Cloud Managed Networks


[TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

  • 1.  [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 05, 2025 04:52 AM

    As part of the Zero Trust model, the goal is to authenticate, authorise and profile every device that connects to the network. To achieve this, we'll use ClearPass to provide authentication for Aruba Access Points (APs).

    Aruba APs support 802.1X authentication on their uplinks, and you can choose between EAP-PEAP or EAP-TLS. The recommended and more secure option is EAP-TLS.

    In this technote, I'll focus on Aruba AOS10 APs that are managed through Aruba Central. These APs will be authenticated using 802.1X and they will leverage their built-in Trusted Platform Module (TPM) device certificate to perform EAP-TLS authentication when connecting to CX switches.

    Hope you'll find it useful and as always please send through your feedback for improvement.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------


  • 2.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 08, 2025 09:17 AM

    Hi @ariyap

    Is it mandatory to use TLS without Auth? 

    I did have quite some problems with TPM cert and didn't manage to make it work.

    I always receive EAP-TLS: fatal alert by server - unknown ca.

    I enabled all Aruba CAs in the trusted list on ClearPass (6.12.6). No luck. I even have a TAC case open, and the response was that it is not supported :-(

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 3.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 08, 2025 10:58 AM

    Did you check the section on certificate errors (4.3)? The message EAP-TLS: fatal alert by server - unknown ca means that there is a CA missing from the trust list.

    Please check the Issuing CA for the device certificate, and all intermediates up to the root CA. All of them should be in the Trust List, and I would enable them for EAP, RadSec and Others if you have issues. I think only the Issuing CA for the device certificate needs to have EAP (for 802.1X) and/or RadSec (for RadSec) enabled. The intermediates probably can be Other.

    I think you are missing probably one CA which may not even be in ClearPass; but first step is to find out what is the CA chain.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 08, 2025 04:28 PM

    As Herman mentioned, I have a section just for the common certificate errors, and unknown_ca is one of them; check it out.






  • 5.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 09, 2025 02:14 AM

    Hi Ariyap.

    I did check the CCA section :-) The problem is that ClearPass 6.12 does not have the correct CA certificates, or at least the TAC engineer and I can't find them. The names in the Issuing CA are correct, but the serial numbers do not match between ClearPass and the APs. I did check for AP-505H, AP-315 and AP-377.

    From AP-505H I get this device certificate

    It should be enabled in ClearPass, but it looks like it's not the correct one :-(

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 6.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 09, 2025 04:59 AM

    The device certificate's serial number is unique to that device and should not match the issuer CA's serial number. Note that I used ClearPass 6.11.x.

    But I suggest looking at the Access Tracker session for the failed request, Input tab -> "Computed Attributes", and checking the Certificate:Issuer-CN field, because the output of the device cert from the AP could be truncated (just to be sure). Then check whether the CA certificate exists and is trusted in CP.



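The chain check described in the two replies above (read the device certificate's Issuer-CN, then confirm that CA and every CA above it up to the root is present in the trust list) as an added example in Go. This is not code from the original posts, from ClearPass or from Aruba: it builds a constructed three-tier chain with made-up names (Test Root CA, Test Device Issuing CA, AP-TESTSERIAL0001) standing in for the real AP TPM certificate chain, verifies the device certificate against a trust list the way a RADIUS server would, and names the first CA that is missing. The "issuing CA only" scenario is the one from later in this thread, where the root CA was not enabled for EAP.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key and signs a certificate for tmpl with parentKey.
// When parent is nil the certificate is self-signed (a root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildTestChain creates a constructed stand-in for an AP's chain:
// root CA -> device issuing CA -> per-device client-auth certificate.
// All names and serials here are made up for this example.
func BuildTestChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := newCert(caTemplate("Test Root CA", 1), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	issuing, issKey, err := newCert(caTemplate("Test Device Issuing CA", 2), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(3), // per-device value, unrelated to the CA's own serial
		Subject:      pkix.Name{CommonName: "AP-TESTSERIAL0001"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	device, _, err := newCert(leaf, issuing, issKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, issuing, device, nil
}

// Verify models a RADIUS server's trust list: each trusted CA is a trust anchor
// if self-signed, otherwise an intermediate that must itself chain to an anchor.
func Verify(device *x509.Certificate, trusted []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IsUnknownCA reports whether Verify failed for the reason behind the TLS
// unknown_ca alert: no path from the device certificate to a trusted root.
func IsUnknownCA(err error) bool {
	var e x509.UnknownAuthorityError
	return errors.As(err, &e)
}

// FirstMissingCA walks upward by Issuer-CN (the Access Tracker computed attribute)
// and returns the first CA name absent from the trust list, or "" if complete.
// Name matching is only triage; Verify above is the authoritative check.
func FirstMissingCA(device *x509.Certificate, trusted []*x509.Certificate) string {
	byName := make(map[string]*x509.Certificate, len(trusted))
	for _, c := range trusted {
		byName[c.Subject.CommonName] = c
	}
	cur := device
	for i := 0; i <= len(trusted); i++ { // bounded so a looping list cannot spin forever
		ca, ok := byName[cur.Issuer.CommonName]
		if !ok {
			return cur.Issuer.CommonName
		}
		if bytes.Equal(ca.RawIssuer, ca.RawSubject) {
			return "" // reached a self-signed root: every link is present
		}
		cur = ca
	}
	return cur.Issuer.CommonName
}

func main() {
	root, issuing, device, err := BuildTestChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("device cert Issuer-CN:", device.Issuer.CommonName)
	scenarios := []struct {
		name    string
		trusted []*x509.Certificate
	}{
		{"root + issuing CA trusted", []*x509.Certificate{root, issuing}},
		{"issuing CA only (root not enabled)", []*x509.Certificate{issuing}},
		{"root only (issuing CA absent)", []*x509.Certificate{root}},
	}
	for _, s := range scenarios {
		fmt.Printf("%-36s unknown_ca=%-5v first missing CA=%q\n",
			s.name, IsUnknownCA(Verify(device, s.trusted)), FirstMissingCA(device, s.trusted))
	}
}
```

On a real deployment the device certificate comes from the AP (or from the failed Access Tracker request) rather than from BuildTestChain, and the trust list is whatever is enabled for EAP in ClearPass; a non-empty FirstMissingCA result names the CA to import or enable.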



  • 7.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 10, 2025 05:53 AM

    Hi @ariyap

    After additional testing I finally managed to make it work. It helped to read your troubleshooting several times. It was the last Root CA not enabled for EAP. My bad.

    As I need the OCSP check to be enabled, I created a new Method with OCSP optional as the final touch that made things work. I would add/change the method in your instructions to use None or Optional for OCSP checks.

    All in all it was extremely helpful document and discussion. 

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 8.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 10, 2025 12:04 PM

    You might be better off creating a service specifically for the APs and simplifying the auth method based on those needs, rather than having one generic service for everything 802.1X.  The AP is fairly easy to identify by the username presented.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 08, 2025 04:58 PM

    Mandatory, no, but if you have AuthZ enabled on the auth method, then you have to have an auth source that will match the username presented by the device in order for the authorization check to pass.  Disable the AuthZ check in the auth method to avoid that username validation, then run your AuthZ based on something else.  Once upon a time you would use an integration with Activate to download a list of your devices and validate against that, nowadays you might need to register the devices in the Guest Device Repository.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 09, 2025 02:23 AM

    Hi Carson.

    Many thanks for the clear explanation. It confirms my findings :-) I did exactly this. Currently I'm using the Local Users database for APs. I did try the Guest Device Repository, but somehow it didn't work as expected. Will need to try again. My goal is to use a single service for universal ports. The environment is going toward CX only.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------



  • 11.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 09, 2025 02:06 PM

    Frankly, you're better off just registering the devices into the device repository as you're almost guaranteed to need to do a MAC auth at some point and then you've already got things good to go.  All you really care about is that the AP is a device that you intend to have on the network which the MAC address is usually good enough for, at least once you've got the certificate proving the device is authentic.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 12.  RE: [TUTORIAL] TPM based Device Certificate for Authenticating Aruba APs

    Posted Dec 10, 2025 12:11 PM

    Hi Carson.

    Following your remarks I rechecked my service definition and found out that I didn't add the Guest Device Repository in the Authentication phase. How embarrassing. Now everything is working just fine. Again, many thanks for the help.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2025
    ------------------------------