Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

id-kp-eapOverLAN with Active Directory as certificate authority

  • 1.  id-kp-eapOverLAN with Active Directory as certificate authority

    Posted Aug 05, 2014 02:18 PM

    Hi Everyone,

    I'm getting the id-kp-eapOverLAN error in ClearPass; however, in my environment the AD certificate server has to be the trusted root authority instead of ClearPass. Does anyone know how to get that EKU into the certificate issuance process in Windows?

    Thanks!

    Pat



  • 2.  RE: id-kp-eapOverLAN with Active Directory as certificate authority
    Best Answer

    EMPLOYEE
    Posted Aug 05, 2014 02:58 PM

    Go into your certificate templates, duplicate the User template, go to the Extensions tab, click Edit, then click Add and then New.

    Name: id-kp-eapOverLAN

    OID: 1.3.6.1.5.5.7.3.14


    id-kp-windserver.png
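
To confirm that a certificate issued from the modified template actually carries the EKU named in the answer above, a check like the following can be run. It is an added example, not part of the original thread: the function names and certificate subjects are hypothetical, and the two test certificates are constructed in memory rather than issued by a CA.

```powershell
# Added example (not from the thread). Reports whether a certificate's Enhanced Key Usage
# extension lists id-kp-eapOverLAN, the OID given in the answer above.
$EapOverLanOid = '1.3.6.1.5.5.7.3.14'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as carried by web server certificates

function Test-EapOverLanEku {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Collect the OIDs from every EKU extension on the certificate (normally there is one).
    $ekuOids = foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    [pscustomobject]@{
        Subject       = $Certificate.Subject
        EkuOids       = @($ekuOids)
        HasEapOverLan = @($ekuOids) -contains $EapOverLanOid
    }
}

# Hypothetical helper: builds a constructed, self-signed test certificate in memory
# (nothing is written to a certificate store) with the requested EKU OIDs.
function New-ConstructedTestCert {
    param([string]$Subject, [string[]]$EkuOids)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $oids = [System.Security.Cryptography.OidCollection]::new()
    foreach ($o in $EkuOids) { [void]$oids.Add([System.Security.Cryptography.Oid]::new($o)) }
    $req.CertificateExtensions.Add(
        [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# Constructed inputs: one certificate with the EKU added, one with Server Authentication only.
Test-EapOverLanEku (New-ConstructedTestCert 'CN=with-eku.example' @($ServerAuthOid, $EapOverLanOid))
Test-EapOverLanEku (New-ConstructedTestCert 'CN=without-eku.example' @($ServerAuthOid))
```

To check a real certificate, load the exported file into an `X509Certificate2` object and pass it to `Test-EapOverLanEku` in place of the constructed ones.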



  • 3.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    EMPLOYEE
    Posted Aug 05, 2014 03:45 PM

    Does this extension need to be added to the ClearPass server certificate, if it is being signed by an internal PKI?



  • 4.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    EMPLOYEE
    Posted Nov 26, 2014 02:33 PM

    Ahhh, back to this old one now.  Turns out it needs to be a web server template.

    So today we cloned the webserver template and added the extension, but can't seem to get the template to appear in the dropdown to choose when we try to sign the cert.

    Is there another step to do to get it to appear in that list, or something else in the properties of the template that needs enabling?



  • 5.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    Posted Nov 26, 2014 02:46 PM

    Did you issue the new certificate template that you created?



  • 6.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    EMPLOYEE
    Posted Nov 26, 2014 02:48 PM

    Unfortunately it wasn't in the list to issue.  The administrator has full rights.



  • 7.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    Posted Nov 26, 2014 02:54 PM

    Usually a replication issue.  Try forcing replication between your DCs.



  • 8.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    EMPLOYEE
    Posted Nov 26, 2014 03:10 PM

    There is only one CA issuing server and we're on it.  I found some other suggestions and will report back tomorrow with whatever works.



  • 9.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    Posted Nov 26, 2014 03:38 PM

    Just to clarify, new certificate templates need to be replicated to all domain controllers in the forest: http://technet.microsoft.com/en-us/library/cc770794(v=ws.10).aspx



  • 10.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    EMPLOYEE
    Posted Dec 05, 2014 11:19 AM

    The issue was that we were browsing to the server and the template was not available.  If we RDP'd onto the server, then launched a browser to https://localhost/certsrv the template was available to choose.

    Sometimes the simplest things.



  • 11.  RE: id-kp-eapOverLAN with Active Directory as certificate authority

    Posted Aug 06, 2014 07:16 AM

    Great, thank you!

    Michael,

    As I understand it, that certificate EKU has to be added for Windows 8.1 to work properly with Onboard.