Aruba Central

Hi  All

As the tile says, I am facing a problem where Clearpass EAP(server) certificate CA
is not supported by latest iOS devices.

My organization is using <ClearPass Guest 6.10.6.186545 [Cloud] on C3000V platform>.

We are providing Wi-FI(WPA2 Enterprise) to our customer with ClearPass as the RADIUS server.
Our authentication method is EAP-PEAP.

Above ClearPass server uses <DigiCert Global Root G2> as a root certificate.
The serial number of this certificate is as follows:
<08:5f:94:c0:2d:85:7b:e8:cc:14:ff:53:ed:a2:3e:2a>

iOS 16 for instance, trusts the same <DigiCert Global Root G2> as a root certificate
but with a different serial number(so a different certificate in the end, validity is different as well).
The serial number of the root Digicert certificate that iOS 16 devices trust is as follows:
<03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5>

I would like to know what can I do to remedy this situation?

Can I, for example, import the latest <DigiCert Global Root G2> certificate in ClearPass?

If yes, what will happens with older iOS devices that still trusts this old <DigiCert Global Root G2>
root certificate?

TIA!

These are two different certificates.

I think you will find here that the certificate you are referencing on the ClearPass server is actually the DigiCert Global G2 TLS RSA SHA256 2020 CA1 certificate. This is an intermediate certificate which signs the server certificate you have installed on ClearPass. The root certificate for this is DigiCert Global Root G2. 

It is likely that you will find the DigiCert Global Root G2 is already in the ClearPass certificate trust store. The serial number should show as 4293743540046975378534879503202253541, which is a decimal conversion from its hex equivalent 33AF1E6A711A9A0BB2864B11D09FAE5.

Something else is going on here. I think I've seen someone else raise an issue with iOS 16 devices and EAP. It might be worth opening a TAC case to see if they can help get to the bottom of the issue with you.
Original Message:
Sent: Jan 19, 2023 05:37 AM
From: fred ellena
Subject: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

Hi  All

As the tile says, I am facing a problem where Clearpass EAP(server) certificate CA
is not supported by latest iOS devices.

My organization is using <ClearPass Guest 6.10.6.186545 [Cloud] on C3000V platform>.

We are providing Wi-FI(WPA2 Enterprise) to our customer with ClearPass as the RADIUS server.
Our authentication method is EAP-PEAP.

Above ClearPass server uses <DigiCert Global Root G2> as a root certificate.
The serial number of this certificate is as follows:
<08:5f:94:c0:2d:85:7b:e8:cc:14:ff:53:ed:a2:3e:2a>

iOS 16 for instance, trusts the same <DigiCert Global Root G2> as a root certificate
but with a different serial number(so a different certificate in the end, validity is different as well).
The serial number of the root Digicert certificate that iOS 16 devices trust is as follows:
<03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5>

I would like to know what can I do to remedy this situation?

Can I, for example, import the latest <DigiCert Global Root G2> certificate in ClearPass?

If yes, what will happens with older iOS devices that still trusts this old <DigiCert Global Root G2>
root certificate?

TIA!

Hi ProbeRequest

Thank you for your answer and sorry for the delay with mine.

I could verify that what I thought was the root certificate was in fact a CA intermediate certificate.
I also could verify that this intermediate CA certificate is still supported by Digicert.

I also could verify that DigiCert Global Root G2 is in ClearPass truststore.

So the certificate for our server for the EAP-PEAP authentication
is issued from a valid intermediate CA certificate;
and this intermediate CA certificate is issued from DigiCert Global Root G2 certificate
(which is valid as well).

So it should be valid

As you advised, I think I will open a TAC with ClearPasss.

Again thank you for your input.

Cheers!


Original Message:
Sent: Jan 20, 2023 08:33 AM
From: ProbeRequest
Subject: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

These are two different certificates.

I think you will find here that the certificate you are referencing on the ClearPass server is actually the DigiCert Global G2 TLS RSA SHA256 2020 CA1 certificate. This is an intermediate certificate which signs the server certificate you have installed on ClearPass. The root certificate for this is DigiCert Global Root G2.

It is likely that you will find the DigiCert Global Root G2 is already in the ClearPass certificate trust store. The serial number should show as 4293743540046975378534879503202253541, which is a decimal conversion from its hex equivalent 33AF1E6A711A9A0BB2864B11D09FAE5.

Something else is going on here. I think I've seen someone else raise an issue with iOS 16 devices and EAP. It might be worth opening a TAC case to see if they can help get to the bottom of the issue with you.
Original Message:
Sent: Jan 19, 2023 05:37 AM
From: fred ellena
Subject: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

Hi  All

As the tile says, I am facing a problem where Clearpass EAP(server) certificate CA
is not supported by latest iOS devices.

My organization is using <ClearPass Guest 6.10.6.186545 [Cloud] on C3000V platform>.

We are providing Wi-FI(WPA2 Enterprise) to our customer with ClearPass as the RADIUS server.
Our authentication method is EAP-PEAP.

Above ClearPass server uses <DigiCert Global Root G2> as a root certificate.
The serial number of this certificate is as follows:
<08:5f:94:c0:2d:85:7b:e8:cc:14:ff:53:ed:a2:3e:2a>

iOS 16 for instance, trusts the same <DigiCert Global Root G2> as a root certificate
but with a different serial number(so a different certificate in the end, validity is different as well).
The serial number of the root Digicert certificate that iOS 16 devices trust is as follows:
<03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5>

I would like to know what can I do to remedy this situation?

Can I, for example, import the latest <DigiCert Global Root G2> certificate in ClearPass?

If yes, what will happens with older iOS devices that still trusts this old <DigiCert Global Root G2>
root certificate?

TIA!

Hi All,

Just for the posterity and somebody in the same situation;

I opened a case with ARUBA TAC and the conclusion is as follows:

-iPhone devices need the infrastructure certificate

 installed via MDM or AppleConfigurator

<https://support.apple.com/en-in/HT204477#:~:text=If%20you%20want%20to%20turn,Mobile%20Device%20Management%20(MDM).>

Cannot installed the cert manually via downloading it from HTTP server.

So, even if your certificate is a legit one signed by a certificate authority,

if you do not install it on the iPhone device, 

"Not Trusted" message will not disappear.

Cheers!

Original Message:
Sent: Jan 25, 2023 12:08 AM
From: fred
Subject: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

Hi ProbeRequest

Thank you for your answer and sorry for the delay with mine.

I could verify that what I thought was the root certificate was in fact a CA intermediate certificate.
I also could verify that this intermediate CA certificate is still supported by Digicert.

I also could verify that DigiCert Global Root G2 is in ClearPass truststore.

So the certificate for our server for the EAP-PEAP authentication
is issued from a valid intermediate CA certificate;
and this intermediate CA certificate is issued from DigiCert Global Root G2 certificate
(which is valid as well).

So it should be valid

As you advised, I think I will open a TAC with ClearPasss.

Again thank you for your input.

Cheers!


Original Message:
Sent: Jan 20, 2023 08:33 AM
From: ProbeRequest
Subject: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

These are two different certificates.

I think you will find here that the certificate you are referencing on the ClearPass server is actually the DigiCert Global G2 TLS RSA SHA256 2020 CA1 certificate. This is an intermediate certificate which signs the server certificate you have installed on ClearPass. The root certificate for this is DigiCert Global Root G2.

It is likely that you will find the DigiCert Global Root G2 is already in the ClearPass certificate trust store. The serial number should show as 4293743540046975378534879503202253541, which is a decimal conversion from its hex equivalent 33AF1E6A711A9A0BB2864B11D09FAE5.

Something else is going on here. I think I've seen someone else raise an issue with iOS 16 devices and EAP. It might be worth opening a TAC case to see if they can help get to the bottom of the issue with you.
Original Message:
Sent: Jan 19, 2023 05:37 AM
From: fred ellena
Subject: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

Hi  All

As the tile says, I am facing a problem where Clearpass EAP(server) certificate CA
is not supported by latest iOS devices.

My organization is using <ClearPass Guest 6.10.6.186545 [Cloud] on C3000V platform>.

We are providing Wi-FI(WPA2 Enterprise) to our customer with ClearPass as the RADIUS server.
Our authentication method is EAP-PEAP.

Above ClearPass server uses <DigiCert Global Root G2> as a root certificate.
The serial number of this certificate is as follows:
<08:5f:94:c0:2d:85:7b:e8:cc:14:ff:53:ed:a2:3e:2a>

iOS 16 for instance, trusts the same <DigiCert Global Root G2> as a root certificate
but with a different serial number(so a different certificate in the end, validity is different as well).
The serial number of the root Digicert certificate that iOS 16 devices trust is as follows:
<03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5>

I would like to know what can I do to remedy this situation?

Can I, for example, import the latest <DigiCert Global Root G2> certificate in ClearPass?

If yes, what will happens with older iOS devices that still trusts this old <DigiCert Global Root G2>
root certificate?

TIA!