Frequent Contributor I

Re: Windows 8.1 Onboard Support

Yes, the error in the event logs on the Windows machine shows that the machine couldn't validate the server certificate, but why can other systems do that with no issues? And removing the check proves that Windows cannot validate that server certificate, even though the CA is getting pushed to the machine during the onboarding steps and I have verified it is there! Also, why is this not showing when using a 1024 key? I am having lots of doubts about this being a ClearPass bug; I think it is a Windows bug.

And as I remember, doing manual trust caused an issue with Android devices (faced that at 1 site), and I got a recommendation from Aruba to change it to auto and it worked after that, so test with Android as well before making it a workaround :)
Aruba

Re: Windows 8.1 Onboard Support

Just a quick update...

Engineering is investigating it. If you are running into this issue, please contact TAC for a workaround, and I will post an update later this week.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I

Re: Windows 8.1 Onboard Support

Hello Troy,

Any updates on this one, as I'm running into the same issue?

Many thanks in advance,

Jan

Aruba

Re: Windows 8.1 Onboard Support

If you are using a CPPM that is running any version before 6.3, you will need to make sure the Root CA you choose supports OID to the certificate (id-kp-eapOverLAN) for the CPPM server cert.

In 6.3 the RADIUS cert can be signed by CPGuest and the OID support is built in.

Windows decided to change the certificate requirements as of 8.1.

Thank You,
Troy

Occasional Contributor I

Re: Windows 8.1 Onboard Support

Many thanks for the quick reply!

Here is what I got back from the support team:

"After onboarding a Windows 8.1 device, it silently failing to connect SSID using (EAP-MSCHAPV2). We also replicated the issue in house and found the same. When configuring the client manually with certificate trust settings, client able to connect to SSID. When we remove the option do not validate server certificate (network settings in Onboarding), the Windows 8.1 client is able to connect.

This defect is resolved in 6.3.1, which is expected to be available by 03/14/14 (tentative)."

Best regards,

Jan

Regular Contributor I

Re: Windows 8.1 Onboard Support

Is there any update with this?

I've generated a CSR for 2048 SHA-1 and signed it with OnBoard.

I'm still getting Windows 8.1 timeouts in CPPM 6.3.3.x. Any thoughts on this?

Regards,

Josh
___________
ACMP, ACCP
Aruba

Re: Windows 8.1 Onboard Support

Please open a TAC case. I have it running fine at multiple sites. It might be an issue on the wireless, wired or CPPM. The only way to find out is if you debug and look through the logs.
Thank You,
Troy

Regular Contributor I

Re: Windows 8.1 Onboard Support

Thanks Troy - I'll contact TAC. Do you know of a way to double check that the SSL cert I generated has the id-kp-eapOverLAN extended key usage?

Regards,

Josh
___________
ACMP, ACCP
Aruba

Re: Windows 8.1 Onboard Support

If you go to the CP Guest side, to Onboard WorkSpace, and click Start Here, it will tell you on the page if your cert supports ID-KP-EAPOVERLAN.
Thank You,
Troy

Aruba

Re: Windows 8.1 Onboard Support

id-kp.png

Thank You,
Troy
