Security

 View Only

  • 1.  ClearPass Onboard Certificate Trust issue

    Posted Mar 24, 2025 11:56 AM
    Hello,
    I am posting this message because I am encountering an issue with a client.
    ClearPass environment - OnBoard module
    .
    Following the change of EAP certificates in PolicyManager, the OnBoard module displays an error message: "There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating: Couldn't load ClearPass server certificate. Certificate that signed the server certificate does not exist in the trust list."
    Windows and Android provisioning (via QuickConnect) are no longer functioning.
    The following message is displayed in the browsers: "Could not load ClearPass RADIUS server certificate. Reason: Couldn't load ClearPass server certificate. Certificate that signed the server certificate does not exist in the trust list."
    The EAP certificates come from the same PKI (ROOT/INTERMEDIATE).
    Where could the error be coming from?
    Thank you in advance.


    Mathieu



    ------------------------------
    CyberSec & Network Engineer - ACCX #1532 - ACX-NS - ACMP
    ------------------------------


  • 2.  RE: ClearPass Onboard Certificate Trust issue

    Posted Mar 24, 2025 12:16 PM
    Edited by chulcher Mar 24, 2025 12:18 PM

    When you configure the trust settings in the network settings there is an option for automatic vs manual.

    Haven't seen that in a long time since I've used manual, but I think changing the RADIUS certificate will cause the error you're seeing.

    If this isn't related to what you are seeing, some screenshots would be useful.

    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: ClearPass Onboard Certificate Trust issue

    Posted Mar 24, 2025 12:35 PM
    Edited by mdavid Mar 24, 2025 12:38 PM
    I changed auto to manual but no success :(
    Some screenshots from the config :



    ------------------------------
    CyberSec & Network Engineer - ACCX #1532 - ACX-NS - APC ClearPass - ACMP
    ------------------------------

    Original Message


  • 4.  RE: ClearPass Onboard Certificate Trust issue

    Posted Mar 24, 2025 12:48 PM

    Your RADIUS certificate really shouldn't be different on each appliance, nor should there be an IP address in the SAN.  RADIUS certificate should be a standard single host type of certificate, preferably with a CN/Subject/FQDN that isn't DNS resolvable anywhere on the network.  Use the same certificate on every appliance.

    I've always recommended something like "radius.domain.com" be used.  Do not use the same certificate as you use for HTTPS.  Do not use a self-signed certificate.  If you don't have a separate PKI then you can create a CA on ClearPass and issue a certificate from there for the purpose.

    Those screenshots are useful but I was more meaning pics of the error or error state.  The context of the error message is sometimes more useful than just the text.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------

    Original Message


  • 5.  RE: ClearPass Onboard Certificate Trust issue

    Posted Mar 25, 2025 07:23 AM

    Thank you, I will ask the client to generate a new certificate for testing.

    I'll let you know.



    ------------------------------
    CyberSec & Network Engineer - ACCX #1532 - ACX-NS - APC ClearPass - ACMP
    ------------------------------

    Original Message


Related Content