05-19-2017 08:16 AM
When trying to configure PEAP-MSCHAPv2 or EAP-TLS, I cannot get a successful authentication when I disable TLS 1.0 in the cluster-wide settings. Upon further investigation, it appears clients (both Mac and Windows) initiate the server certificate validation (part of EAP) with TLS 1.0; with this disabled in ClearPass, the request eventually times out. I did find the following registry hack from Microsoft that will fix Windows boxes (https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows), but there is no fix for Mac (that I am aware of). Am I the only one disabling TLS 1.0?
05-19-2017 10:07 AM
05-19-2017 10:53 AM
TLS Handshake failed in SSL_read with error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
eap-tls: Error in establishing TLS session
05-19-2017 11:19 AM
From version 6.6.x, TLSv1 is in a disabled state by default; whether to use this version or not depends on the customer.
If you have any legacy devices, they will use TLSv1 during authentication negotiation; it is device specific. We need to allow TLSv1 in CPPM for authentication to work if devices are looking for TLSv1.
05-19-2017 12:43 PM
Thanks for the information. Since I am configuring CPPM to disable TLS 1.0, does that mean it will not negotiate with the client? What is the release/lifecycle information for 6.3 and 6.6.x?
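Added example, not part of the thread and not ClearPass code: a check for which TLS version a supplicant actually offers in the first EAP-TLS or PEAP fragment of a capture. In TLS 1.2 and earlier a ClientHello carries two version fields, and many stacks put TLS 1.0 in the record layer while offering a higher version in `client_version`, so the function reports both. The function names and the sample packets are constructed for illustration.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP"}

def offered_version(eap: bytes) -> dict:
    """Parse an EAP response carrying a ClientHello (TLS 1.2 and earlier fields only)."""
    code, _ident, length, eap_type, flags = struct.unpack_from("!BBHBB", eap, 0)
    if code != 2 or eap_type not in EAP_TYPES:
        raise ValueError("not an EAP-TLS/PEAP response")
    off = 10 if flags & 0x80 else 6      # L bit set: 4-byte TLS message length follows
    tls = eap[off:length]
    if len(tls) < 11:
        raise ValueError("fragment too short for a ClientHello header")
    ctype, rec_ver, _rec_len = struct.unpack_from("!BHH", tls, 0)
    if ctype != 22 or tls[5] != 1:       # handshake record, ClientHello message
        raise ValueError("not a ClientHello")
    (hello_ver,) = struct.unpack_from("!H", tls, 9)  # after 1-byte type + 3-byte length
    return {
        "method": EAP_TYPES[eap_type],
        "record_version": TLS_VERSIONS.get(rec_ver, hex(rec_ver)),
        "client_version": TLS_VERSIONS.get(hello_ver, hex(hello_ver)),
        # True only when the highest version the client offers is TLS 1.0 or older
        "tls10_only": hello_ver <= 0x0301,
    }

def build_sample(rec_ver: int, hello_ver: int, eap_type: int = 13) -> bytes:
    """Constructed EAP response: zero random, empty session id, one cipher suite."""
    body = struct.pack("!H", hello_ver) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    rec = struct.pack("!BHH", 22, rec_ver, len(hs)) + hs
    payload = b"\x80" + struct.pack("!I", len(rec)) + rec
    return struct.pack("!BBHB", 2, 1, 5 + len(payload), eap_type) + payload

if __name__ == "__main__":
    # Record layer says TLS 1.0, but the client offers up to TLS 1.2.
    print(offered_version(build_sample(0x0301, 0x0303)))
    # A legacy supplicant whose highest offered version is TLS 1.0.
    print(offered_version(build_sample(0x0301, 0x0301, eap_type=25)))
```

Only a supplicant reported as `tls10_only` depends on TLS 1.0 staying enabled on the server.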