Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Intune managed Android devices EAP-TLS cannot validate certificates

  • 1.  Intune managed Android devices EAP-TLS cannot validate certificates

    Posted 19 days ago

    Hi Folks,

    I'm having an issue with Android devices, managed in Intune, that need to authenticate with EAP-TLS.

    The certificates and the configuration profile are on the phone, but authentication will not work. When I manually disable validation on the Android, it works.

    Does anyone know why certificate validation on Android will not work?

    The same setup with iOS and Windows is working great.

    When authenticating, I see in Access Tracker that no Intune check is done and no certificate is used (certificate validation is on at that moment).

    I hope someone can help me out.

    Regards,

    Erik



  • 2.  RE: Intune managed Android devices EAP-TLS cannot validate certificates

    Posted 19 days ago

    Hi Erik

    I don't have a specific answer for your issue, but maybe some hints to where the problem can be.

    One of my colleagues had a similar issue with one of his customers, where Android users couldn't connect but Windows and iPhone worked fine.

    After a lot of troubleshooting it was found that the configuration of the subject name in the SCEP certificate profile contained an initial space. The space was removed when the username was displayed by ClearPass, but it was sent as part of the username to Active Directory.

    In your case, verify that you have specified the correct name for the RADIUS certificate in the 802.1X WLAN profile. If I remember correctly, newer versions of Android, I think from Android 13, require the name of the RADIUS certificate to be specified in the 802.1X profile, in addition to the CA certificate to trust for the authentication.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Intune managed Android devices EAP-TLS cannot validate certificates

    Posted 19 days ago

    Thanks Jonas. I sent it to my colleague. I'll keep in touch.

    I got some screenshots.

    This works, but without certificate validation.

    The received user certificate looks quite strange, but according to my colleague this is how Android saves it and uses it.

    -------------------------------------------


    Original Message:
    Sent: Jul 11, 2024 03:59 AM
    From: jonas.hammarback
    Subject: Intune managed Android devices EAP-TLS cannot validate certificates


  • 4.  RE: Intune managed Android devices EAP-TLS cannot validate certificates

    Posted 18 days ago

    Online certificate status refers to OCSP/CRL, not to the server certificate validation (against what is listed under CA Certificate). So it seems you are configured correctly.

    If you have space to play/test, you may configure a different Root and validate that the device rejects the server certificate. Then you can be sure it works like this.

    With 802.1X being an L2 (or even below that) protocol, you won't really be able to do OCSP unless OCSP stapling is done by the server.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Intune managed Android devices EAP-TLS cannot validate certificates
    Best Answer

    Posted 8 days ago

    Hi all,

    We solved the issue. The FQDN of the RADIUS servers used for validation wasn't configured the same as in the certificate on ClearPass. After changing this, it worked immediately.
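The root cause in the post above (server name in the Wi-Fi profile not matching the ClearPass certificate) and Jonas's hint about a stray space in a SCEP subject name are both things you can check before pushing a profile. The following is an added example, not code from the thread, from HPE Aruba or from Microsoft. It assumes the behaviour documented for wpa_supplicant's domain_suffix_match directive, which is what Android feeds the profile's server name(s) into (Intune's "Certificate server names" field is assumed to land there too): each configured name must match a dNSName in the server certificate's subjectAltName, label by label from the top-level domain, with extra sub-labels allowed on the certificate side; if the certificate carries no dNSName at all, the Subject CN is used instead. The certificate data is constructed inline for the demo, not taken from a real ClearPass.

```python
"""
Pre-flight check for Android EAP-TLS server certificate validation.

Added example; it models the domain_suffix_match rule that Android applies
to the server name(s) configured in a Wi-Fi enterprise profile. All
certificate data here is constructed for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Minimal stand-in for a parsed X.509 RADIUS server certificate."""
    subject_cn: str
    san_dns: list = field(default_factory=list)


def _labels(name: str) -> list:
    # Case-insensitive, ignore a trailing dot, drop empty labels.
    return [l for l in name.strip().lower().rstrip(".").split(".") if l]


def suffix_match(configured: str, cert_name: str) -> bool:
    """domain_suffix_match semantics for one configured name vs one cert name.

    Labels are compared from the right: 'example.com' matches
    'cp01.example.com' but not 'notexample.com' (a plain substring or
    endswith() check would wrongly accept the latter).
    """
    want, have = _labels(configured), _labels(cert_name)
    if not want or len(want) > len(have):
        return False
    return have[-len(want):] == want


def android_accepts(cert: ServerCert, configured_names: str) -> bool:
    """True if at least one configured name matches the certificate.

    configured_names uses wpa_supplicant's ';' separator for multiple
    entries. SAN dNSName entries take precedence; the Subject CN is only
    consulted when the certificate has no dNSName at all.
    """
    candidates = cert.san_dns if cert.san_dns else [cert.subject_cn]
    wanted = [n for n in configured_names.split(";") if n.strip()]
    return any(suffix_match(w, c) for w in wanted for c in candidates)


def explain(cert: ServerCert, configured_names: str) -> str:
    """Human-readable verdict, handy when comparing a profile to a cert."""
    ok = android_accepts(cert, configured_names)
    source = "SAN dNSName" if cert.san_dns else "Subject CN (no dNSName present)"
    names = cert.san_dns or [cert.subject_cn]
    return f"{'ACCEPT' if ok else 'REJECT'}: configured={configured_names!r} vs {source}={names}"


def whitespace_issues(rdn_values: dict) -> list:
    """Flag subject attributes with leading/trailing whitespace.

    A UI or log viewer may trim the value for display, but the identity
    that reaches the RADIUS server and Active Directory is the raw string
    in the certificate, so ' erik' and 'erik' are different users.
    """
    return [f"{k}={v!r}" for k, v in rdn_values.items() if v != v.strip()]


# Constructed sample: a ClearPass server cert issued to cp01.example.com
# (hypothetical names, not from the thread).
CLEARPASS_CERT = ServerCert(
    subject_cn="cp01.example.com",
    san_dns=["cp01.example.com", "radius.example.com"],
)


if __name__ == "__main__":
    # Mismatch of the kind reported above: the profile names an FQDN the cert lacks.
    print(explain(CLEARPASS_CERT, "clearpass.example.com"))
    # Correct: the exact FQDN, or the parent domain used as a suffix.
    print(explain(CLEARPASS_CERT, "radius.example.com"))
    print(explain(CLEARPASS_CERT, "example.com"))
    # Lookalike suffix must not pass.
    print(explain(CLEARPASS_CERT, "ample.com"))
    # Constructed SCEP subject with the invisible leading space.
    print(whitespace_issues({"CN": " erik", "O": "Example"}))
```

To use it against a real server certificate, pull the SAN dNSName list and Subject CN out of the PEM (for instance with `openssl x509 -noout -subject -ext subjectAltName`) into a `ServerCert`, and paste the profile's server-name field as `configured_names`. A REJECT here is the same outcome Android gives you silently when the profile's name does not match.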