Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Error Code: 215

  • 1.  Error Code: 215

    Posted May 31, 2017 02:39 PM

    Hi,

    We have installed a public certificate on CPPM and are trying to authenticate a wireless client, but we get the alert below in Access Tracker.


    Error Code: 215
    EAP-TLS: fatal alert by server - unknown_ca
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session

    TLS session error

    I am trying to authenticate from a Windows 8 OS. The authentication method configured in the client SSID profile is WPA2-Enterprise + AES.

    Network authentication method - Microsoft smart card or other certificate

    "Use a certificate on this computer" and "Validate server certificate" are enabled.
    The trusted root certificate is available in the Trusted Root Certification Authorities list.

    Below are the session logs

    2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - --> verify error:num=20:unable to get local issuer certificate
    2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - TLS Alert write:fatal:unknown CA
    2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] INFO RadiusServer.Radius - TLS_accept:error in error
    2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed


    Can someone please suggest a resolution?


    Thank you...



  • 2.  RE: Error Code: 215

    EMPLOYEE
    Posted May 31, 2017 02:41 PM
    You mentioned a public certificate. Is that the EAP server certificate or the client certificate?

    It’s likely that your client certificates are signed by an internal CA. Be sure that CA is installed into the client’s root store.


  • 3.  RE: Error Code: 215

    Posted May 31, 2017 02:49 PM

    Hi Cappali,

    I have generated a CSR in CPPM and submitted it to our CA. He has shared the public certificate in .p12 format. I imported that certificate in the MMC console under Certificates --> Personal and then exported it in .crt format.

    Then I combined all 3 certificates (Server, Intermediate and Root) and imported them in CPPM.

    At the client side the root certificate is available in the wireless profile certificate list.



  • 4.  RE: Error Code: 215

    EMPLOYEE
    Posted May 31, 2017 02:54 PM

    Who is the issuer of the client certificate?



  • 5.  RE: Error Code: 215

    Posted May 31, 2017 03:00 PM

    Radius



  • 6.  RE: Error Code: 215

    EMPLOYEE
    Posted May 31, 2017 03:16 PM
    What is the name of the CA that issued the client certificate? Look in the client certificate at the Issuer.


  • 7.  RE: Error Code: 215

    EMPLOYEE
    Posted Jun 01, 2017 09:47 AM

    Hi,

    It might be an issue with your RADIUS certificate; check whether you have formed a proper certificate chain. Check my old community link:

    http://community.arubanetworks.com/t5/Network-Management/Analytics-amp-Location-Engine-how-upload-SSL-Certificate/m-p/293559#M6507

    Note: Make sure the CA root certificate is in the client trust list and also in CPPM.


    Regards,

    Pavan



  • 8.  RE: Error Code: 215

    Posted Jun 01, 2017 01:54 PM

    Hi,

    As discussed with the TAC engineer, I have configured the EAP-TLS method for certificate-based client authentication. I have added the wireless client certificate into the CPPM certificate trust list and now the client is successfully authenticated. But at the same time other clients are also authenticating, even though I haven't added their certificates to the trust list.

    In our Juniper SBR we have created a client profile and added only selected client host names + certificate Pin, and only those clients get wireless access.

    Can we achieve the same in CPPM?

    Thank you...



  • 9.  RE: Error Code: 215

    EMPLOYEE
    Posted Jun 01, 2017 02:34 PM

    "I have added the wireless client certificate into the CPPM certificate trust list and now the client is successfully authenticated. But at the same time other clients are also authenticating, even though I haven't added their certificates to the trust list."

    Typically only the CA that issued the client certificate should be in the CPPM trust list, NOT the client certificate. CPPM would then allow all clients issued by that CA to authenticate.



  • 10.  RE: Error Code: 215

    Posted Jun 02, 2017 05:17 AM

    Hi,

    The requirement is as below:

    Each wireless client has a unique certificate, and once this certificate is added to the CPPM trust list the client should be able to connect. If the certificate is not added, the client should not be allowed.

    Present challenge:

    We have added a certificate for one client to the CPPM trust list and the client is successfully able to authenticate through EAP-TLS. However, when we try connecting a client whose certificate is not added to the CPPM trust list, even that client is able to connect. This should not be allowed.

    Kindly help me to achieve the requirement



  • 11.  RE: Error Code: 215

    EMPLOYEE
    Posted Jun 02, 2017 05:21 AM

    Again, you typically allow trust via the CA, and not the individual client. That is why all clients can authenticate after you add the trust. Per-client authorization is typically handled via something like OCSP (https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol) or a CRL (Certificate Revocation List), where individual certificates can be revoked.



  • 12.  RE: Error Code: 215

    EMPLOYEE
    Posted Jun 02, 2017 06:55 AM
    You should be rejecting the users via policy.


  • 13.  RE: Error Code: 215

    Posted Jun 03, 2017 08:45 AM
    As discussed with TAC, they suggested configuring a service, removing the authentication source, and writing an enforcement policy with the rule sequence below...
    Certificate.... Subject-CN.... Equal....(Subject CN name)
    Enforcement profile - Allow all
    I have added one subject CN name in the rule.
    But still the same result: clients whose subject CN is not added get authenticated.
    I even tried changing the policy default role to deny all (so that only the added subject CN gets authenticated).
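
An added example, not from this thread and not ClearPass code: a throwaway PKI built with openssl that reproduces the thread's "error 20 ... unable to get local issuer certificate" when only the client certificate is in the trust list, shows that trusting the issuing CA instead admits every certificate that CA issued (post 9), and then applies a default-deny Subject-CN allow list of the kind the enforcement policy in post 13 is meant to be. The names "Demo Client CA", "laptop-01" and "laptop-02" are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not ClearPass code: throwaway PKI, chain validation, default-deny CN policy.
# Constructed names: "Demo Client CA", "laptop-01" (allowed), "laptop-02" (not allowed).
set -eu
WORK=$(mktemp -d)

setup_pki() {
  # Self-signed root standing in for the internal CA that issues the client certificates.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  for host in laptop-01 laptop-02; do          # two client certs from the same CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$host.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$host.crt" >/dev/null 2>&1
  done
}

# Chain validation as the EAP-TLS server performs it: $1 = trust list, $2 = client cert.
# Prints "OK" or openssl's reason text (e.g. "unable to get local issuer certificate").
verify_result() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)   # old openssl exits 0 on failure
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

# Policy layer: Certificate:Subject-CN must appear on the allow list, otherwise DENY.
# Leaving the policy default at "Allow all" is what lets unlisted clients through.
ALLOWED_CN="laptop-01"
authorize_cn() {
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *CN=//')
  for a in $ALLOWED_CN; do
    if [ "$cn" = "$a" ]; then echo ALLOW; return 0; fi
  done
  echo DENY
}

setup_pki
echo "trust list = leaf cert only : $(verify_result "$WORK/laptop-01.crt" "$WORK/laptop-01.crt")"
echo "trust list = issuing CA     : $(verify_result "$WORK/ca.crt" "$WORK/laptop-01.crt")"
echo "laptop-02 with CA trusted   : $(verify_result "$WORK/ca.crt" "$WORK/laptop-02.crt")"
echo "policy: laptop-01 $(authorize_cn "$WORK/laptop-01.crt"), laptop-02 $(authorize_cn "$WORK/laptop-02.crt")"
```

The first line of output is the thread's failure mode, the third line is why CA trust alone cannot restrict access to named devices, and the last line is the policy check that has to carry that restriction.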


  • 14.  RE: Error Code: 215

    EMPLOYEE
    Posted Jun 03, 2017 08:48 AM
    This is very difficult to troubleshoot on here. Have you reached out to your Aruba ClearPass partner?


  • 15.  RE: Error Code: 215

    Posted Jun 03, 2017 08:56 AM
    Yes, I reached out to our partner, but he is working on this kind of requirement for the first time.
    Anyway I will try to troubleshoot this issue with help of TAC and share the result on community.


  • 16.  RE: Error Code: 215

    Posted Nov 22, 2017 12:18 PM

    I am having the same issue. Did you find any solution? I appreciate your help.