Just add the methods that you use, remove everything else. If you use EAP-TLS, remove everything else. If you use PEAP-MSCHAPv2 (deprecated), just add [EAP MSCHAPv2]. If you do both, just add those two. For sure don't put MAC Auth methods in EAP authentication services.
How did you configure the client? That is probably where the problem is...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 20, 2023 05:46 AM
From: housegregory
Subject: NEW PHONES GIVING CA ERRORS
Yes, the EAP certificate is signed by a private CA. We manually added the certificate to the client phone, but we still get the EAP errors shown below.
But we have configured the below methods and client is sending EAP as a method.
Original Message:
Sent: Jul 20, 2023 04:55 AM
From: Herman Robers
Subject: NEW PHONES GIVING CA ERRORS
An EAP certificate signed by a private CA (Company CA) should work fine, and is what I would recommend.
However in order for modern Android clients to trust that certificate, you would need to install the Company CA (that signed the EAP certificate) in your client before you can connect to the network, and you would need to trust that. Having an automation tool (mentioned in my previous response) would make that more user friendly, but to verify that is indeed the issue I would configure it manually first.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 20, 2023 04:36 AM
From: housegregory
Subject: NEW PHONES GIVING CA ERRORS
Hello,
Thank you for your answer. We have a RADIUS/EAP certificate that is signed by the Company's Certificate Authority. It's a local certificate with the same domain as ClearPass. For new clients that cannot associate with the wireless network, which type of certificate do we need to use?
Original Message:
Sent: Jul 20, 2023 03:36 AM
From: Herman Robers
Subject: NEW PHONES GIVING CA ERRORS
fatal by client - unknown_ca is clear: Your client does not know/trust the root CA that signed the RADIUS/EAP certificate on ClearPass.
What type of RADIUS/EAP certificate have you deployed on ClearPass, as in signed by which CA?
How do you provision your phones for network access? Note that in older Android versions you could ignore the server certificate (which allowed attacks on user credentials); in more recent versions you can no longer ignore the server certificate, for better security. As a result, these devices need more configuration, and tooling for that would be strongly recommended. Tooling could be ClearPass Onboard for non-managed devices, or a Mobile Device Management for managed devices.
------------------------------
Herman Robers
------------------------
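The trust decision behind unknown_ca can be reproduced offline. The following is an added example, not part of the thread and not Aruba or ClearPass tooling: it builds a throwaway private CA and a RADIUS/EAP server certificate with the openssl CLI, then checks the certificate against three client trust stores. All names (Example Company CA, radius.example.test) are placeholders, and `openssl verify` is assumed here as a stand-in for the supplicant's chain check.

```shell
#!/bin/sh
# Constructed lab; every name here is a placeholder, not taken from the thread.

new_ca() {      # $1 = output prefix; self-signed CA with CN "Example Company CA"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Company CA" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_lab() {    # $1 = work directory
    new_ca "$1/ca" &&
    # Second CA with the SAME subject name but a different key pair.
    new_ca "$1/lookalike" &&
    # RADIUS/EAP server key and CSR, signed by the first CA only.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/srv.pem" 2>/dev/null
}

# Model of the client's decision: does the server certificate chain to a CA
# in the client's trust store? $1 = server cert, $2 = installed CA (optional).
client_trusts() {
    if [ -n "${2:-}" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi
}

report() {      # $1 = label, remaining arguments go to client_trusts
    label=$1; shift
    if client_trusts "$@"; then echo "$label: trusted"
    else echo "$label: rejected (the unknown_ca case)"; fi
}

lab=$(mktemp -d) && make_lab "$lab" && {
    report "no CA installed"        "$lab/srv.pem"
    report "lookalike CA installed" "$lab/srv.pem" "$lab/lookalike.pem"
    report "signing CA installed"   "$lab/srv.pem" "$lab/ca.pem"
}
rm -rf "$lab"
```

Only the third store passes: trust follows the signing key, so a CA certificate with a matching name but a different key pair does not help.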
Original Message:
Sent: Jul 19, 2023 12:05 PM
From: housegregory
Subject: NEW PHONES GIVING CA ERRORS
Hello,
We have a working setup in which all of my certificates are valid, and my previous clients can authenticate without a problem in my Aruba Wireless Network. But when clients get a new mobile phone, it gives the error in the attachments. I don't know what changed on the client side in brand new phones. Any ideas?