Security

  • 1.  Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Mar 04, 2022 08:34 AM
    Edited by iamrj Mar 04, 2022 09:11 AM
    Hi Guys!

    Good Day!

    So our current Radius Certificate is about to expire so we had it renewed and installed it earlier.

    Below are the findings after we installed the renewed certificate.
    • WLAN connections are able to connect to the network
    • LAN connections unable to connect to the network "Unidentified Network"
    • Machines connected via LAN shows a prompt
      • "Can't verify the servers identity".
      • If you're trying to connect to your organization's Ethernet network, go ahead and connect. Continue connecting?
      • When clicked on Connect. Still not able to connect to the network. 
    • Logs for WIFI and LAN at access tracker shows TIMEOUT, Client did not complete EAP transaction


  • 2.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Mar 04, 2022 09:49 PM
    Please open a technical support case with HPE.  There are many reasons why this is not working...

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Mar 07, 2022 07:33 AM
    Other than the valid and expiration dates on the new certificate - did anything else change? Did the root CA change or anything with the root/intermediate certificate?

    The prompt you're getting on the LAN indicates the PC is not trusting the RADIUS server, but validating the certificate. Normally (in our case at least), as long as the root certificate is selected in the trust list and the CN matches the server name text box, it will trust the RADIUS server and pass credentials.

    The EAP timeouts are normal when a certificate is validated but not trusted automatically. The server awaits the credentials, but the device does not send unless manually told to do so with the popup you were seeing. 

    You should be able to compare the security settings on LAN and WLAN to see if something is different between them, it sounds like WLAN is working as expected.

    ------------------------------
    Michael Haring
    ------------------------------



  • 4.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Mar 07, 2022 11:18 AM
    Edited by iamrj Mar 07, 2022 11:20 AM
    So just an update. We just resolved the issue. 

    The issue was the server name (root) was not selected on the authentication option settings in the wired network adaptor. So need to change on GPO then push the new settings down to the clients. 

    Wireless adaptor doesn't have the authentication option as per the attached photo. So am not sure if it's already selected all the server name (root) or already corrected on the GPO side.


    ------------------------------



  • 5.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Nov 19, 2025 02:48 PM

    Hello,

    What was your resolution to this? We are running into the exact same issue. We never had to encounter this in the past, only when we renewed the ClearPass Server Cert.

    Thanks

    -------------------------------------------



  • 6.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Nov 19, 2025 02:57 PM

    This is an old thread, but the resolution is mentioned in the last post.

    The wired 802.1x profile was missing the root CA certificate.

    You should enable certificate validation, provide the name expected to be in the RADIUS certificate and the root certificate for the RADIUS certificate.

    As your WLAN 802.1x works, start and update the LAN 802.1x profile with the same settings.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Nov 19, 2025 03:07 PM
    Edited by AZ245 Nov 19, 2025 03:09 PM

    Thank you Jonas for responding

    Actually we have root cert in the wired and wireless already, has been working for past 2 years. A week ago we updated CPPM certificates and now this issue started to happen sporadically. Once we click continue, connect, it works but randomly that pop-up would come again.

    Opened a TAC case, they recommended that "checkbox next to root cert" must be selected (root cert is already part of trusted cert in every machine). We are controlling that setting via GPO and have never seen that 'root cert' to be checked off but it has been working throughout, until this week.

    Second recommendation was to re-generate cert from ClearPass and link 'server cert' + rootcert, all in 1 file and then upload to ClearPass.

    Last recommendation was to regenerate cert using FQDN instead of server IP on ClearPass (never had to do it before) and select "connect to these servers" in Windows policy (in the screenshot in previous post) and spell out FQDN.

    I am not confident which one would work or is worth the effort. The only difference now (apart from the new certificate) is that we are using WIN11 instead of WIN10 machines.
    (no changes to root cert btw).

    Thank you

    -------------------------------------------



  • 8.  RE: Installed new Radius Certificate, WLAN can connect LAN cannot.

    Posted Nov 20, 2025 02:29 AM

    Windows 11 has different behaviors during certificate validation depending on what version you are running.

    See the following two Microsoft articles regarding 802.1x configuration.

    EAP - What's changed in Windows 11

    Configure EAP profiles and settings in Windows

    Check all configuration and make sure it matches your environment.

    Adding the certificate chain to the RADIUS certificate is good advice. Either you request a new certificate and add the chain before import, or you can export the certificate in PFX format. Use OpenSSL to convert the PFX to PEM files with the certificate and the private key in separate files. Add the chain to the certificate file and again use OpenSSL to make a PFX. Finally import the edited PFX in ClearPass.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
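
The PFX round trip described in the post above (split into PEM, append the chain, repack), as an added example that is not part of the original thread and not HPE or ClearPass tooling. All file names, passwords and the `radius.example.test` name are assumptions; `make_demo_pfx` only builds constructed test data so the steps can be tried offline before touching the real export.

```shell
#!/usr/bin/env bash
# Added example: rebuild a RADIUS server PFX so it also carries its CA chain.
# File names, passwords and the demo server name are placeholders.

# rebuild_pfx IN_PFX CHAIN_PEM OUT_PFX IN_PASS OUT_PASS
rebuild_pfx() {
  _w=$(mktemp -d) || return 1
  # 1. Split the exported PFX: leaf certificate only, then the private key.
  # 2. Append the chain (intermediates, then root) to the certificate file.
  # 3. Pack certificate + chain + key into a new PFX for import.
  if openssl pkcs12 -in "$1" -passin "pass:$4" -clcerts -nokeys -out "$_w/server.pem" &&
     openssl pkcs12 -in "$1" -passin "pass:$4" -nocerts -nodes -out "$_w/server.key" &&
     cat "$2" >> "$_w/server.pem" &&
     openssl pkcs12 -export -in "$_w/server.pem" -inkey "$_w/server.key" \
       -passout "pass:$5" -out "$3"
  then _rc=0; else _rc=1; fi
  rm -rf "$_w"   # the temporary key file was unencrypted, so remove it
  return $_rc
}

# pfx_cert_count PFX PASS: number of certificates stored in the PFX
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# pfx_leaf_subject PFX PASS: subject of the server certificate, to compare
# with the server name configured in the clients' 802.1X profile
pfx_leaf_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
    openssl x509 -noout -subject
}

# make_demo_pfx DIR: constructed test data. A throwaway root CA and a server
# certificate exported to DIR/radius.pfx WITHOUT its chain (password "demo").
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/srv.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -out "$1/srv.pem" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/srv.pem" -inkey "$1/srv.key" \
    -passout pass:demo -out "$1/radius.pfx"
}
```

Running `pfx_cert_count` before and after shows whether the file now contains the chain, and `pfx_leaf_subject` shows the name the clients will be validating.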