Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 802.1x template unknown_CA

  • 1.  Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:01 AM

    Hi Guys,

    I am a little confused about how this works.

    I have a controller and ClearPass. I created a service from the Aruba 802.1X template and it is working with the local user database for tests.

    Works OK with iOS and Android.

    When we get to Windows it fails to connect, saying in the tracker: EAP-PEAP - fatal alert by client unknown_ca

    I see that I don't have a CA on the Windows network. Is it possible to use one in ClearPass?

    If not, what should I do? Disable certificates on 802.1X?

    Sorry, but I am not used to CPass.

    Regards

    Attachment: unknown_CA.docx (2.15 MB)


  • 2.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 04, 2015 11:04 AM
    That's likely because it's using the self-signed certificate that comes out of the box.

    Do you have an Aruba partner? There is a bit of planning around certs and authentication methods that should happen before you deploy.


  • 3.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 11:31 AM

    I am the installer.

    Not the client. We had already installed some with AD and the clients had certificates.

    This client does not have a CA on the Windows server, so for this I am a little confused on planning.

    Do I need a CA? Can't we just not use the ClearPass certificate?

    Regards



  • 4.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 04, 2015 11:35 AM

    Beconnect,

    What are you trying to configure?

    Is it EAP-PEAP or TLS?

    Did you install a server certificate on ClearPass?

    Did you also install the CA that issued the certificate in ClearPass's trust list?

    Does the Windows client have "Validate Server Certificate" enabled?



  • 5.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 04, 2015 11:42 AM

    Here are your options:

    If you're supporting BYOD devices without Onboard, you'll need to get a publicly signed certificate.

    If you're supporting only managed clients (Group Policy or Profile Manager/MDM), then you can use a self-signed certificate.

    If you're using Onboarding for ALL users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.

    If you're using Onboarding for ALL users and doing dual SSID onboard, you can use a self-signed or private RADIUS server cert, but you need a public web server certificate.

    If you're using Onboarding for some users, and doing single SSID onboard, you'll need a publicly signed RADIUS and web certificate.

    If you're using Onboarding for some users, and doing dual SSID onboard, you'll need a publicly signed RADIUS and web certificate.



  • 6.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:33 PM

    Hi guys,

    Not using Onboard.. no licenses for that.

    Just ClearPass Policy Manager.

    The only thing that I have done was the integration of ClearPass with Aruba via the Aruba technote v1.3 integration (attached).

    What I see is that, upon the creation of the service, I suppose no certificate was installed.

    Should I install one? Is it possible?

    BYOD is working OK connected via 802.1X and certificate.. Windows not.

    I only configured the service template on ClearPass and configured the controller reading the technote.

    Regards



  • 7.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 04, 2015 12:34 PM

    Yes, you should get a publicly signed SSL certificate.



  • 8.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 04, 2015 12:35 PM

    If you are just testing, uncheck "Validate Server Certificate" on your Windows machine.  Otherwise you should get a public certificate for your server and upload the CA from that public certificate to the trusted list.



  • 9.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 04, 2015 12:40 PM

    Guys,

    So I should buy a public certificate?

    Install on Windows server and upload to the trust list of ClearPass? I am not using LDAP authentication, why do I need the server certificate?

    Attached is the config of the ClearPass service.

    Sorry for being so dumb on this.

    Regards



  • 10.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 04, 2015 12:41 PM

    You would do a CSR on ClearPass. Purchase the SSL certificate and upload it to ClearPass as the RADIUS server certificate. You don't need to do anything on a Windows server.

    Take a look at this slide deck: http://community.arubanetworks.com/t5/Americas-Airheads-Conference/Breakout-Real-world-802-1X-Deployment-Challenges/gpm-p/129211



  • 11.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 10:59 AM

    Hi Guys

    So we need to buy a certificate, even though we are not connecting 802.1X to AD.. Correct?

    The alternative, that is, disabling the validation on all Windows clients, is not secure for us or the client.

    To buy it, should it be like this certificate? http://comodo.redalia.es/positivessl/

    Buy and then import to ClearPass, correct?

    Regards



  • 12.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 07, 2015 11:01 AM

    Yes, that cert will work.



  • 13.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 07, 2015 11:12 AM

    @cappalli wrote: "Yes, that cert will work."

    Hi,

    Do you know of a free certificate for testing purposes?

    Regards



  • 16.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:12 AM

    Hi,

    I am going to issue a free certificate with Comodo for testing purposes (90 days).

    Since I have not yet integrated ClearPass with AD, and for a free certificate we need a domain name, what should I do?

    The domain at the client internally is xx.local, which is not accepted for free SSL certificates.

    Could I use the external xx.pt for issuing the certificate? Is it going to work for tests?

    Thanks

    Regards



  • 17.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 11, 2015 08:20 AM
    For RADIUS, you can use any DNS name that you want.

    If you'd like this cert to also be used for the web GUI of ClearPass, then it should match the DNS name of ClearPass.



  • 18.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:25 AM

    OK

    Thanks. So if I join ClearPass to AD for later AD authentication purposes, can we use any DNS name on the certificate, or should it match the .local domain (clearpass.xx.local)?

    Regards



  • 19.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 11, 2015 08:33 AM
    Well, you'll want to access GUI via a real domain name or you'll get a certificate error. Not a huge deal for admin use but if you end up using guest, you'll need to use a real DNS entry.



  • 20.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 08:47 AM

    Always better to use a real name, I agree.

    My only doubt was because free SSL does not accept .local.

    I assume that if I buy the certificate, .local is fine.

    Thanks



  • 21.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 11, 2015 01:24 PM
    Public CAs will only issue certificates to real domain names that you have proved that you own.


  • 22.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 11, 2015 02:36 PM

    Bruno,

    Did you take a read of my CPPM PKI TechNote? A lot of the questions you have are covered in there, plus a lot more..!!

    CPPM - Certificates 101 Technote V1.2.pdf



  • 23.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 17, 2015 06:26 AM

    Hi team,

    I have the certificate files (*.crt). I need to import them to ClearPass but I did not see any private key file.

    How can I import this?

    Regards



  • 24.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 17, 2015 06:27 AM

    If you did a Cert Request on Clearpass, you would have already downloaded the private key file as part of that...

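    The checks a practitioner would run on the .crt files and the key before uploading them as the ClearPass RADIUS server certificate, as an added example that is not part of this thread: it assumes the openssl CLI is installed, and it builds a constructed test CA and server certificate in a temporary directory so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-import sanity checks for a RADIUS
# server certificate: does the private key belong to the cert, and does the
# cert chain up to the CA you will put in the ClearPass trust list?
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI (demo only): a private root CA and a server cert it
# issued. In real use these come from your CSR and the public CA's reply.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
  -keyout ca.key -out ca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=clearpass.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -out server.crt 2>/dev/null
# An unrelated key, to show a mismatch being caught (the "no private key
# file" situation: a .crt alone is useless without the key from the CSR).
openssl genrsa -out wrong.key 2048 2>/dev/null

# Compare the public key inside the certificate with the one derived from
# the private key; they must be identical for the pair to be usable.
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl md5)
  [ "$a" = "$b" ]
}

# Verify the server cert against the CA bundle you intend to trust; if this
# fails here, clients validating the server certificate will fail too.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches_cert server.crt server.key && echo "server.key matches server.crt"
key_matches_cert server.crt wrong.key  || echo "wrong.key does NOT match server.crt"
chain_verifies ca.crt server.crt       && echo "server.crt verifies against ca.crt"
```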

  • 25.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 17, 2015 06:35 AM

    Please take a look at the Certificate Technote that Danny wrote and mentioned here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184


  • 26.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 21, 2015 07:38 AM

    Hi

    First let me address you guys and thank you for your support in this matter. I was not familiar with certificates and now I have more knowledge on that..

    Certificate finally OK, tested with a local user on the machine and with local SQL DB authentication.

    But when I try to connect to the 802.1X WLAN with an AD user logged in, the client is using the AD credentials to try to connect.. Normal behaviour for me..

    On an AD computer logged in with an AD user, is it possible to log in to the WLAN using a local user created in ClearPass?

    I know that in the near future we are going to connect against the AD repository..

    Regards



  • 27.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Dec 21, 2015 07:52 AM
    You would need to uncheck "Use Windows credentials" in the Protected EAP settings on the client.



  • 28.  RE: Clearpass 802.1x template unknown_CA

    Posted Dec 21, 2015 07:57 AM

    Ok.

    So if we have 50 users we need to change that on each client (one time only, correct)?

    Or do the login with the AD source.

    Thanks



  • 29.  RE: Clearpass 802.1x template unknown_CA
    Best Answer

    EMPLOYEE
    Posted Dec 21, 2015 07:59 AM
    It's a client setting. You could also change it via group policy.



  • 30.  RE: Clearpass 802.1x template unknown_CA

    Posted Oct 24, 2017 03:19 AM

    Hi Sir,

    Just a question: what is the use of the Root CA created on Onboard if we will purchase a publicly signed RADIUS and Web certificate for BYOD Onboard single SSID?

    Sorry, I am new on ClearPass. Thank you in advance.



  • 31.  RE: Clearpass 802.1x template unknown_CA

    EMPLOYEE
    Posted Oct 24, 2017 07:49 AM
    The Onboard CA signs client certificates. The HTTPS and EAP certificates are server certificates.