Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
EAP-TLS on polycom phone

  • 1.  EAP-TLS on polycom phone

    Posted Feb 11, 2020 02:02 PM

    Hello,

    I'm in the middle of testing a deployment of dot1x. It works fine for my windows clients, but when I tried to authenticate a polycom phone, I was getting the following message:

    EAP-TLS: fatal alert by client - unknown_ca
    TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    eap-tls: Error in establishing TLS session


    I confirmed that the certificate it has is trusted by the CA. The thumbprint and serial number match, and I can see it's trusted when I import the cert anywhere else. Any suggestions on where to check into this?



  • 2.  RE: EAP-TLS on polycom phone

    EMPLOYEE
    Posted Feb 11, 2020 02:07 PM

    [Correction]

    Looks like the client (Polycom) is not trusting the server cert. Is the server cert signed by a public CA? If not, it should be public and something that Polycom trusts, or you need to remove server cert validation in the 802.1X configuration.



  • 3.  RE: EAP-TLS on polycom phone

    Posted Feb 11, 2020 02:23 PM

    It should trust the CA. I installed it via SCEP (MSCEP/NDES), and I can see that it has the CA cert installed and it recognizes the certificate as a signed CA cert.

    Furthermore, ADCS lists it as trusted in its chain. Is it not transmitting it?



  • 4.  RE: EAP-TLS on polycom phone

    EMPLOYEE
    Posted Feb 11, 2020 02:40 PM

    A pcap from ClearPass, taken while the authentication is happening, would help to see if the transmission is failing or if it is a trust problem.



  • 5.  RE: EAP-TLS on polycom phone

    Posted Feb 11, 2020 03:04 PM

    It's definitely sending the certificate. I am getting logs on the CPPM side, and I can see RADIUS requests coming in on the pcap.



  • 6.  RE: EAP-TLS on polycom phone

    Posted Feb 11, 2020 03:07 PM

    Did you import the Root CA in the ClearPass trust list?



    Thank you

    Victor Fabian


  • 7.  RE: EAP-TLS on polycom phone

    Posted Feb 11, 2020 03:08 PM

    Yes, I did. I am using this CA already for EAP-TLS in my wireless solution with no issues.



  • 8.  RE: EAP-TLS on polycom phone

    EMPLOYEE
    Posted Feb 11, 2020 04:44 PM

    Could you please share the capture? Something is missing here.



  • 9.  RE: EAP-TLS on polycom phone
    Best Answer

    EMPLOYEE
    Posted Feb 12, 2020 03:59 AM

    The message: "fatal alert by client - unknown_ca" is 100% clear: the client does not trust the root CA for the RADIUS EAP Certificate that is presented.

    Such an issue has to be solved in the client. I would double-check the phone configuration, and verify that ClearPass is actually using the certificate signed by the CA that is trusted by the phone. You may be lucky and get additional logs/info in the phone; but at the moment the phone is not trusting the cert that is sent by ClearPass.
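Decoding the OpenSSL error code from the log line in the question, as an added example that is not part of the thread: the low 12 bits of 14094418 are 0x418 = 1048, which is 1000 plus TLS alert 48 (unknown_ca), and because ClearPass reports the alert as raised by the client, the trust store that needs fixing is the phone's. The alert table and the "check" text are my own mapping, not ClearPass output.

```python
import re
from typing import Optional

# OpenSSL (1.0.x/1.1.x) error code layout: bits 24-31 library,
# bits 12-23 function, bits 0-11 reason.
ERR_LIB_SSL = 20
# Reasons >= 1000 mean "the peer sent TLS alert (reason - 1000)".
SSL_AD_REASON_OFFSET = 1000

# TLS alert descriptions (RFC 5246 sec. 7.2, RFC 8446 sec. 6) that show up
# when certificate validation fails inside an EAP-TLS handshake.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    116: "certificate_required",
}

# Who raised the alert decides which trust store is broken (own mapping).
WHO_TO_CHECK = {
    "client": "client's trust store lacks the issuer of the RADIUS server (EAP) certificate",
    "server": "RADIUS server's trust list lacks the issuer of the client certificate",
}

CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(code: int) -> dict:
    """Split an OpenSSL error code into its fields and recover the TLS alert number."""
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
            "reason": reason, "alert": alert,
            "alert_name": TLS_ALERTS.get(alert, "other") if alert is not None else None}

def diagnose(log_text: str) -> Optional[dict]:
    """Find the OpenSSL code in ClearPass EAP-TLS log text and say which side to fix."""
    m = CODE_RE.search(log_text)
    if not m:
        return None
    info = decode_openssl_error(int(m.group(1), 16))
    if info["lib"] != ERR_LIB_SSL or info["alert"] is None:
        return None  # not a "peer sent alert" error; needs a different diagnosis
    # ClearPass names the side that raised the alert ("fatal alert by client").
    info["sent_by"] = "client" if "alert by client" in log_text else "server"
    info["check"] = WHO_TO_CHECK[info["sent_by"]]
    return info

# The log lines quoted in the question above.
CLEARPASS_LOG = """EAP-TLS: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session"""

if __name__ == "__main__":
    print(diagnose(CLEARPASS_LOG))
```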