New Contributor

IOS/OSX Onboard Error, failed in SSLv3 read client certificate A

I have been following the video tutorials provided by Herman and I have been able to get my ClearPass where it will authenticate both PEAP and TLS Windows AD clients without any issue.

I have moved on to the onboarding and again followed the videos and have been able to successfully onboard a Windows client.

When I try to authenticate an iOS or OS X device I get an issue about certificates.

I am using a CP Hosted Root CA.

From what I can see from the profile, the certificates are passed and enabled for trust; they just don't connect.

In the logs I get an error about 'TLS_accept:error in SSLv3 read client key exchange A'

I am not sure what is different. When I search on the error, a lot of sites indicate that it is an issue with the client not trusting the Root CA certificate, but from what I can see the certificate is installed as a trusted root CA.

Any advice on how to troubleshoot this?

Thanks

Guru Elite

Re: IOS/OSX Onboard Error, failed in SSLv3 read client certificate A

Is your EAP server certificate SHA-2?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: IOS/OSX Onboard Error, failed in SSLv3 read client certificate A

The CA Root Server is SHA512 and the Client Certificates generated from it are SHA512 as well, with a 2048-bit key.

The Radius Client Certificate is SHA1 with a 2048-bit key.

I have attached an example cert.

Guru Elite

Re: IOS/OSX Onboard Error, failed in SSLv3 read client certificate A

Your EAP server certificate needs to be SHA-2 or higher.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: IOS/OSX Onboard Error, failed in SSLv3 read client certificate A

Hi Seic,

I think you're doing lab testing with the ClearPass Onboard feature, so using SHA-512 is not really an issue. If you plan to implement Onboard in a production environment, using SHA-512 for each client cert may cause serious performance issues. I would go for SHA-256 instead.

Thank you,

New Contributor

Re: IOS/OSX Onboard Error, failed in SSLv3 read client certificate A

Hi, I have the same question. Can you tell me the solution?
