Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

  • 1.  Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 02:34 PM

    Hey guys, I just migrated our RADIUS from an NPS server to ClearPass and I'm having some weird certificate issues. We purchased an SSL certificate from Symantec and I created a .pem and imported the intermediate and root CA. We have a cluster with a vIP so all 3 hostnames are in the certificate via SANs. When I look at the certificate it looks great, and everything works except OSX clients get a prompt to verify the certificate every time you connect. iOS, Android and Windows machines connect no problem.

     

    If you click continue it lets you connect, but it's kind of annoying to have to do every time. Not sure why I would have this issue with a commercial cert. If you click Show Certificate there is a checkbox that says "always trust" but it still prompts every time.

     

    Any Ideas? 

     



  • 2.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    EMPLOYEE
    Posted Mar 30, 2015 02:37 PM

    This is a normal process during an EAP-PEAP authentication. The only way to get around this is to preconfigure clients either manually or with a tool like QuickConnect.

     

    You only have to accept the certificate once per SSID (or if you are using different certificates on each RADIUS server, once per RADIUS server).

     

    There are many posts on this topic.



  • 3.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 03:06 PM

    The problem is that OSX clients are getting prompted and have to click continue every time they connect. No other clients seem to have this problem and I've deployed CPPM for several other customers and don't remember ever having this problem.



  • 4.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    EMPLOYEE
    Posted Mar 30, 2015 03:08 PM

    Are the users being prompted for their local account credentials after clicking accept?

     

    What version of OS X?

     

    What is the root CA?

     

    Is it the same root CA that signed your NPS cert?



  • 5.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 03:12 PM

    I'm not sure about the OS Versions but I am on 10.10.2 Yosemite and I experience the "verify certificate" prompt issue. 

     

    The first time I connected it asked for local credentials to add the cert to the keychain and there is a checkbox for "always trust". That was all expected; however, now every time I connect it asks to verify the certificate, and if I click continue it lets me connect no problem. I'm worried about this prompt causing some confusion with our customer and I can't figure out why I'm getting this behavior.


    The root CA, I think, used to be VeriSign and now it's Symantec, so not signed by the same company, but sorta, since they purchased them. If that makes sense? I imported the one that VeriSign suggested when I got the cert.





  • 6.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 03:22 PM
    That is strange as I would expect the root cert would already be trusted in the System Keychain. I'll ask my Mac support guy the next time I see him and see if I can find something out.


  • 7.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    EMPLOYEE
    Posted Mar 30, 2015 03:30 PM
    That root CA is included with OS X.



    After clicking accept and connecting, can you check the Keychain and see if the RADIUS cert is listed and trusted?


  • 8.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 03:51 PM

    Yes, the cert is showing up in my keychain and is set to always trust.



  • 9.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Apr 01, 2015 05:23 PM

    Extension: BasicConstraint (critical)

    CA:FALSE

    Server certificates need to be marked as not being a CA. Omitting the BasicConstraint:CA totally is known to cause certificate validation to fail; setting it to TRUE is a security issue in itself. Always set the BasicConstraint "CA" to false, and mark the extension as critical.

     

    A co-worker found this in the certificate we migrated to, not sure about a fix yet.
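    As an added example (not code from this thread or from ClearPass), the script below builds a self-signed EAP/RADIUS server certificate with the extension settings the quoted guidance calls for and then checks any PEM certificate for the basicConstraints defects it names. It assumes the openssl CLI is installed; the cluster hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearPass: builds a
# self-signed EAP/RADIUS server certificate with the extension settings the
# quoted guidance calls for (critical basicConstraints CA:FALSE, serverAuth
# EKU, one SAN per cluster hostname) and checks any PEM certificate for the
# basicConstraints defects it names. Assumes the openssl CLI is installed;
# hostnames are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_cert OUT_PEM CN "DNS:a,DNS:b" "critical, CA:FALSE"
# An empty 4th argument omits basicConstraints (the first defect named).
make_cert() {
  out="$1"; cn="$2"; sans="$3"; bc="$4"
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$cn"
    printf '[srv]\nkeyUsage = critical, digitalSignature, keyEncipherment\n'
    printf 'extendedKeyUsage = serverAuth\nsubjectAltName = %s\n' "$sans"
    if [ -n "$bc" ]; then printf 'basicConstraints = %s\n' "$bc"; fi
  } > "$WORK/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/$(basename "$out" .pem).key" -out "$out" \
    -config "$WORK/req.cnf" -extensions srv >/dev/null 2>&1
}

# check_cert PEM: prints "ok" (returns 0) or the defect found (returns 1).
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  case "$txt" in
    *"Basic Constraints: critical"*"CA:FALSE"*)
      echo ok; return 0 ;;
    *"CA:TRUE"*)
      echo "CA:TRUE on a server certificate"; return 1 ;;
    *"Basic Constraints"*)
      echo "basicConstraints present but not critical"; return 1 ;;
    *)
      echo "basicConstraints missing"; return 1 ;;
  esac
}

# Cluster vIP plus both node names, as the original poster describes.
make_cert "$WORK/cppm.pem" cppm-vip.example.test \
  "DNS:cppm-vip.example.test,DNS:cppm-1.example.test,DNS:cppm-2.example.test" \
  "critical, CA:FALSE"
check_cert "$WORK/cppm.pem"
```

    Point check_cert at the PEM exported from CPPM to confirm the migrated certificate carries a critical CA:FALSE basicConstraints before rolling it out to clients.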



  • 10.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 03:05 PM

    Robert,

     

    Are you using Onboard, and are you doing it for corporate-owned devices or guest devices or both? 

     

    Swack



  • 11.  RE: Commercial Cert on CPPM, OSX Clients asking to Verify Certificate Everytime

    Posted Mar 30, 2015 03:09 PM

    This network is BYOD supported so some devices are managed and some are not. The configuration is pretty close to how NPS was set up, just with a new certificate. With NPS we never got prompted after the first connection.