Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multiple Radius certificate in Clearpass

  • 1.  Multiple Radius certificate in Clearpass

    Posted Aug 01, 2022 01:09 PM
    Hello Community,

    I have an issue regarding Android 11 and 12 and the onboarding process. Android no longer trusts self-signed/local-CA-signed certificates, so I should create a RADIUS certificate on ClearPass signed by a public CA. The problem is that I already have a RADIUS certificate signed by the local CA that allows me to authenticate the PCs into the local domain through EAP-TLS.

    Do you know if there is a way to have both RADIUS certificates (the one signed by the local CA and the one signed by the public CA)?

    Kind Regards
    FU


  • 2.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 01, 2022 02:39 PM
    Yes, you can override the certificate used for a particular Service.


  • 3.  RE: Multiple Radius certificate in Clearpass

    EMPLOYEE
    Posted Aug 02, 2022 03:43 AM
    As mentioned, you can use a service certificate for RADIUS in ClearPass. However, you probably shouldn't move to a public certificate for RADIUS. Instead use a provisioning tool like Mobile/Enterprise device management for company managed devices, or ClearPass Onboard for personal managed devices; and use a private CA (not self-signed certs).

    Android 11/12 will not trust a public certificate either, unless your users manually find and select the issuing CA which is cumbersome and error-prone.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 03, 2022 04:30 AM
    Hello Herman,

    Thanks for your reply.
    Actually we would like to use the Onboard license in order to onboard BYOD devices (there is no MDM in the company).
    With iOS 15 and Android 9 there is no problem at all doing the onboarding.
    With Android 11 and 12 we have an issue during the installation of the Onboarding profile on the device.
    Onboarding in ClearPass has been set to Root Mode (the RADIUS certificate is provided by a CA created inside ClearPass).
    During the authentication the smartphone replies to ClearPass with an internal error; iOS, instead, is able to install the RADIUS certificate (signed by the internal root CA of the company).

    It seems that Android 11 and 12 do not trust the internal root CA self-signed by ClearPass or the local CA of the company... that's why I was thinking about a public CA certificate used as a service certificate in a dedicated service rule...

    Kind Regards
    Fabio


  • 5.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 03, 2022 07:38 AM
    MDM >>>>> BYOD 

    The exact problem you describe will continue to get worse as both Google and Apple apply more certificate trust security to their devices. An MDM has now, IMHO, become required for MDM flows to avoid any certificate trust warnings/issues.


  • 6.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 04, 2022 03:42 AM
    MDM is unrealistic for many situations, not least of which being you can only enrol a device in one MDM so it's useless for managed devices that are guests on other wireless networks. The problem is Google has decided not to allow a trust-on-first-use approach like every other vendor.


  • 7.  RE: Multiple Radius certificate in Clearpass

    EMPLOYEE
    Posted Aug 04, 2022 10:23 AM
    For secure deployments you would need the client certificate deployed as well to do EAP-TLS. Issues with CPPM Onboard being unable to deploy a profile have in most cases to do with errors in the server certificate, incorrect hostnames, or use of HTTP instead of HTTPS. Aruba support should be able to get you going, but make sure before you contact them that you have a publicly trusted certificate for HTTPS on your ClearPass server.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Multiple Radius certificate in Clearpass

    Posted Aug 05, 2022 04:41 AM

    Hello Herman,

    I have found in the Android forum that since Android 11 it is not possible for an application (like QuickConnect) to install a self-signed CA or a local CA in the certificate store. That's why the enrollment process in QuickConnect is so fast and it misses several steps during the profile installation compared to Android 9.
    The workaround that I have found is to install the CA prior to launching QuickConnect.
    I have opened a ticket with Aruba and they suggested using a public digital certificate (as you said). The customer has a public wildcard that is used for the HTTPS guest portal. The problem is that you need a public certificate able to use the key for digital signature, certificate signing. For the guest web page I have just client authentication and server authentication.

    I will verify this last part.

    Thanks a lot for your feedback

    Kind Regards
    Fabio
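
The last post hinges on whether an existing public certificate carries the key usages a RADIUS/EAP server certificate needs. The script below is an added example, not code from the thread or from HPE Aruba: it uses the OpenSSL command line (assumed to be 1.1.1 or newer, for the `-ext` and `-addext` options) to report whether a PEM certificate has `Digital Signature` in Key Usage and `serverAuth` in Extended Key Usage, which is what EAP-TLS supplicants generally expect of the server certificate. The helper that mints a short-lived self-signed certificate exists only to give the check something constructed to run against; `radius.example.test` is a placeholder name.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PEM certificate's key usage
# extensions before loading it as a ClearPass RADIUS service certificate.
# Assumes an OpenSSL 1.1.1+ CLI; certificates made by make_test_cert are
# constructed for demonstration only.

# check_radius_cert FILE
# Prints one line per finding and returns 0 when the certificate carries
# digitalSignature in Key Usage and serverAuth in Extended Key Usage,
# 1 when either is missing.
check_radius_cert() {
    cert="$1"
    ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null)
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null)
    status=0
    case "$ku" in
        *"Digital Signature"*) echo "ok: Key Usage includes Digital Signature" ;;
        *) echo "missing: Key Usage lacks Digital Signature"; status=1 ;;
    esac
    case "$eku" in
        *"TLS Web Server Authentication"*) echo "ok: EKU includes serverAuth" ;;
        *) echo "missing: EKU lacks serverAuth"; status=1 ;;
    esac
    return $status
}

# make_test_cert FILE EKU_LIST KU_LIST
# Constructed self-signed certificate (placeholder CN) with the given
# extendedKeyUsage and keyUsage values, so the check can be exercised offline.
make_test_cert() {
    out="$1"; eku="$2"; ku="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/CN=radius.example.test" \
        -addext "keyUsage=$ku" -addext "extendedKeyUsage=$eku" >/dev/null 2>&1
}
```

Run `check_radius_cert /path/to/wildcard.pem` against the exported public certificate; a non-zero exit means the certificate as issued is not suitable for the RADIUS service and a certificate with the right usages should be requested from the CA.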