Security

After the iOS device successfully passes the onboarding process is not able to authenticate .

I am able to authenticate with no issues Win7 and Android devices

Cert issue?

Victor,

Based on the error the client isnt trusting either the Root CA, Intermediate or server cert. 

1. what version of CPPM?

2. did you combine the three when you added them into CPPM

3. You might need to change the network settings from auto to Manual on the trust.

Thanks Troy,

1. what version of CPPM? 

6.2.5.60869 

2. did you combine the three when you added them into CPPM

I did

3. You might need to change the network settings from auto to Manual on the trust.

Just tried that but it didnt work maybe I am missing something else

Had the same problem with IOS7 clients only. Turned out to be a trust issue.

"My issue turned out to be a trust issue.

Guest > onboard+workspace > Onboard/MDM Configuration > Network Settings > *your profile* > Trust tab

I had selected to automatically configure trust settings.

Even though the cppm ssl certificate included the entire chain this wasn't working properly.

The fix was to change this to manualy configure the trust settings. Cut up the server cert into its CA and intermediate CA's and upload those individualy and then add them as trusted certificates."

Thanks koenv,

Sorry don't understand this part : 

"Cut up the server cert into its CA and intermediate CA's and upload those individualy and then add them as trusted certificates."

Im golden now.

I had to tweeked the different certs.

Thank you Guys

Awesome this solved the issue for me on ver 6.3.1.4 with a godaddy cert which contained two intermediate CA's in the trust chain.  

Chopped up the certs individually, uploaded as trusted cert, and selected manually in network settings as shown below.

Bam.  Thank you!

Hello, 

I have the exact same issue in a lab and a customer environment running CP 6.5.5.78974.

All devices can successfully onboard (windows, android, apple) but an iPhone cannot connect to the secure network. I get the alredy mentioned alert.

I alredy tried automatic and manual trust settings without success.

Looking at the iphone certificate trust list everything looks fine.

Can anyone help?

Thanks in advance.

Jens

The root CA is private Microsoft CA.

Yes, the root CA cert as well as the clearpass cert use 2048 bit keys.

Yes but there is no intermediate cert bedause the clearpass RADIUS cert is direclty issued by the root CA (its a test environment in this case).

The root CA cert as well as the clearpass RADIUS cert are installed and listed in the network config profile. That's why it looks strange to my. 

I also tryed the manual trust listbut the behaviour is the same.

I have found the root cause for the failure. The apple devices (I believe since iOS 8) seems to require the RADIUS server explicitly to be added to the "Trusted Server Names" list otherwise the client rejects the server certificate. (Why couldn't Clearpass just add the CN and subject alternate name (DNS)  from the RADIUS server certificate automatically?)

I assumed that the client would check the common name (CN) but instead I had to add the subject alternat name that has been used in the RADIUS server certificate (DNS:clearpass.networking.hpe.demo). 

Automatically configured trusted server list did not work for some reason.

The "Configure Trust" setting could stay @ automatic. The OnBoard client installed all necessary certificates.

Hope that helps.

Regards,

Jens