Frequent Contributor II
Posts: 184
Registered: 04-17-2013

Error Code: 215

Hi,

We have installed a public certificate on CPPM and are trying to authenticate a wireless client, but we get the below alert in Access Tracker.


Error Code: 215
EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session

TLS session error

I am trying to authenticate from a Windows 8 OS. The authentication method configured in the client SSID profile is WPA2-Enterprise + AES.

Network authentication method - Microsoft smart card or other certificate

"Use a certificate on this computer" and "Validate server certificate" are enabled.
The trusted root certificate is available in the Trusted Root Certification Authorities list.

Below are the session logs:

2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - --> verify error:num=20:unable to get local issuer certificate
2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - TLS Alert write:fatal:unknown CA
2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] INFO RadiusServer.Radius - TLS_accept:error in error
2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
2017-05-31 18:22:18,949[Th 42 Req 394 SessId R0000004b-01-592ebc82] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed


Can someone please suggest a resolution?


Thank you...

Guru Elite
Posts: 8,759
Registered: 09-08-2010

Re: Error Code: 215

You mentioned a public certificate. Is that the EAP server certificate or the client certificate?

It’s likely that your client certificates are signed by an internal CA. Be sure that CA is installed into the client’s root store.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 184
Registered: 04-17-2013

Re: Error Code: 215

Hi Cappalli,

I have generated a CSR in CPPM and submitted it to our CA. He shared the public certificate in .p12 format. I imported that certificate in the MMC console under Certificates --> Personal and then exported it in .crt format.

Then I combined all 3 certificates (Server, Intermediate and Root) and imported them into CPPM.

At the client side, the root certificate is available in the wireless profile certificate list.

Guru Elite
Posts: 8,759
Registered: 09-08-2010

Re: Error Code: 215

Who is the issuer of the client certificate?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 184
Registered: 04-17-2013

Re: Error Code: 215

Radius

Guru Elite
Posts: 8,759
Registered: 09-08-2010

Re: Error Code: 215

What is the name of the CA that issued the client certificate? Look in the client certificate at the Issuer.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 508
Registered: 02-19-2015

Re: Error Code: 215

Hi,


It might be an issue with your RADIUS certificate; check whether you have formed a proper certificate chain. Check my old community link:


http://community.arubanetworks.com/t5/Network-Management/Analytics-amp-Location-Engine-how-upload-SSL-Certificate/m-p/293559#M6507


Note: Make sure the CA root certificate is in the client trust list and also in CPPM.


Regards,

Pavan

Frequent Contributor II
Posts: 184
Registered: 04-17-2013

Re: Error Code: 215

Hi,

As discussed with the TAC Engineer, I have configured the EAP-TLS method for certificate-based client authentication. I have added the wireless client certificate into the CPPM certificate trust list and now the client is successfully authenticated. But at the same time other clients are also authenticating, even though I haven't added their certificates to the trust list.

In our Juniper SBR we created a client profile and added only selective client host names + certificate PINs, and only those clients get wireless access.

Can we achieve the same in CPPM?

Thank you...

Guru Elite
Posts: 21,491
Registered: 03-29-2007

Re: Error Code: 215

"I have added the wireless client certificate into the CPPM certificate trust list and now the client is successfully authenticated. But at the same time other clients are also authenticating, even though I haven't added their certificates to the trust list."

Typically only the CA that issued the Client Certificate should be in the CPPM trust list, NOT the client certificate. CPPM would then allow all clients issued by that CA to authenticate.



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 184
Registered: 04-17-2013

Re: Error Code: 215

Hi,

The requirement is as below:

Each wireless client has a unique certificate, and once this certificate is added to the CPPM trust list the client should be able to connect. If the certificate is not added, the client should not be allowed.


Present Challenge

We have added a certificate for one client in the CPPM trust list and the client is successfully able to authenticate through EAP-TLS; however, when we try connecting a client whose certificate is not added in the CPPM trust list, even that client is able to connect. This should not be allowed.

Kindly help me achieve the requirement.
