Occasional Contributor II

EAP-TLS on polycom phone

Hello,

 

I'm in the middle of testing a deployment of dot1x. It works fine for my Windows clients, but when I tried to authenticate a Polycom phone, I was getting the following message:

 

EAP-TLS: fatal alert by client - unknown_ca
TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
eap-tls: Error in establishing TLS session

 

 

I confirmed that the certificate it has is trusted by the CA. The thumbprint and serial number match and I can see it's trusted when I import the cert anywhere else. Any suggestions on where to check into this?


Accepted Solutions
MVP Guru

Re: EAP-TLS on polycom phone

The message: "fatal alert by client - unknown_ca" is 100% clear: the client does not trust the root CA for the RADIUS EAP Certificate that is presented.

 

Such an issue has to be solved in the client. I would double-check the phone configuration, and verify that ClearPass is actually using the certificate signed by the CA that is trusted by the phone. You may be lucky and get additional logs/info in the phone; but at the moment the phone is not trusting the cert that is sent by ClearPass.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
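
The reading of the log given in this answer can be checked mechanically. The following is an added example, not code from the thread or from ClearPass: it unpacks the OpenSSL error code in the quoted log and reports which side sent the alert. It assumes the legacy OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason), which matches the 8-digit code in the log; `triage`, `decode_openssl_error` and the "by server" log wording are hypothetical.

```python
import re

# Certificate-related TLS alert numbers (RFC 5246, section 7.2).
TLS_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
ERR_LIB_SSL = 20             # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the peer sent the alert

# The three log lines quoted in the question.
PAGE_LOG = [
    "EAP-TLS: fatal alert by client - unknown_ca",
    "TLS Handshake failed in SSL_read with error:14094418:SSL routines:"
    "ssl3_read_bytes:tlsv1 alert unknown ca",
    "eap-tls: Error in establishing TLS session",
]

def decode_openssl_error(hex_code):
    """Unpack a legacy 32-bit OpenSSL error code into (lib, func, reason)."""
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(lines):
    """Report which side sent the alert and whose trust store to inspect."""
    sender, alert = None, None
    for line in lines:
        m = re.search(r"fatal alert by (client|server)", line)
        if m:
            sender = m.group(1)
        m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
        if m:
            lib, _func, reason = decode_openssl_error(m.group(1))
            if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
                alert = reason - SSL_AD_REASON_OFFSET
    name = TLS_ALERTS.get(alert)
    if name is None:
        check = "no certificate alert found; capture the handshake"
    elif sender == "client":  # supplicant rejected the RADIUS server's EAP certificate
        check = "client trust store and the chain the RADIUS server sends"
    elif sender == "server":  # assumed wording for the opposite direction
        check = "RADIUS server trust list and the client certificate chain"
    else:
        check = "certificate alert seen, but the sending side was not logged"
    return {"sender": sender, "alert": alert, "name": name, "check": check}

print(triage(PAGE_LOG))
```

For the log in the question, the result points at the phone's trust store and the chain ClearPass presents, not at the ClearPass trust list.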



All Replies

Re: EAP-TLS on polycom phone

[Correction]

 

Looks like the client (Polycom) is not trusting the server cert. Is the server cert signed by a public CA? If not, it should be public and something that Polycom trusts, or you need to remove server cert validation in the 802.1x configuration.

 

 

-If you got what you need with my answer please give kudos and mark it as solution.
Occasional Contributor II

Re: EAP-TLS on polycom phone

It should trust the CA. I installed it via SCEP (MSCEP/NDES) and I can see that it has the CA cert installed and it recognizes the certificate as a signed CA cert. 

 

Furthermore, the ADCS lists it as trusted in its chain. Is it not transmitting it?


Re: EAP-TLS on polycom phone

A pcap from ClearPass while the authentication is happening would help to see if the transmission is failing or not trusting.

 

Occasional Contributor II

Re: EAP-TLS on polycom phone

It's definitely sending the certificate. I am getting logs on the CPPM side and I can see RADIUS requests coming in on the PCAP.

MVP Expert

Re: EAP-TLS on polycom phone

Did you import the RootCA in the ClearPass trust list?



Thank you

Victor Fabian

Pardon typos sent from Mobile
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: EAP-TLS on polycom phone

Yes I did. I am using this CA already for EAP-TLS in my wireless solution with no issues. 


Re: EAP-TLS on polycom phone

Could you please share the capture? Something is missing here.

 

 
