Tuesday, July 13, 2021

ClearPass onboarding trust chain issue

Hey guys,

I'm building out a new Onboard setup in ClearPass and I'm running into an issue with macOS 12 that I was hoping maybe someone else has encountered (though in all honesty, I haven't tried other platforms yet). The services are all built, everything works in Policy Manager, all good.

In the network settings, I have a wildcard cert trust listed under trusted server names and I have the root CA uploaded in the trusted certificates section. The documentation doesn't specify that you need the full chain for the EAP in that section, so I'm leaving just the root.

However, the problem I'm seeing is not with the EAP cert; it has to do with the device cert. The device cert is onboarded fine; however, the .cer that is downloaded when you go through the onboarding only includes the root CA for device certs and not the signing intermediate, so the device cert shows as untrusted.

How can I get Onboard to:

A) Include the full chain in the profile

B) If A is not possible, include the root and intermediate in the mdps_profile.cer that is downloaded.

Thanks.
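The trust failure described in the post can be reproduced outside ClearPass with a constructed lab PKI. This is an added example, not part of the original post and not ClearPass tooling; the CA names, file names and helper functions are hypothetical. It validates a device certificate issued by an intermediate against a root-only bundle and against a root-plus-intermediate bundle.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (hypothetical names): root -> intermediate -> device cert.
set -eu

build_lab_pki() {   # $1 = empty working directory
  local d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_device]
basicConstraints = CA:FALSE
EOF
  # Self-signed root CA.
  openssl req -x509 -config "$d/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Lab Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate (signing) CA issued by the root.
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Lab Signing CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 2 -extfile "$d/lab.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  # Device certificate issued by the intermediate, not by the root.
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=lab-device" -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -extfile "$d/lab.cnf" -extensions v3_device -out "$d/device.pem" 2>/dev/null
  # Two candidate trust bundles: root only, and root plus intermediate.
  cp "$d/root.pem" "$d/root_only.pem"
  cat "$d/root.pem" "$d/int.pem" > "$d/full_chain.pem"
}

chain_ok() {        # $1 = PEM trust bundle, $2 = PEM certificate to validate
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

cert_count() {      # number of certificates in a PEM bundle
  grep -c 'BEGIN CERTIFICATE' "$1"
}

lab=$(mktemp -d)
build_lab_pki "$lab"
for bundle in root_only.pem full_chain.pem; do
  if chain_ok "$lab/$bundle" "$lab/device.pem"; then result=trusted; else result=untrusted; fi
  echo "$bundle ($(cert_count "$lab/$bundle") cert(s)): device cert $result"
done
```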


