Occasional Contributor I

EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Greetings,

I have what seems to be a peculiar issue. We run an Aruba ClearPass VM with two Aruba wireless controllers running in active/passive mode. We also have a good number of 720 APs that connect to these controllers.

We have several SSIDs, but the ones affected by this issue authenticate using 802.11x.

Last week I was made aware that the RADIUS and HTTP server certificates were expiring. These certificates were real ones issued by the third-party CA Symantec. However, instead of renewing them, I was asked to replace the certificates with a wildcard certificate we've been using recently with other gear that needed it. The reason for moving to a wildcard certificate is an obvious one: it's cheaper to reuse one than to get individual certificates.

Ever since switching to the wildcard certificate, we have Windows wireless clients that can no longer connect. The error logged in ClearPass is the subject of this topic:

EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

I tried manually installing the wildcard certificate on a test Windows laptop that is affected by this, but it doesn't work. I also went into Group Policy and enabled acceptance of third-party and trusted peer CAs, to no avail.

Interestingly, I use an Android phone and it connects to the affected SSID without issue. So it seems Windows clients are probably not seeking the updated certificate by default, or insist on using the previous, now-outdated certificate, as it's the same FQDN hostname but with a brand new wildcard certificate instead.

Any ideas?

Thanks in advance

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Windows doesn't support wildcard cert for 802.1x authentication
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

You cannot use a wildcard certificate as the EAP server certificate.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Sure it does. I implemented the same wildcard certificate on a Cisco ASA VPN concentrator for AnyConnect remote access clients. It works fine.

Or are you saying Microsoft PEAP doesn't support wildcard?

Victor Fabian wrote:
Windows doesn't support wildcard cert for 802.1x authentication

Occasional Contributor I

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Alright. How can I compel Windows to fetch the updated cert from the ClearPass?

cappalli wrote:
You cannot use a wildcard certificate as the EAP server certificate.

Guru Elite

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Correct. Microsoft does not accept wildcard certificates as the EAP server certificate as they are generally considered less secure.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
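A pre-deployment check for the point made above, added here as an example and not part of the thread or any Aruba tooling: before loading a PEM certificate into ClearPass as the RADIUS/EAP server certificate, list the DNS names it asserts (subject CN and SAN dNSNames) and refuse any that start with "*.", which is what the Windows supplicant will not accept. It assumes only the openssl CLI (1.1.1 or newer for the constructed sample certificates); the file names and functions are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or Aruba): reject a wildcard certificate
# before it is installed as the ClearPass RADIUS/EAP server certificate.
# Requires only the openssl CLI (1.1.1+ for the constructed samples below).

# Print every DNS name the certificate asserts: the subject CN first,
# then each SAN dNSName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | awk '
        /Subject:/ {
            if (match($0, "CN *= *[^,/]+")) {
                cn = substr($0, RSTART, RLENGTH)
                sub(/^CN *= */, "", cn); sub(/ *$/, "", cn)
                print cn
            }
        }
        /DNS:/ {
            n = split($0, part, ",")
            for (i = 1; i <= n; i++)
                if (sub(/.*DNS:/, "", part[i])) { sub(/ *$/, "", part[i]); print part[i] }
        }'
}

# Exit status 0 when no asserted name starts with "*." (usable as the EAP
# server certificate for Windows PEAP), 1 when the CN or any SAN is a wildcard.
eap_cert_is_wildcard_free() {
    if cert_dns_names "$1" | grep -q '^\*\.'; then
        return 1
    fi
    return 0
}

# Constructed, throw-away self-signed certificates for the demo.
# $1 = output PEM, $2 = subject CN, $3 = subjectAltName value
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
        -subj "/CN=$2" -addext "subjectAltName=$3" -out "$1" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/wildcard.pem" '*.example.com' 'DNS:*.example.com,DNS:example.com'
make_demo_cert "$demo_dir/radius.pem" 'radius.example.com' 'DNS:radius.example.com'
for pem in "$demo_dir/wildcard.pem" "$demo_dir/radius.pem"; do
    if eap_cert_is_wildcard_free "$pem"; then
        echo "OK for EAP server use: $pem"
    else
        echo "REJECT, wildcard name present: $pem"
    fi
done
rm -rf "$demo_dir"
```

Run it against the PEM you are about to import; a non-zero exit from eap_cert_is_wildcard_free means the Windows clients will keep failing with the error in this thread.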
Occasional Contributor I

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Sweet!!!!!

So.... My only recourse is self-signed or purchase another real one, right?

And if I do self-signed, that will warn everyone that they're potentially accessing an unsafe resource when they connect, no? Or is there a way to suppress that?

I realize I'm probably asking stupid questions to circumvent intended design, but I do appreciate your insight.

Guru Elite

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Self-signed will require the client to have the certificate installed.

Public will prompt the user to verify the server certificate but they don't have to have it installed.

For these reasons, PEAPv0/EAP-MSCHAPV2 is wildly insecure in unmanaged environments and should be avoided.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

How do you suppose that our Android and iPhone user base can connect without issue?

My Android connects as it did before I installed the wildcard cert. I was told that the iPhone prompts to accept the certificate, but it works.

Guru Elite

Re: EAP-PEAP: fatal alert by client - access_denied TLS session reuse error

Like I mentioned, you can use a standard public certificate and continue using PEAP if you're OK with the security implications.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480