Contributor I

Onboard 215 errors

I’m having problems with getting Onboard to work in a two Clearpass cluster with publicly signed certs installed for both RADIUS and https.

I’m trying to use Onboard as the root CA.


After provisioning, when the client tries to connect I get this error in Access Tracker:


Error Code: 215

Error Category: Authentication failure

Error Message: TLS session error

 Alerts for this Request 

RADIUS            Certificate Status unknown, Reason (UNKNOWN)

EAP-TLS: fatal alert by server - internal_error

TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

eap-tls: Error in establishing TLS session


Is this a clue?

My Clearpass server is joined to an AD domain ending in “.local” but the public cert, obviously, does not have this ‘local’ address. Therefore the hostname and FQDN of the clearpass server match what’s in AD, not what’s on the public cert.


Both the and clearpass.local have entries in the internal DNS server that the client uses. Clients do not get browser errors when browsing to


Does the FQDN set in Clearpass and the public certificate name need to match? I’m hoping the answer to that is “no.”


Any other ways to track down the reason for the 215 errors?


Thank you.






Contributor I

Re: Onboard 215 errors

Once again, problem discovered soon after posting to the world... :-)


The template used to create the services added [EAP-TLS with OCSP Enabled] as an authentication method.

For some reason, that method had a hard-coded OCSP URL in it (did I do that, or does it come that way?)


Anyway, making a new Authentication method of EAP TLS with OCSP with no OCSP URL override has things working.


Thank you!
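
An added example, not part of either post and not ClearPass code: a small triage script that reads the Access Tracker alert lines quoted above and reports which side rejected which certificate. The packed error-code layout is that of OpenSSL 1.0/1.1; reading "Certificate Status unknown" as the revocation (OCSP) result is an assumption taken from the resolution in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the alert lines quoted in the first post of this thread.
ALERTS = """\
RADIUS            Certificate Status unknown, Reason (UNKNOWN)
EAP-TLS: fatal alert by server - internal_error
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
"""

OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")
CERT_STATUS = re.compile(r"Certificate Status (\w+), Reason \((\w+)\)")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0/1.1 error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(alert_text):
    """Report which side verified which certificate and the revocation status."""
    findings = {"verifier": None, "revocation_status": None,
                "openssl": None, "hints": []}
    for line in alert_text.splitlines():
        m = OPENSSL_ERR.search(line)
        if m:
            lib, func, reason = decode_openssl_error(m.group(1))
            findings["openssl"] = {"lib": lib, "func": func, "reason": reason,
                                   "text": m.group(4).strip()}
            # ssl3_get_client_certificate runs on the TLS server, so it was the
            # RADIUS server that rejected the certificate the client presented.
            if m.group(3) == "ssl3_get_client_certificate":
                findings["verifier"] = "server"
                findings["hints"].append(
                    "server rejected the client certificate; the server "
                    "certificate name is not what this error reports")
        m = CERT_STATUS.search(line)
        if m:
            findings["revocation_status"] = m.group(1).lower()
            if findings["revocation_status"] == "unknown":
                # Assumption from this thread: status comes from the OCSP check.
                findings["hints"].append(
                    "revocation status unknown: check the OCSP URL configured "
                    "on the EAP-TLS authentication method")
    return findings


if __name__ == "__main__":
    for hint in triage(ALERTS)["hints"]:
        print("-", hint)
```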

