The TPM is the Trusted Platform Module, and it is like a hardware processor dedicated to encryption and key storage. The benefit of a TPM is that it protects your cryptographic (private) key in hardware and prevents it from being exported by the user, but it can be used for authentication on that device only. Windows tries to protect private keys as well if you configure them to be non-exportable, but as the keys are in software it's not (theoretically) bulletproof.
You probably don't want your users to export their key & certificate, but that's dependent on your design. Using the TPM increases the security in general and can be considered a good thing (if it works ;-).
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 11, 2023 10:41 AM
From: craigland
Subject: Unsupported certificate from Intune/NDES
On my SCEP profile in Intune I had the Key storage provider set to "Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP" so looks like TPM was being used. I changed it to "Enroll to Software KSP" and now I am able to connect. I imagine using TPM brings some added security benefits? I'll look into what we need to do to get devices updated, but looks like things are working for now.

Thank you so much for your help!
------------------------------
Craig Russell
Original Message:
Sent: Apr 11, 2023 09:59 AM
From: Herman Robers
Subject: Unsupported certificate from Intune/NDES
No, you would only need the Intune SCEP Extension if you want to enroll from the ClearPass Onboard CA. Certificates from a Windows CA won't run over the Intune SCEP extension.
Just checked internally and found on the message "RSA_verify_PKCS1_PSS_mgf1:last octet invalid", that a Microsoft issue may hit you:
"The particular Cipher Suite RSA_PSS is causing the TLS 1.2 fail with fatal alert during RADIUS processing.
This issue is caused by Microsoft's TPM 2.0 in a specific sub version of this Software application.
Microsoft has concluded that updating this application to a newer version fixes this issue.
Meanwhile, as a workaround, we can disable TLS 1.2 and force clients to use TLS 1.1 until such an update is done."
Are you using the TPM for this certificate?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 11, 2023 08:49 AM
From: craigland
Subject: Unsupported certificate from Intune/NDES
Hi Herman,
My certificate has Digital Signature and Key Encipherment for Key Usage and for Enhanced Key Usage I have Client Authentication and Any Purpose. I did delete the cert from my device and then synced with Intune to pull a new one.
The certs are issued by a private Windows CA and pushed to the device through an Intune SCEP profile. Do I need the Intune Clearpass extension to make this work?
------------------------------
Craig Russell
Original Message:
Sent: Apr 11, 2023 04:48 AM
From: Herman Robers
Subject: Unsupported certificate from Intune/NDES
I checked my client certificates (issued through SCEP from ClearPass Intune Extension) and have Key Usage: Digital Signature, Key Encipherment, Key Agreement (e8 00); and for Enhanced Key Usage only Client Authentication.
In another one (issued by AD), the Enhanced Key Usage is Encrypting File System, Secure Email, and Client Authentication. The Key Usage there is Digital Signature, Key Encipherment (a0).
Can you try to remove server authentication?
Have you removed the issued certificate and requested a new one after you changed your enrollment parameters?
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 10, 2023 04:22 PM
From: craigland
Subject: Unsupported certificate from Intune/NDES
So we found that the "unsupported certificate purpose" issue was because we didn't have "Digital Signature" enabled as a key usage in the certificate template. We fixed that but now I'm getting a different error in access tracker:

Google hasn't been very helpful on this error. Have you encountered this one before?
Thanks,
------------------------------
Craig Russell
Original Message:
Sent: Apr 07, 2023 03:20 PM
From: jonas.hammarback
Subject: Unsupported certificate from Intune/NDES
Ok, it was a bit of wild guess that the SAN would be the issue.
Removing the Server Authentication will not change anything.
But you can do so as long as you are not planning to use the client certificates for services like web servers on the client.
I don't think I have run into any such case in my 25+ years in the business.
If a specific device type needs to act as a server, the best practice is to have a separate certificate for that purpose.
I'm not 100 per cent sure, but I think an AD integrated CA server can only provide certificates to domain joined computers within the domain, certificates based on CSR without AD connection, or to devices and users outside the AD with SCEP/NDES support.
I don't know how it will work if you push certificates with Intune to computers in a sub domain.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Apr 07, 2023 03:02 PM
From: craigland
Subject: Unsupported certificate from Intune/NDES
We are running version 6.11.2
I changed the SCEP cert profile in Intune so that my cert has a SAN now. That line is no longer in the lines but all the errors are still there.
Should I remove "Server Authentication" from the cert template or is it not hurting anything?
Another thing that crossed my mind - our CA sits at our top level domain but we have two subdomains underneath, one of which is where the Clearpass server is joined. They are in the same forest and have trust. Would that make a difference?
Thanks for your help so far. I may need to find an Intune forum to ask in as well.
------------------------------
Craig Russell
Original Message:
Sent: Apr 07, 2023 02:26 PM
From: jonas.hammarback
Subject: Unsupported certificate from Intune/NDES
Hi
What ClearPass version do you have?
The row "certificate does not have X509v3 Subject Altenate Name extension" caught my attention.
Do you have SAN in the client certificates?
The standard states that SAN should be utilized instead of the old attribute common name.
I have not seen if it has been enforced in newer ClearPass versions. But on the other hand, all my customers have certificates with SAN. So I have not encountered such situations.
Client Authentication is enough as usage in a client certificate.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
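Added example, not code from this thread and not ClearPass, Intune or NDES code: a small POSIX shell check (assuming OpenSSL 1.1.1 or later is on PATH, for `req -addext`) that reads a PEM client certificate and reports the three properties the thread settles on. The Digital Signature key usage is the one Craig found missing: OpenSSL reports "unsupported certificate purpose" for an SSL client when the Key Usage extension is present without digitalSignature, or the Extended Key Usage is present without clientAuth. The Client Authentication EKU is what Jonas calls sufficient, and the Subject Alternative Name is the extension the earlier log line said was absent. The self-signed certificates it generates are constructed test input; `laptop01` and `laptop01.example.com` are placeholder names.

```shell
#!/bin/sh
# Added example (not from the thread): check a PEM client certificate for the
# extensions an EAP-TLS client certificate needs before blaming the RADIUS side.
# Assumes `openssl` 1.1.1 or newer is on PATH.

# Print the value line that follows a named X509v3 extension header in
# `openssl x509 -text` output; prints nothing if the extension is absent.
ext_value() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk -v name="$2" '
    found           { print; found = 0 }
    index($0, name) { found = 1 }'
}

# Return 0 if the certificate passes all three checks, 1 otherwise, naming
# each failing check on stdout. This is stricter than OpenSSL's own purpose
# check (which only complains when KU/EKU are present but wrong): here both
# extensions must exist, as the certificates in the thread have.
check_client_cert() {
  cert="$1"
  rc=0
  ku=$(ext_value "$cert" "X509v3 Key Usage")
  eku=$(ext_value "$cert" "X509v3 Extended Key Usage")
  san=$(ext_value "$cert" "X509v3 Subject Alternative Name")

  case "$ku" in
    *"Digital Signature"*) ;;
    *) echo "FAIL: Key Usage lacks Digital Signature (ku='$ku')"; rc=1 ;;
  esac
  case "$eku" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "FAIL: Extended Key Usage lacks Client Authentication (eku='$eku')"; rc=1 ;;
  esac
  if [ -z "$san" ]; then
    echo "FAIL: no Subject Alternative Name extension"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $cert"
  return "$rc"
}

# Issue a throw-away self-signed certificate with the given extensions
# (constructed test input; a real one comes from the Windows CA via NDES/SCEP).
# $1 output .pem, $2 keyUsage, $3 extendedKeyUsage, $4 subjectAltName or "".
make_cert() {
  out="$1"; ku="$2"; eku="$3"; san="$4"
  key="${out%.pem}.key"
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=laptop01" \
      -keyout "$key" -out "$out" -addext "keyUsage=$ku" \
      -addext "extendedKeyUsage=$eku" -addext "subjectAltName=$san" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=laptop01" \
      -keyout "$key" -out "$out" -addext "keyUsage=$ku" \
      -addext "extendedKeyUsage=$eku" 2>/dev/null
  fi
}

# Usage: sh check_client_cert.sh <cert.pem>
# Without an argument nothing runs, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  check_client_cert "$1"
fi
```

On a Windows client the same certificate can be exported (certificate only, no private key) from the user store and fed to this script; a failing check narrows the problem to the certificate template or SCEP profile rather than the ClearPass service.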
Original Message:
Sent: Apr 07, 2023 01:45 PM
From: craigland
Subject: Unsupported certificate from Intune/NDES
Hi Jonas,
I don't have anything on the Certificate Revocation Lists page.
I am using the built-in EAP-TLS authentication method and the settings for my authentication source are this:

The ClearPass server is joined to AD. The RADIUS certificate is from our internal CA and the root CA is in the trust list. The same root CA is also on the client device.
For further reference, here is what I'm seeing in the Access Tracker log:
The "unsupported certificate purpose" has me stumped. The certificate has the Application Policies set to "Client Authentication" and "Server Authentication" which I believe should be sufficient.
------------------------------
Craig Russell
Original Message:
Sent: Apr 07, 2023 12:13 PM
From: jonas.hammarback
Subject: Unsupported certificate from Intune/NDES
Hi Craig
From the error message it looks like the verification of the certificate fails.
Do you have CRL and/or OCSP revocation check, and do these checks work on the ClearPass server?
In the EAP-TLS authentication source, do you have the default settings to authorize the certificate user? This only works if you have an Active Directory connected where you can do the authorization. This is worth checking, but it's not the root cause for your issue as the request fails already on the validation of the certificate.
I assume that you have correct trust in ClearPass for the client certificate and vice versa, the client trusts the root CA for the Radius certificate installed in ClearPass.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Apr 07, 2023 11:16 AM
From: craigland
Subject: Unsupported certificate from Intune/NDES
I am working on setting up Intune to push out certificates to Windows computers that will be used to access an EAP-TLS Wifi network. We set up an NDES server with the Intune connector and then set up a SCEP cert profile in Intune. My laptop has received the certificate from Intune, but when I try to join the network Access Tracker gives the alert below:

I followed this guide to set up the NDES server and certificate templates and set the Application Policies to "Client Authentication" and "Server Authentication".
Here is the SCEP profile I configured in Intune:

I've been over all the documentation I can find and can't find where I went wrong. From the error I receive I feel like the issue is with the cert template, but if there's anything else I should be looking at I'd appreciate some guidance.
------------------------------
Craig Russell
------------------------------