Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

  • 1.  iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

    Posted Nov 27, 2017 11:38 PM

    I have been following the video tutorials provided by Herman and I have been able to get my ClearPass to where it will authenticate both PEAP and TLS Windows AD clients without any issue.

    I have moved on to the onboarding and again followed the videos and have been able to successfully onboard a Windows client.

    When I try to authenticate an iOS or OS X device I get an issue about certificates.

    I am using a CP hosted root CA.

    From what I can see from the profile, the certificates are passed and enabled for trust; they just don't connect.

    In the logs I get an error about 'TLS_accept:error in SSLv3 read client key exchange A'.

    I am not sure what is different. When I search on the error a lot of sites indicate that it is an issue with the client not trusting the root CA certificate, but from what I can see the certificate is installed as a trusted root CA.

    Any advice on how to troubleshoot this?

    Thanks

    Attachment(s): WindowsOnboard.zip (7 KB), IOSOnboard.zip (7 KB)


  • 2.  RE: iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

    EMPLOYEE
    Posted Nov 28, 2017 12:04 AM
    Is your EAP server certificate SHA-2?


  • 3.  RE: iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

    Posted Nov 28, 2017 12:14 AM

    The CA root server is SHA512 and the client certificates generated from it are SHA512 as well, with a 2048-bit key.

    The RADIUS client certificate is SHA1 with a 2048-bit key.

    I have attached an example cert.

    Attachment(s): byot.test.zip (1 KB)


  • 4.  RE: iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

    EMPLOYEE
    Posted Nov 28, 2017 12:18 AM
    Your EAP server certificate needs to be SHA-2 or higher.


  • 5.  RE: iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

    Posted Nov 28, 2017 06:07 AM

    Hi Seic,

    I think you're doing lab testing with the ClearPass Onboard feature, so using SHA-512 is not really an issue. If you plan to implement Onboard in a production environment, using SHA-512 for each client cert may cause serious performance issues. I would go for SHA-256 instead.

    Thank you,

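The replies above turn on the signature algorithm of the EAP server certificate: the RADIUS certificate in this thread is SHA-1 signed, the employee's advice is that it must be SHA-2, and the later reply weighs SHA-256 against SHA-512 for client certificates. The following is an added example, not code from the thread or from ClearPass, that reports the signature algorithm of a DER or PEM certificate using only the Python standard library, so an administrator can check a RADIUS server certificate (or the Onboard client certificates) before troubleshooting trust settings on the client. The `sample_certificate` helper builds a constructed certificate skeleton with a placeholder body and signature purely so the script runs offline; point it at real certificate files on the command line instead.

```python
"""Report the signature algorithm of X.509 certificates (DER or PEM) without third-party libraries."""
import base64
import sys

# Dotted OIDs -> names for the signature algorithms commonly seen on TLS/EAP certificates.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag, content, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) into dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            if not arcs:  # first octet packs the first two arcs as 40*x + y
                first = 2 if value >= 80 else value // 40
                arcs.extend((first, value - 40 * first))
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (dotted OID, name) of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this PEM? use load_certificate)")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = _decode_oid(oid)
    return dotted, SIG_ALG_NAMES.get(dotted, "unknown")


def assess_eap_server_cert(der):
    """'reject' for SHA-1 signatures (what Apple clients refuse here), 'ok' for SHA-2, else 'unknown'."""
    _, name = signature_algorithm(der)
    if name == "unknown":
        return "unknown"
    return "reject" if "sha1" in name.lower() else "ok"


def load_certificate(path):
    """Read a certificate file; accepts raw DER or PEM (base64 between BEGIN/END lines)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [ln for ln in data.decode().splitlines() if ln and not ln.startswith("-----")]
        data = base64.b64decode("".join(body))
    return data


def _der(tag, content):
    """Minimal DER TLV encoder (used only to build the constructed sample below)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return _der(0x06, bytes(body))


def sample_certificate(sig_oid):
    """CONSTRUCTED skeleton: correct outer layout, placeholder tbsCertificate and signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                   # stand-in tbsCertificate
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")    # AlgorithmIdentifier with NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 256)               # BIT STRING sized like a 2048-bit signature
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    certs = [load_certificate(p) for p in sys.argv[1:]] or [
        sample_certificate("1.2.840.113549.1.1.5"),   # SHA-1, as on the thread's RADIUS cert
        sample_certificate("1.2.840.113549.1.1.11"),  # SHA-256, the recommended replacement
    ]
    for der in certs:
        oid, name = signature_algorithm(der)
        print(f"{name} ({oid}): {assess_eap_server_cert(der)}")
```

Run it as `python check_sig_alg.py radius-server.crt client.p12.crt` (file names are placeholders); with no arguments it runs on the constructed samples. Only the certificate's own signature algorithm is inspected, which is the field Apple's supplicant objects to in this thread; key size and the chain above it are separate checks.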


  • 6.  RE: iOS/OS X Onboard Error, failed in SSLv3 read client certificate A

    Posted Jan 14, 2018 10:19 AM

    Hi, I have the same question. Can you tell me the solution?