Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CA Certificates

  • 1.  CA Certificates

    Posted Jan 10, 2023 10:48 AM
    Just started a new position as a network admin at a location that uses ClearPass and Aruba APs. We have been having an issue with Windows 11 clients connecting, saying that the root certificate for this network is invalid. Group Policy is set to validate the cert; simply telling it not to check the cert allows Windows 11 to connect, but I would rather make sure the cert is solid across everything.
    When I compare the certificates that are in the trust list in ClearPass to those that are in the CA, I can see that the serial numbers are different. However, when I try to import the current certs from the CA, I get an error saying the certificate already exists.
    I did notice that the Root CA cert in the Certificate Store does match the cert of the CA. So I am wondering if, because the Root CA cert already exists in the Certificate Store page, it won't allow me to import it into the trust list.
    OR
    Does ClearPass do some sort of decimal/hex conversion of the serial number when it displays it, so that it would appear differently between MMC and ClearPass but it is really the same cert?


  • 2.  RE: CA Certificates

    EMPLOYEE
    Posted Jan 10, 2023 08:19 PM
    Hi @CSD8-NetADM,

    The RADIUS/EAP Server Certificate must be trusted by the client. The client (when configured to) will validate that this certificate has been signed by a trusted Certificate Authority. So you need to be sure that the Certificate Authority's root certificate exists in the client's Third-Party Root Certification Authorities store (or an alternate relevant store on the client). This can be done via Group Policy.

    I have seen cases where the serial number differs on ClearPass, as it displays the serial in decimal form where other devices may use hexadecimal, for example.

    Did you sign the ClearPass RADIUS/EAP Server Certificate from a Windows Server CA? Or is the CA chain more complicated than this?
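The decimal-versus-hexadecimal display difference mentioned above is easy to check by hand. The following PowerShell is an added example and is not code from the thread or from HPE Aruba; it converts the hex serial shown by MMC or certutil (with or without colons or spaces) to the decimal form ClearPass shows, and back, so the two can be compared as numbers. The function names and the sample serial values are constructed for this illustration.

```powershell
# Added example (not from the thread): compare a certificate serial as shown in
# MMC/certutil (hexadecimal) with the one shown in ClearPass (decimal).

function ConvertFrom-HexSerial {
    param([Parameter(Mandatory)][string]$HexSerial)
    # Strip the separators MMC or OpenSSL insert, plus any 0x prefix
    $clean = ($HexSerial -replace '[\s:]', '') -replace '^0x', ''
    if ($clean -notmatch '^[0-9A-Fa-f]+$') { throw "Not a hex serial: $HexSerial" }
    # A leading 0 stops BigInteger treating a high first nibble as a sign bit
    return [System.Numerics.BigInteger]::Parse("0$clean",
        [System.Globalization.NumberStyles]::HexNumber)
}

function ConvertFrom-DecimalSerial {
    param([Parameter(Mandatory)][string]$DecimalSerial)
    $clean = $DecimalSerial -replace '\s', ''
    if ($clean -notmatch '^[0-9]+$') { throw "Not a decimal serial: $DecimalSerial" }
    return [System.Numerics.BigInteger]::Parse($clean)
}

function ConvertTo-HexSerial {
    param([Parameter(Mandatory)][System.Numerics.BigInteger]$Serial)
    # BigInteger's 'x' format may add a leading 0 sign nibble; drop it, then
    # pad to whole bytes the way MMC displays the serial. Note MMC itself keeps
    # a leading 00 byte for serials whose first byte has the high bit set, so
    # compare the numeric values (Test-SameSerial) rather than the strings.
    $hex = $Serial.ToString('x').TrimStart('0')
    if ($hex.Length -eq 0) { $hex = '0' }
    if ($hex.Length % 2) { $hex = "0$hex" }
    return $hex
}

function Test-SameSerial {
    param(
        [Parameter(Mandatory)][string]$MmcHexSerial,
        [Parameter(Mandatory)][string]$ClearPassDecimalSerial
    )
    return (ConvertFrom-HexSerial $MmcHexSerial) -eq
           (ConvertFrom-DecimalSerial $ClearPassDecimalSerial)
}

# Constructed sample values: 0x1b2c3d is 1780797 in decimal
$fromMmc       = '1b:2c:3d'
$fromClearPass = '1780797'

Test-SameSerial -MmcHexSerial $fromMmc -ClearPassDecimalSerial $fromClearPass
ConvertTo-HexSerial (ConvertFrom-DecimalSerial $fromClearPass)
```

A serial number is only unique per issuing CA, so a matching serial is evidence, not proof, that two entries are the same certificate; the thumbprint (SHA-1 or SHA-256 hash of the DER encoding) is the definitive comparison.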


  • 3.  RE: CA Certificates

    Posted Jan 12, 2023 08:55 AM
    The EAP cert has been signed by the local Windows Server CA. I think the gotcha here is that the Root CA cert does not exist in the Third-Party Root CA store.
    The Root CA cert is installed in the Trusted Root Certification Authorities store (deployed via GPO), but that wasn't doing the trick. I am going to try to add the Root CA cert into the third-party store and see if that helps.


  • 4.  RE: CA Certificates

    EMPLOYEE
    Posted Jan 12, 2023 10:16 PM
    I would have thought it would work from the Trusted Root Certification Authorities store, but it's worth trying the other section to see if that works better. Let us know how you get on.


  • 5.  RE: CA Certificates

    Posted Jan 16, 2023 08:34 AM
    Come to find out that the certificate that was deployed by Group Policy was actually the wrong certificate.
    Interestingly though, I manually installed the cert into the store on the test computer, and that did not resolve the issue.
    Deploying the same cert within the Group Policy fixed the issue.
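The root cause reported here (a root certificate with the right subject but the wrong content pushed by GPO) is exactly the case that serial-number eyeballing misses. The PowerShell below is an added example, not code from the thread or from HPE Aruba; it reads the CA's exported root certificate, looks for certificates with the same subject in the client's Trusted Root (`Root`) and Third-Party Root (`AuthRoot`) stores, and reports by thumbprint whether each one is the genuine root, then builds the chain for the RADIUS/EAP server certificate the way a client would. The function names and the file paths `C:\temp\RootCA.cer` and `C:\temp\eap-server.cer` are placeholders assumed for this illustration.

```powershell
# Added example (not from the thread): verify that the root CA certificate a
# Windows client holds really is the CA's root, and that the EAP server
# certificate chains to it. Assumes the CA's root cert and the RADIUS/EAP server
# cert were exported as DER/PEM .cer files (placeholder paths below).

function Get-RootCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$ReferenceCerPath,
        [string[]]$StoreNames = @('Root', 'AuthRoot')   # Trusted Root / Third-Party Root
    )
    $reference = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ReferenceCerPath)

    foreach ($store in $StoreNames) {
        $installed = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -eq $reference.Subject }

        if (-not $installed) {
            [pscustomobject]@{ Store = $store; Subject = $reference.Subject
                               Thumbprint = $null; NotAfter = $null; Status = 'Missing' }
            continue
        }
        foreach ($cert in $installed) {
            # Same subject but a different thumbprint is the "wrong cert deployed" case
            $status = if ($cert.Thumbprint -eq $reference.Thumbprint) { 'Match' }
                      else { 'Wrong certificate (same subject, different thumbprint)' }
            [pscustomobject]@{ Store = $store; Subject = $cert.Subject
                               Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Status = $status }
        }
    }
}

function Test-EapServerCertificateChain {
    param([Parameter(Mandatory)][string]$ServerCerPath)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCerPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking needs network access; skip it so this is a pure trust-store test
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $ok = $chain.Build($serverCert)
    [pscustomobject]@{
        Subject     = $serverCert.Subject
        Issuer      = $serverCert.Issuer
        ChainValid  = $ok
        # Empty when the chain is good; otherwise e.g. UntrustedRoot or PartialChain
        Problems    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootUsed    = ($chain.ChainElements | Select-Object -Last 1).Certificate.Thumbprint
    }
}

Get-RootCertificateStatus -ReferenceCerPath 'C:\temp\RootCA.cer' | Format-Table -AutoSize
Test-EapServerCertificateChain -ServerCerPath 'C:\temp\eap-server.cer' | Format-List
```

Run it on a client that fails and on one that works: a `Wrong certificate` row in the `Root` store, or `UntrustedRoot` in the chain result while the CA's real thumbprint is absent, points at the deployed object rather than at the client's validation setting, which is the situation this thread ended up in.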