Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard EAP-TLS Error 215

  • 1.  Onboard EAP-TLS Error 215

    Posted May 31, 2016 10:12 AM

    Hello Community.

    I try to set up onboarding in my demo lab. I can provision my device and I get a certificate enrolled. When my client (iPhone, OSX or Windows) then tries to connect over EAP-TLS I get an error.

    Error Code: 215
    Error Category: Authentication failure
    Error Message: TLS session error
    Alerts for this Request:
    RADIUS: EAP-TLS: warning alert by client - close_notify
    eap-tls: Error in establishing TLS session

    In the logs I get the following errors:

    2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
    2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
    2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
    2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

    I use CPPM as local root CA. I have only self-signed certificates. I unchecked "Require HTTPS for guest access" under Guest --> Configuration --> Authentication.

    In Onboard --> Network Settings --> Trust, all is on automatic.

    I also tried to configure it manually, but I am also not sure what to configure there.

    I despair with the onboarding!

    I don't know why it will not work.

    Regards Stefan



  • 2.  RE: Onboard EAP-TLS Error 215

    EMPLOYEE
    Posted Jun 06, 2016 03:12 AM

    Stefan,

    Do yourself a favour and read the ClearPass Certificate 101 technote (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx) and get some trusted certificates, at least during testing.

    Free trusted certificates for lab use are available through Startcom StartSSL (startssl.com) and Let's Encrypt (letsencrypt.org).

    Onboarding without trusted certificates can be done; however, it will probably be a tough ride if you do not exactly understand what you are doing. The Certificates 101 technote can help you in that understanding.



  • 3.  RE: Onboard EAP-TLS Error 215
    Best Answer

    Posted Jun 06, 2016 03:01 PM

    Hello,

    I solved the problem. I am not sure which of my steps solved it ;)

    I recognized that I had no FQDN under Server Configuration. Then I created a new cert for RADIUS and HTTPS with the new FQDN as CN and the IP address as SAN. After that I created a new Root CA with the FQDN of the CPPM as Common Name.

    Now it works.

    Regards Stefan



  • 4.  RE: Onboard EAP-TLS Error 215

    Posted Jul 20, 2016 06:22 PM

    Good job, Stefan!

    Filling in the FQDN and using that in the Name field of the CA in Onboard got mine working too!

    Thanks for posting this.




  • 5.  RE: Onboard EAP-TLS Error 215

    EMPLOYEE
    Posted Mar 10, 2018 05:24 PM

    I've tested; an FQDN is not required for a lab environment.

    You need to add trusted servers:

    Home » Onboard » Configuration » Network Settings » Enterprise Trust

    Then in:

    Configure Trusted Servers: Manually configure certificate trusted servers

    Configure Trusted Servers: *.<yours_domain.com>

    That is all, works perfectly for me.
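As an added illustration for this thread (example code, not from the posts above and not ClearPass's own code), the following Python does two things the replies touch on: it groups the RADIUS log lines Stefan quoted by request and flags the pattern where the client sends close_notify while the server is still waiting for the client certificate, which means the supplicant gave up right after seeing the server certificate (consistent with the server-identity and trust fixes in posts 3 and 5); and it checks a server certificate identity (CN and DNS SANs) against trusted-server entries such as the `*.<yours_domain.com>` wildcard from the last post. The log regex, the request grouping, the matching rule (DNS SANs first, CN only as a fallback, a wildcard covering exactly one leftmost label) and the hostnames are assumptions of this example, not documented ClearPass or supplicant behaviour; the fifth log line is constructed.

```python
import re
from collections import defaultdict

# Assumed layout of the ClearPass RADIUS log lines quoted in the thread:
# "<date> <time>\t[Th N Req N SessId X] LEVEL Component - message"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<level>\w+)\s+(?P<comp>\S+)\s+-\s+(?P<msg>.*)$"
)
REQ_RE = re.compile(r"\bReq (\d+)\b")

# Lines 1-4 are the ones quoted in the first post; line 5 is constructed to show
# that an unrelated request is classified separately.
SAMPLE_LOG = [
    "2016-05-31 15:45:19,963 \t[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify",
    "2016-05-31 15:45:19,963 \t[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A",
    "2016-05-31 15:45:19,963 \t[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure",
    "2016-05-31 15:45:19,963 \t[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed",
    "2016-05-31 15:46:02,101 \t[Th 11 Req 2346 SessId R0000015f-01-574d9596] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed",
]


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    r = REQ_RE.search(rec["ctx"])
    rec["req"] = r.group(1) if r else None
    return rec


def group_by_request(lines):
    """Map request id -> list of log messages for that request."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["req"]:
            groups[rec["req"]].append(rec["msg"])
    return dict(groups)


def classify_eap_tls_failure(messages):
    """Diagnose one request's TLS messages.

    A close_notify from the client while the server is in the 'read client
    certificate' state means the client aborted before presenting its own
    certificate, i.e. it did not accept the server's certificate or identity.
    """
    low = [m.lower() for m in messages]
    client_closed = any("close notify" in m for m in low)
    waiting_for_client_cert = any("read client certificate" in m for m in low)
    if client_closed and waiting_for_client_cert:
        return "client-rejected-server-cert"
    if any("handshake fail" in m for m in low):
        return "handshake-failure-other"
    return "no-tls-failure"


def diagnose_log(lines):
    """Classify every request found in the log lines."""
    return {req: classify_eap_tls_failure(msgs) for req, msgs in group_by_request(lines).items()}


def _name_matches(pattern, name):
    """Trusted-server entry match: '*' covers exactly one leftmost DNS label (assumed rule)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]  # e.g. ".lab.example.com"
    if not name.endswith(suffix):
        return False
    leftmost = name[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def server_identity_trusted(cn, dns_sans, trusted_servers):
    """Assumed supplicant behaviour: check DNS SANs when present, else fall back to the CN.

    An IP-address SAN (as in post 3) is not a DNS name, so it is not passed here;
    with no DNS SANs the FQDN in the CN is what gets matched.
    """
    candidates = list(dns_sans) if dns_sans else [cn]
    return any(_name_matches(p, n) for p in trusted_servers for n in candidates)


if __name__ == "__main__":
    for req, verdict in diagnose_log(SAMPLE_LOG).items():
        print(f"Req {req}: {verdict}")
    # Hostnames below are constructed for the example.
    print(server_identity_trusted("cppm.lab.example.com", [], ["*.lab.example.com"]))  # True
    print(server_identity_trusted("192.0.2.10", [], ["*.lab.example.com"]))            # False
```

The second case mirrors the situation before the fix in post 3: a server certificate whose CN is an IP address (and no DNS SAN) cannot match a wildcard trusted-server entry, so a supplicant configured as in post 5 closes the session right after the server's certificate, which is exactly the log pattern the first post shows.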