Occasional Contributor II
Posts: 13
Registered: ‎05-23-2016

Onboard EAP-TLS Error 215

Hello Community.

 

I am trying to set up onboarding in my demo lab. I can provision my device and I get a certificate enrolled. When my client (iPhone, OSX or Windows) then tries to connect over EAP-TLS, I get an error.

 

Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request (RADIUS):
EAP-TLS: warning alert by client - close_notify
eap-tls: Error in establishing TLS session

In the logs I get the following error:

 

2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2016-05-31 15:45:19,963 	[Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

I use CPPM as the local root CA. I have only self-signed certificates. I unchecked "Require HTTPS for guest access" under Guest --> Configuration --> Authentication.

 

Under Onboard --> Network Settings --> Trust, everything is on automatic.

I also tried to configure it manually, but I am also not sure what to configure there.

 

I despair with the onboarding! 

 

I don't know why it will not work.

Regards Stefan
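Added example (not part of the original thread and not ClearPass code): a small Python parser for the log format quoted in the post above. It groups lines by SessId and pulls out the TLS alert, the handshake state and the OpenSSL error; the regexes, function names and verdict strings are assumptions based only on the four lines shown.

```python
import re
from collections import defaultdict

# The four log lines quoted in the post (whitespace normalised).
P = "2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - "
SAMPLE_LOG = "\n".join(P + m for m in [
    "TLS Alert read:warning:close notify",
    "TLS_accept:failed in SSLv3 read client certificate A",
    "rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. "
    "error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure",
    "rlm_eap_tls: TLS Handshake failed",
])

LINE = re.compile(r"^\S+ \S+\s+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\]\s+\w+\s+\S+ - (?P<msg>.*)$")
# "read" = alert received from the peer (the client), "write" = sent by the server.
ALERT = re.compile(r"TLS Alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)")
STATE = re.compile(r"TLS_accept:failed in (?P<state>.+)")
OSSL = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):(?P<reason>.+)")

def verdict(s):
    """Summarise what the server side observed; does not guess the root cause."""
    from_client = any(d == "read" for d, _, _ in s["alerts"])
    awaiting_cert = bool(s["state"]) and "read client certificate" in s["state"]
    if from_client and awaiting_cert:
        return "client ended handshake before sending its certificate"
    if awaiting_cert:
        return "handshake failed while waiting for client certificate"
    return "client sent a TLS alert" if from_client else "unclassified"

def triage(text):
    """Return {SessId: {alerts, state, openssl, verdict}} for a log excerpt."""
    sessions = defaultdict(lambda: {"alerts": [], "state": None, "openssl": None})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a RADIUS server log line in this format
        s, msg = sessions[m["sess"]], m["msg"]
        if a := ALERT.search(msg):
            s["alerts"].append((a["dir"], a["level"], a["desc"]))
        if st := STATE.search(msg):
            s["state"] = st["state"]
        if e := OSSL.search(msg):
            s["openssl"] = (e["code"], e["func"], e["reason"])
    return {sid: dict(s, verdict=verdict(s)) for sid, s in sessions.items()}

if __name__ == "__main__":
    for sid, info in triage(SAMPLE_LOG).items():
        print(sid, info)
```

For the lines in the post, the verdict is that the client closed the handshake while the server was still waiting for the client certificate, which points the investigation at the client side of the exchange (the server certificate and trust settings the device was provisioned with) rather than at the enrolled client certificate.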

MVP
Posts: 554
Registered: ‎11-04-2011

Re: Onboard EAP-TLS Error 215

Stefan,

 

Do yourself a favour and read the ClearPass Certificate 101 technote (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx) and get some trusted certificates at least during testing.

 

Free trusted certificates for lab use are available through StartCom StartSSL (startssl.com) and Let's Encrypt (letsencrypt.org).

 

It can be done, Onboarding without trusted certificates, however it will probably be a tough ride if you do not exactly understand what you are doing. The Certificates 101 technote can help you in that understanding.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II
Posts: 13
Registered: ‎05-23-2016

Re: Onboard EAP-TLS Error 215

Hello,

 

I solved the problem. I am not sure which of my steps solved it ;)

 

I recognized that I had no FQDN under Server Configuration. Then I created a new cert for RADIUS and HTTPS with the new FQDN as CN and the IP address as SAN. After that I created a new Root CA with the FQDN of the CPPM as Common Name.

 

Now it works.

 

Regards Stefan

 

 

Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Onboard EAP-TLS Error 215

Good job, Stefan!

Filling in the FQDN and using that in the Name field of the CA in Onboard got mine working too!

Thanks for posting this.

 
