Security

Does anyone know where I need to look to solve this problem?

Issue:

Context:

• New PKI has been set up with root CA and issuing CA
• Issuing CA has issued a certificate to the first test Windows 11 PC
• The root CA cert has been installed in PC's Trusted Root Certification Authorities - Certificates folder
• The issuing CA cert has been installed in PC's Intermediate Certification Authorities - Certificates folder. The root CA cert also shows under here. 
• The CPPM RADIUS server's certificate is issued by a different CA. This different root CA issued the cert directly to ClearPass, and that root CA's certificate has been installed in the PC's trusted root. We are migrating from one CA to another. 
• Root and issuing CA certs have both been installed on ClearPass under Administration -> Certificates -> Trust List, usage is showing as EAP

You must have an issue with the last step... the message EAP-TLS: fatal alert by server - unknown_ca has two important pieces of information:

• The ClearPass server does not trust the client certificate
• Reason for not trusting is that the issuing CA is not trusted by ClearPass (Trust List).

I would double-check that the client certificate that is used by the client (if it has multiple certificates, it may pick the wrong one) and that the Client CA/PKI is added, enabled and has (at least) been enabled for EAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

On the PC under the computer account, it only has 1 certificate. I tried exporting the root and issuing ca certificates out of the PC's client certificate which is an identical copy of the certificate downloaded directly from the CA, and it shows the following:

Original Message:
Sent: Oct 28, 2024 05:05 AM
From: Herman Robers
Subject: Authentication error for EAP-TLS, fatal alert by server - unknown_ca

You must have an issue with the last step... the message EAP-TLS: fatal alert by server - unknown_ca has two important pieces of information:

• The ClearPass server does not trust the client certificate
• Reason for not trusting is that the issuing CA is not trusted by ClearPass (Trust List).

I would double-check that the client certificate that is used by the client (if it has multiple certificates, it may pick the wrong one) and that the Client CA/PKI is added, enabled and has (at least) been enabled for EAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

I found out the computer was using a random User certificate instead of a Machine certificate to connect. After forcing the PC to use the machine certificate to connect which I did through Intune PC configuration policy, it is able to connect successfully. 

Original Message:
Sent: Oct 28, 2024 07:05 AM
From: sh
Subject: Authentication error for EAP-TLS, fatal alert by server - unknown_ca

On the PC under the computer account, it only has 1 certificate. I tried exporting the root and issuing ca certificates out of the PC's client certificate which is an identical copy of the certificate downloaded directly from the CA, and it shows the following:

Any other ideas on where to look next?

Original Message:
Sent: Oct 28, 2024 05:05 AM
From: Herman Robers
Subject: Authentication error for EAP-TLS, fatal alert by server - unknown_ca

You must have an issue with the last step... the message EAP-TLS: fatal alert by server - unknown_ca has two important pieces of information:

• The ClearPass server does not trust the client certificate
• Reason for not trusting is that the issuing CA is not trusted by ClearPass (Trust List).

I would double-check that the client certificate that is used by the client (if it has multiple certificates, it may pick the wrong one) and that the Client CA/PKI is added, enabled and has (at least) been enabled for EAP.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.