  • 1.  Mobile Device Wireless Authentication with Clearpass Failure

    Posted Nov 02, 2023 03:54 AM

    Hello,

    We are currently testing Wireless Authentication to our Aruba Instant APs using Clearpass with our mobile devices iOS/Android and have hit a bit of a wall in getting the devices to connect to the corporate network.

    We have issued a user certificate to each device from AD CS Certificate Authority via our Workspace One MDM platform and have confirmed issuance of the cert on each device.

    When we try to connect to the SSID, ClearPass reports the following:

    Error Code: 215
    Error Category: Authentication failure
    Error Message: TLS session error
    Alerts for this Request 
    RADIUS EAP-TLS: fatal alert by client - certificate_unknown
    eap-tls: Error in establishing TLS session
    I can confirm that each device has the CA cert onboard and that the CA has issued the user cert to each device.
    Our Clearpass authentication and authorization service is configured as per the Aruba Clearpass Workshop provided by Herman.


  • 2.  RE: Mobile Device Wireless Authentication with Clearpass Failure

    Posted Nov 02, 2023 05:15 AM

    The message: "fatal alert by client - certificate_unknown" means that your client does not trust the ClearPass EAP/RADIUS certificate.

    Make sure that the Root CA that issued the ClearPass EAP certificate is added to your client, and also selected/configured as trusted in the client configuration:

    This screenshot is for TEAP, but similar for other authentication types.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Mobile Device Wireless Authentication with Clearpass Failure

    Posted Nov 02, 2023 06:44 AM

    Hi Herman, thank you for your response. We added the same Root CA to the ClearPass server that is also used to issue the user certificates to the mobile devices via our Airwatch MDM platform.

    The RADIUS certificate on the ClearPass server used for EAP was also issued by the same certificate authority, so I'm not sure what we are missing in our device config.

    The RADIUS authentication works fine with our Windows laptops, which have a device certificate issued by the same Root CA.

    Is there anything else I can check?




  • 4.  RE: Mobile Device Wireless Authentication with Clearpass Failure

    Posted Nov 02, 2023 07:55 AM

    Reading again, the message is 'certificate_unknown', not 'unknown_ca'. It may be that the name in 'connect to servers' does not match the RADIUS certificate.

    I would manually configure the client and see if you can make it connect, then duplicate the settings in your Intune.

    Getting this right may take some effort, but in my experience, in the end it's something quite simple that you have overlooked. It may be good to do some troubleshooting with someone else, like your partner or Aruba Support, as two see more than one.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Mobile Device Wireless Authentication with Clearpass Failure

    Posted Nov 02, 2023 09:31 AM

    Thanks Herman, we've managed to fix it. On Airwatch/Workspace One, in the iOS Wi-Fi profiles, you have to tell it to trust the RADIUS server, which we added a cert for in the MDM profile.

    Once we filled in the above field everything came together. Thanks again!
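
An added example, not part of the thread and not Aruba or Workspace ONE code: a pre-deployment check of an exported iOS Wi-Fi profile for the missing server trust that the last post describes. It assumes Apple's configuration profile keys for the Wi-Fi payload (`EAPClientConfiguration`, `PayloadCertificateAnchorUUID`, `TLSTrustedServerNames`); the SSID, UUID and host names are constructed.

```python
import plistlib
from fnmatch import fnmatchcase

# Certificate payload types that can act as a trust anchor in a profile.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}

def audit_wifi_trust(profile_bytes, radius_cert_names):
    """Return trust findings for every EAP Wi-Fi payload in a .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        eap = p.get("EAPClientConfiguration")
        if p.get("PayloadType") != "com.apple.wifi.managed" or eap is None:
            continue
        ssid = p.get("SSID_STR", "?")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        names = eap.get("TLSTrustedServerNames", [])
        if not anchors and not names:
            findings.append(f"{ssid}: no trusted RADIUS certificate or server name set")
        for uuid in anchors:
            if uuid not in cert_uuids:
                findings.append(f"{ssid}: anchor {uuid} has no certificate payload")
        # fnmatch approximates the profile's wildcard matching (assumption).
        if names and not any(fnmatchcase(c.lower(), n.lower())
                             for n in names for c in radius_cert_names):
            findings.append(f"{ssid}: trusted names match none of {radius_cert_names}")
    return findings

def build_profile(eap):
    """Constructed sample profile: one root CA payload plus one EAP-TLS SSID."""
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-UUID-1",
         "PayloadContent": b"constructed placeholder, not a real certificate"},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "CorpWiFi",
         "EncryptionType": "WPA2", "EAPClientConfiguration": eap},
    ]})

if __name__ == "__main__":
    cert_names = ["clearpass.example.com"]  # constructed RADIUS certificate names
    untrusted = build_profile({"AcceptEAPTypes": [13]})  # 13 = EAP-TLS
    trusted = build_profile({"AcceptEAPTypes": [13],
                             "PayloadCertificateAnchorUUID": ["CA-UUID-1"],
                             "TLSTrustedServerNames": ["clearpass.example.com"]})
    print(audit_wifi_trust(untrusted, cert_names))
    print(audit_wifi_trust(trusted, cert_names))
```

Pass the subject and SAN names of the RADIUS/EAP certificate as `radius_cert_names`; an empty result means the profile both pins an anchor that is present in the profile and lists a matching server name.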