7.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    EMPLOYEE
    Posted Jun 24, 2014 09:00 AM

    In your Network settings within ClearPass Onboard, there is a trust tab. Is that set to automatic? On this screen, are there any errors at the top of the screen about iOS and failure for HTTPS onboarding?



  • 8.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    Posted Jun 24, 2014 09:17 AM

    Do you mean the trust tab on the network settings?

     

    I have a 3rd party Radius Certificate.

    The only error is with regards to windows 8.1

     

    and according to the CA, no public CA supports this feature

     

    There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating:
    cppm1mydomain.com: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.
    cppm2mydomain.com: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.
    cppm3.mydomain.com: ClearPass RADIUS server certificate lacks id-kp-eapOverLAN extended key usage. This will prevent Windows 8.1 clients from authenticating.

     

    I have used automatic, and when I saw the untrusted root CA, I tried to manually add the Certs as well.

     

    A
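
    The two certificate properties discussed in this thread, the signature hash algorithm (post 6) and the id-kp-eapOverLAN extended key usage named in the ClearPass warning (post 8), can be checked from a PEM file with the openssl CLI. This is an added example, not part of any post; the function names are hypothetical, the EKU test is a byte search for the DER-encoded OID 1.3.6.1.5.5.7.3.14 (RFC 4334), and the sample certificates are constructed throwaways.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI
# (1.1.1 or later for the -addext option used by make_sample_cert).

# DER encoding of OID 1.3.6.1.5.5.7.3.14 (id-kp-eapOverLAN, RFC 4334).
EAPOL_DER="06 08 2b 06 01 05 05 07 03 0e"

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed if the id-kp-eapOverLAN OID bytes occur in the DER certificate.
# A byte search avoids depending on how a given openssl build names the OID.
cert_has_eapol_eku() {
    openssl x509 -in "$1" -outform DER |
        od -An -v -tx1 | tr '\n' ' ' | tr -s ' ' |
        grep -q "$EAPOL_DER"
}

# One-line summary for a PEM certificate.
audit_cert() {
    if cert_has_eapol_eku "$1"; then eku=yes; else eku=no; fi
    echo "sig=$(cert_sig_alg "$1") eap_over_lan_eku=$eku"
}

# Constructed sample: throwaway self-signed 2048-bit RSA certificate.
# $1 = output PEM path, $2 = digest (e.g. sha256), $3 = optional EKU list.
make_sample_cert() {
    out=$1; digest=$2; eku=$3
    set -- -x509 -newkey rsa:2048 -nodes "-$digest" -days 1 \
        -subj "/CN=constructed.example" -keyout "$out.key" -out "$out"
    [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage=$eku"
    openssl req "$@" 2>/dev/null
}

# Usage: sh audit.sh radius-server.pem
if [ "$#" -gt 0 ]; then audit_cert "$1"; fi
```

    Run it against the exported root CA to confirm which hash actually signed it, and against the RADIUS server certificate to see whether the EKU from the warning is present.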



  • 9.  RE: CPPM 6.3.3 Onboarding IOS 7.1 Root CA untrusted

    Posted Jul 22, 2014 04:13 PM
    Seth, any workaround for people with 3rd party RADIUS certificates? Am I going to have to re-onboard all of my devices now? I have to use a self-signed RADIUS cert as opposed to a 3rd party, correct?