Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Error 215 - MAC OS

  • 1.  EAP-TLS Error 215 - MAC OS

    Posted Jun 14, 2017 05:25 PM

    Newbie to the forums and product, please excuse the extreme ignorance to follow.


    We are trying out CP and have an 802.1X policy that works for all Windows machines thrown at it thus far. However, when I try the same process on a Mac, CP gives me Error Code 215. The alert says:


    EAP-TLS: fatal alert by server - handshake_failure
    TLS Handshake failed in SSL_read with error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
    eap-tls: Error in establishing TLS session


    The RADIUS cert used on CP is from our own PKI. Macs and Windows devices are using the same device certificate template when requesting said cert from the CA.


    Any ideas would be most appreciated! Thank you for reading.



  • 2.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 14, 2017 05:36 PM
    Was the cert selected in the initial authentication dialog?


  • 3.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 15, 2017 01:52 PM

    I believe so. A pop-up appears on the Mac asking for the Identity, at which time I select the 802.1x profile that was pushed to the device. One thing I noticed is that the Device Certificate on the Mac has no Subject. The same CA template is used for Device Certs on PC, which are working fine. So, not sure if that is part of the problem or not. Screenshot attached.



  • 4.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 15, 2017 02:15 PM

    Are the machines domain-joined?



  • 5.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 15, 2017 03:03 PM

    Yes, the Macs and PCs are both domain joined.



  • 6.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 15, 2017 03:05 PM
    How are you handling the certificate enrollment?


  • 7.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 15, 2017 03:07 PM

    Internal PKI - GPO for Windows and Casper for Macs



  • 8.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 19, 2017 04:03 PM

    Looks like our PKI template needed to be adjusted for Mac devices. This has been corrected and now the Mac seems to be happy with the new device certificate. However, CP authentication is still failing. At this point I am thinking it may be because "host/" is missing from the Authentication:Full-Username part of the request. For example, working Windows devices return "host/pcname.domain.com" whereas my Mac is sending back "macname.domain.com". 


    Any suggestions would be most appreciated! Thank you for reading.



  • 9.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 19, 2017 04:07 PM
    The supplicant does not append host/ like Windows does. You’ll have to leverage the FQDN.


  • 10.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 19, 2017 04:14 PM

    Would doing so mean that the Service Rule needs to be modified? Sorry, totally new to this product.



  • 11.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 19, 2017 04:21 PM

    Do you have a separate service for machine authentication?



  • 12.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 19, 2017 05:11 PM

    Just one 802.1x service right now, which is for Machine auth.



  • 13.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 19, 2017 05:21 PM
    So you shouldn’t need to change anything. It should authenticate successfully. Is it not?


  • 14.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 19, 2017 06:08 PM

    It is not. Clearpass is telling me User Not Found when it checks AD. That is why I was thinking it was the "host/" prefix.



  • 15.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 19, 2017 09:02 PM
    Under Input in Access Tracker, what is the value for Authentication:Username?


  • 16.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 19, 2017 09:14 PM

    FQDN of the device



  • 17.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 19, 2017 10:49 PM

    OK, so here's the working combo


    Certificate Template

    • Clone the default Computer template, call it "Computer - Mac SPN"
    • Subject Name tab:
      • Subject name format: Fully distinguished name
      • Include Service Principal name (SPN) in alternate subject name
    • Activate the template
    • Change Mac management config profile to reference new template

    mac-machine-certificate-template.png


    ClearPass Authentication Methods

    • Create a new EAP method, type EAP-TLS
    • Authorization Required: Enable
    • Certificate Comparison: Compare Subject Alternative Name
    • OCSP configuration varies based on your environment

    ClearPass Service

    • Create a new 802.1X wireless service, call it something to indicate Mac EAP-TLS machine auth.
    • Use the service rules applicable to your environment, but add:
      Authentication // Full-Username // ENDS_WITH // $@<your domain>
    • On the Authentication tab, select the EAP-TLS method you just created
    • Select your AD auth source
    • Enable Strip Username Rules with user:@

    mac-machine-auth-service.png


    That should work.


    You may want to add additional rules that check certificate properties like Subject-DN ENDS_WITH <computer OU>



  • 18.  RE: EAP-TLS Error 215 - MAC OS

    Posted Jun 20, 2017 08:23 AM

    Thank you very much for this. Ignorant question if you don't mind. This looks pretty close to the existing policy for our Windows machines. Do you think the following Service Rules would work if we just modified the PKI template as you suggested? This way we could use the same Service?

    Radius:IETF // Service-Type // BELONGS_TO // Login-User (1), Framed-User (2), Authenticate-Only (8)


  • 19.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Jun 20, 2017 08:26 AM
    You'll need a separate service for macOS because of the difference in username formats.


  • 20.  RE: EAP-TLS Error 215 - MAC OS

    Posted Dec 02, 2022 12:37 PM
    Is this still the case in 2022? According to Apple best practices (last I heard) binding is a no-go, and Jamf indicates if one is using ADCS that the cert request template should be set to "Supply in the Request." Would this still work and/or are those checkboxes exposed when set to supply in? Thanks!


  • 21.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Dec 05, 2022 04:29 AM
    Unfortunately I don't have a test setup available to check this. I don't see a lot of deployments with AD joined Macs myself either, so it may be hard to get a lot of experience here.

    As long as you get a client certificate on your client, and can extract the username (user authentication) or computer name (machine authentication) to be validated to AD, you should be good.

    How do the username and certificate look if you follow the best practices? It may be trivial from there to create an AD Authentication source that leverages the CN or other attribute in the certificate to do the lookup. If you don't need the lookup in AD (for authorization attributes because all clients will get the same access/enforcement), but rely on OCSP/CRL for validating that the client certificate is still active/not revoked, you can leave out the Authorization from your EAP-TLS and avoid the lookup at all.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 22.  RE: EAP-TLS Error 215 - MAC OS

    Posted Dec 05, 2022 01:17 PM

    We're not AD-bound, and have in fact experienced adverse events when AD-bound (password reset loops, etc.). We're not using user auth at all, strictly machine, thus I've had to create placeholder objects in AD, manually modifying them with the attributes Aruba seems to be looking for (primarily $servicePrincipalName), because it is authing against AD lookups it seems.


  • 23.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Dec 05, 2022 08:00 PM
    As Herman has suggested, you could skip the authorization check against AD. If you are sufficiently happy that a client will only have a certificate for authentication if it is valid then you can validate the certificate itself. Checking against a revocation list by using OCSP would be useful to allow you to revoke certificates in the event that a client is lost/stolen or rogue.


  • 24.  RE: EAP-TLS Error 215 - MAC OS

    EMPLOYEE
    Posted Dec 06, 2022 08:43 AM
    Note that for EAP-TLS there is not actually an authentication against AD, as the client certificate is authenticated on the ClearPass server itself against the EAP enabled CAs in the Trust List.

    If you want to check the object in AD (if you don't care, disable Authorization on the EAP-TLS method and you are done), check the LDAP query that is sent to your AD. By default, the query is:
    (&(sAMAccountName=%{Authentication:Username})(objectClass=user))

    Which checks the username sent by the client against an object in AD with the sAMAccountName (which is the AD username) and of objectClass=user. If you created another objectClass, or if the sAMAccountName does not match what the client sends as username (check the Username in Access Tracker), there will not be a match. With an LDAP Query tool you could connect to your AD and create a specific query to match the objects that you created for your Macs in AD. You may check this video that explains a modified query to check based on the UPN or User email in AD instead of the sAMAccountName.



    ------------------------------
    Herman Robers
    ------------------------------
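The username-matching path these last posts describe, as an added illustration that is not ClearPass code: the Mac service rule and strip rule from post 17, the default AD query from post 24, and a hand-evaluated lookup against constructed computer objects showing why the bare FQDN from post 8 yields "User Not Found" while the SPN form matches. The domain, the sample identities and the AD objects are assumptions built for the example.

```python
DOMAIN = "domain.com"  # placeholder for "<your domain>" in post 17

# Constructed AD computer objects (sample data). A computer account's sAMAccountName
# is its host name plus "$", and its objectClass chain includes "user".
AD_OBJECTS = [
    {"sAMAccountName": "PCNAME$", "objectClass": ["top", "person", "user", "computer"]},
    {"sAMAccountName": "MACNAME$", "objectClass": ["top", "person", "user", "computer"]},
]


def matches_mac_service_rule(full_username: str) -> bool:
    """Service rule from post 17: Authentication:Full-Username ENDS_WITH $@<domain>."""
    return full_username.endswith(f"$@{DOMAIN}")


def strip_username(full_username: str) -> str:
    """Strip Username Rule 'user:@' from post 17: keep the part before the first '@'."""
    return full_username.split("@", 1)[0]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping, so a certificate-derived identity cannot change the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def default_ldap_filter(username: str) -> str:
    """The default ClearPass AD query quoted in post 24, with the macro expanded."""
    return f"(&(sAMAccountName={ldap_escape(username)})(objectClass=user))"


def lookup(username: str, objects=AD_OBJECTS):
    """Evaluate the default filter by hand; sAMAccountName compares case-insensitively."""
    for obj in objects:
        if obj["sAMAccountName"].lower() == username.lower() and "user" in obj["objectClass"]:
            return obj
    return None  # the "User Not Found" case from post 14


def authorize(full_username: str):
    """Run rule, strip and lookup in order; returns (ldap filter, matched object or None)."""
    if not matches_mac_service_rule(full_username):
        return None, None  # request would never reach the Mac machine-auth service
    username = strip_username(full_username)
    return default_ldap_filter(username), lookup(username)


if __name__ == "__main__":
    for identity in ["macname.domain.com", "MACNAME$@domain.com", "host/pcname.domain.com"]:
        print(identity, "->", authorize(identity))
```

The Windows "host/" identity fails the Mac rule on purpose, which is the reason post 19 keeps a separate service per platform.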