05-31-2016 07:11 AM
I am trying to set up onboarding in my demo lab. I can provision my device and I get a certificate enrolled. When my client (iPhone, OSX or Windows) then tries to connect over EAP-TLS, I get an error.
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request
RADIUS EAP-TLS: warning alert by client - close_notify
eap-tls: Error in establishing TLS session
In the logs I get the following error:
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
I use CPPM as local root CA. I have only self-signed certificates. I unchecked "Guest --> Configuration --> Authentication --> Require HTTPS for guest access".
In Onboard --> Network Settings --> Trust, all is on automatic.
I also tried to configure it manually, but I am also not sure what to configure there.
I despair with the onboarding!
I don't know why it will not work.
06-06-2016 12:12 AM
Do yourself a favour and read the ClearPass Certificate 101 technote (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx) and get some trusted certificates at least during testing.
Free trusted certificates for lab use are available through StartCom StartSSL (startssl.com) and Let's Encrypt (letsencrypt.org).
It can be done, Onboarding without trusted certificates, however it will probably be a tough ride if you do not exactly understand what you are doing. The Certificates 101 technote can help you in that understanding.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
06-06-2016 12:01 PM
I solved the problem. I am not sure which of my steps solved it ;)
I recognized that I had no FQDN under Server Configuration. Then I created a new cert for RADIUS and HTTPS with the new FQDN as CN and the IP address as SAN. After that I created a new Root CA with the FQDN of the CPPM as Common Name.
Now it works.
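Added example, not part of any post in this thread and not ClearPass code: a Python script that parses the RadiusServer.Radius lines from the first post and reports which side ended the EAP-TLS handshake and at which step the server was. The function name `triage` and the hint strings are this example's own assumptions.

```python
import re

# Log lines copied from the first post, split back to one entry per line.
SAMPLE_LOG = """\
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2016-05-31 15:45:19,963 [Th 10 Req 2345 SessId R0000015e-01-574d956f] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

ENTRY = re.compile(r"\[Th \d+ Req \d+ SessId (?P<sess>\S+)\] \w+ \S+ - (?P<msg>.*)$")
ALERT = re.compile(r"TLS Alert (read|write):(\w+):(.+)")
STATE = re.compile(r"TLS_accept:failed in (.+)")
SSLERR = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.+)")

# Triage hints are this example's heuristics (assumption), not ClearPass output.
HINTS = {
    "client": "client ended the handshake: check that the client trusts the "
              "RADIUS server certificate (issuing CA, CN/SAN)",
    "server": "server ended the handshake: check the client certificate "
              "against the server's trust list",
}

def triage(log_text):
    """Group EAP-TLS failure lines by session and say which side aborted."""
    sessions = {}
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        info = sessions.setdefault(entry["sess"], {})
        msg = entry["msg"]
        if m := ALERT.search(msg):
            # The server logs "read" for an alert it received, "write" for one it sent.
            info["alert_from"] = "client" if m[1] == "read" else "server"
            info["alert"] = f"{m[2]}:{m[3]}"
        elif m := STATE.search(msg):
            info["server_state"] = m[1]  # handshake step the server was in
        elif m := SSLERR.search(msg):
            info["openssl_error"] = (m[1], m[2], m[3])  # code, function, reason
    for info in sessions.values():
        info["hint"] = HINTS.get(info.get("alert_from"), "no alert logged")
    return sessions

if __name__ == "__main__":
    for sess, info in triage(SAMPLE_LOG).items():
        print(sess, info)
```

For the session in this thread the alert was read by the server while it was waiting for the client certificate, so the client side closed the handshake, which is consistent with the fix being a reissued server certificate and root CA.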