New Contributor
Posts: 4
Registered: ‎05-19-2017

PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

CPPM 6.6.5.93247

When trying to configure PEAP-MSCHAPv2 or EAP-TLS, I cannot get a successful authentication when I disable TLS 1.0 in the cluster-wide settings. Upon further investigation, it appears clients (both Mac and Windows) initiate the server certificate validation (part of EAP) with TLS 1.0; with this disabled in ClearPass, the request eventually times out. I did find the following registry hack from Microsoft that will fix Windows boxes (https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows), but there is no fix for Mac (that I am aware of). Am I the only one disabling TLS 1.0?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

What is the error on the alerts tab in Access Tracker?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎05-19-2017

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

TLS Handshake failed in SSL_read with error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
eap-tls: Error in establishing TLS session
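
One way to check from a packet capture which TLS version a supplicant offers, added here as an example and not part of the original thread: it parses the EAP-Response that carries the ClientHello and compares `ClientHello.client_version` with the server's minimum. The function names and sample bytes are constructed for illustration, and the parser assumes the first fragment of a TLS 1.2-or-earlier ClientHello.

```python
import struct

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EAP_METHODS = {13: "EAP-TLS", 25: "PEAP"}


def offered_tls_version(eap: bytes) -> dict:
    """Parse an EAP-Response that carries the start of a TLS ClientHello."""
    code, _ident, length, eap_type = struct.unpack_from("!BBHB", eap, 0)
    if code != 2 or eap_type not in EAP_METHODS:
        raise ValueError("not an EAP-Response for EAP-TLS or PEAP")
    offset = 6                      # 4-byte EAP header + Type + Flags
    if eap[5] & 0x80:               # L flag: 4-byte TLS Message Length follows
        offset += 4
    tls = eap[offset:length]
    if len(tls) < 11 or tls[0] != 22 or tls[5] != 1:
        raise ValueError("payload does not start with a ClientHello")
    record_ver, = struct.unpack_from("!H", tls, 1)   # record-layer version
    client_max, = struct.unpack_from("!H", tls, 9)   # ClientHello.client_version
    return {
        "method": EAP_METHODS[eap_type],
        "record_version": TLS_NAMES.get(record_ver, hex(record_ver)),
        "client_max": TLS_NAMES.get(client_max, hex(client_max)),
        "client_max_raw": client_max,
    }


def handshake_possible(eap: bytes, server_min: int) -> bool:
    """True if the client's highest offered version meets the server minimum."""
    return offered_tls_version(eap)["client_max_raw"] >= server_min


def sample_response(eap_type: int, client_max: int) -> bytes:
    """Constructed sample: ClientHello cut down to version, random, session id."""
    body = struct.pack("!H", client_max) + bytes(32) + b"\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    payload = bytes([eap_type, 0x80]) + struct.pack("!I", len(record)) + record
    return struct.pack("!BBH", 2, 7, 4 + len(payload)) + payload


if __name__ == "__main__":
    for method, version in ((25, 0x0301), (13, 0x0303)):
        info = offered_tls_version(sample_response(method, version))
        ok = handshake_possible(sample_response(method, version), 0x0302)
        print(info["method"], info["record_version"], info["client_max"], ok)
```

The record-layer version is commonly 0x0301 even when `client_version` is higher, so `client_version` is the field to compare against the server's minimum.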

Aruba Employee
Posts: 508
Registered: ‎02-19-2015

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

Hi,

From version 6.6.x, TLSv1 will be disabled by default; whether to use this version or not depends on the customer.

If you have any legacy devices, they will use TLSv1 during authentication negotiation; it is device specific. We need to allow TLSv1 in CPPM for authentication to work if devices are looking for TLSv1.


Regards,

Pavan

New Contributor
Posts: 4
Registered: ‎05-19-2017

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

Pavan,

Thanks for the information. Since I am configuring CPPM to disable TLS 1.0, does that mean it will not negotiate with the client? What is the release/lifecycle information for 6.3 and 6.6.x?

THX!

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

macOS requires TLS 1.0 to be enabled for EAP.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎05-19-2017

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

Tim,

Are there any documents I can reference for that information?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: PEAP or EAP-TLS Server Certificate Validation error on EAP transaction

Ha. It's Apple. 😉

Nothing that I know of.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480