Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Some users cannot connect after updating certificates in Clearpass

  • 1.  Some users cannot connect after updating certificates in Clearpass

    Posted Oct 02, 2017 04:50 AM

    We are using an Aruba controller and ClearPass, but after updating the certificates in ClearPass some users cannot authenticate and get a timeout error in Access Tracker. In show auth tracebuf it shows that ClearPass is asking for credentials but the user is not responding; that's why the error is always a timeout in Access Tracker. The ClearPass version is 6.6.5.

    How can we fix this issue?



  • 2.  RE: Some users cannot connect after updating certificates in Clearpass

    EMPLOYEE
    Posted Oct 02, 2017 04:53 AM

    What type of users? Domain machines, iPhone, Android...?

    What is the authentication, PEAP or TLS?

     



  • 3.  RE: Some users cannot connect after updating certificates in Clearpass

    Posted Oct 02, 2017 05:27 AM

    Hi Micheal,

    Windows 10 domain-joined machines using PEAP are experiencing the problem, but not all Windows 10 machines. It's working on Android phones and iPhones, where we just need to forget the SSID and connect again, but some Windows laptops cannot connect even if we have already manually installed the certificate. The behavior in Windows 10 is that when you click Connect it just keeps loading, and in ClearPass it's just a timeout. Even if they use machine authentication, it's still a timeout in ClearPass. I've read an article from Microsoft; I don't know if this still applies. https://support.microsoft.com/en-us/kb/3121002



  • 4.  RE: Some users cannot connect after updating certificates in Clearpass

    EMPLOYEE
    Posted Oct 02, 2017 05:49 AM

    What certificates did you change? Do your Windows 10 clients have "Validate Server Certificate" enabled? Do they also have specific CAs and a specific server specified on the client that they would connect to?

     

    Mobile devices are much more accepting and allow the end-user to pretty much accept any mismatch or error, while Windows 10 enforces administrator policies. The biggest problem with Windows 10 and changing a server certificate is that the client devices need to have that server certificate and the CA that issued the server certificate in their trusted store prior to the certificates being put onto the ClearPass server. You did not give us specific information about what certificates you changed. You should open a case with Aruba TAC for more specific help since this could effectively cause an outage in your network.



  • 5.  RE: Some users cannot connect after updating certificates in Clearpass

    Posted Oct 02, 2017 06:05 AM

    Hi Colin,

    I've worked with Aruba TAC on changing the certificates, and it was escalated to Aruba ERT when some users were experiencing issues; they said that the end users need to run Windows Update. I'm trying to find other resolutions; that's why I raised it here. BTW, both the RADIUS cert and the HTTPS cert were changed. Thanks



  • 6.  RE: Some users cannot connect after updating certificates in Clearpass

    EMPLOYEE
    Posted Oct 02, 2017 09:50 AM

    Please post information about your EAP server certificate.

    Public CA-signed? Internal CA-signed? Self-signed?

    Standard, wildcard, EV?



  • 7.  RE: Some users cannot connect after updating certificates in Clearpass

    Posted Oct 02, 2017 06:20 PM
    Hi Tim,
    The certificates are self-signed from ClearPass and it's only happening to some users. Aruba ERT advised us to update Windows and we're still waiting for the update to finish.


  • 8.  RE: Some users cannot connect after updating certificates in Clearpass

    EMPLOYEE
    Posted Oct 02, 2017 06:23 PM
    That's likely the issue. You should not use a self-signed certificate as the EAP server certificate.


  • 9.  RE: Some users cannot connect after updating certificates in Clearpass

    Posted Oct 02, 2017 06:31 PM
    The end user said that they have a public cert in their Active Directory. So ClearPass should have a public certificate? Aruba TAC assisted me in changing the certificates because they're expiring. We also used a self-signed certificate last year.


  • 10.  RE: Some users cannot connect after updating certificates in Clearpass

    EMPLOYEE
    Posted Oct 02, 2017 06:35 PM
    You should use either a public CA-signed or internal CA-signed cert. Never a self-signed.


  • 11.  RE: Some users cannot connect after updating certificates in Clearpass

    Posted Oct 02, 2017 07:45 PM
    So it's an issue with the certificate. Aruba TAC and ERT told us that there will be no problem if we change the certificate; users just need to trust it.


  • 12.  RE: Some users cannot connect after updating certificates in Clearpass

    EMPLOYEE
    Posted Oct 02, 2017 07:48 PM
    You should use a public CA-signed certificate if the devices are unmanaged.
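
Added example, not part of the thread and not Aruba or ClearPass tooling: a pre-rollout check with the openssl CLI for the points raised in posts 4 and 8 to 12, namely whether a candidate EAP server certificate is self-signed and whether it chains to a CA the clients already trust. The function names, file names and host names are assumptions, and every certificate is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every certificate, file name and host name is constructed.

# True when subject and issuer are identical, the shape of a self-signed cert.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Classify a candidate EAP server cert ($1) against the CA bundle ($2) that
# the clients already hold in their trusted store.
check_eap_cert() {
    if is_self_signed "$1"; then
        echo "self-signed"          # clients would have to trust the leaf itself
    elif openssl verify -purpose sslserver -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "ok"                   # chains to a CA the clients already trust
    else
        echo "untrusted-issuer"     # issuing CA is missing from the client bundle
    fi
}

# Build a throwaway PKI in directory $1: a CA the clients trust, a server cert
# signed by it, and a self-signed server cert like the one in the thread.
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=clearpass.example.test" \
        -keyout "$dir/ss.key" -out "$dir/ss.pem" 2>/dev/null
}

# Demo run: check both candidate certs against the clients' CA bundle.
demo=$(mktemp -d)
make_demo_pki "$demo"
for c in leaf ss; do
    echo "$c.pem: $(check_eap_cert "$demo/$c.pem" "$demo/ca.pem")"
done
rm -rf "$demo"
```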