Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

  • 1.  RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    Posted Aug 25, 2016 05:38 PM

    Hi all,


    I had expiring RADIUS certs on a Clearpass server that needed replacing.  Upon placing the new CA signed certs (CA cert is on endpoint and selected in wireless profile for server validation) the access tracker started showing reject entries with error code 215.  The alert for the request showed.


    RADIUS     EAP-PEAP: fatal alert by client - access_denied
    TLS session reuse error


    I suspect this is happening because client sessions are already established using the old cert.  But I was not seeing any new accept entries coming through (perhaps no new sessions were being attempted due to the late night change window) so was worried that new clients could not associate.


    How can I have the already associated endpoints restart their EAP session so that they get the new certs?  Do I need to disassociate all of the users forcefully to make this happen or will it happen after a given period?


    Thanks.  :)


    Nathan.



  • 2.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    EMPLOYEE
    Posted Aug 25, 2016 05:50 PM
    Is your RADIUS cert public or privately signed?


  • 3.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    Posted Aug 25, 2016 06:00 PM

    It is privately signed by the AD CA, but it is the same CA cert that signed the first one (they don't expire for 10 years but the IA certs expire after 2).


    So we know the client is happy with the cert because it is signed with the same root as the original one.



  • 4.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    EMPLOYEE
    Posted Aug 25, 2016 06:01 PM
    Did you chain the cert prior to import?


  • 5.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    Posted Aug 25, 2016 06:09 PM

    The public and private key imported without errors, and it does show the root ca right below the radius cert.


    Looks like this.


    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1713 (0x6b1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: <REDACTED>
            Validity
                Not Before: Jun  1 05:06:36 2016 GMT
                Not After : Jun  2 05:06:36 2018 GMT
            Subject: <REDACTED>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        <REDACTED>
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication, Code Signing
                X509v3 Subject Key Identifier: <REDACTED>:88:6D:68
                X509v3 Authority Key Identifier:
                    keyid:<REDACTED>:05:BB:0C
                    DirName:<REDACTED> Certification Authority Serial 5/emailAddress=<REDACTED>

                X509v3 Subject Alternative Name:
                    <REDACTED>
        Signature Algorithm: sha256WithRSAEncryption
             <REDACTED>


    And root looks like this:


    Certificate Details
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: <REDACTED>
            Validity
                Not Before: May 15 03:46:17 2013 GMT
                Not After : May 15 03:46:17 2023 GMT
            Subject: <REDACTED>
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        <REDACTED>
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: <REDACTED>:05:BB:0C
                X509v3 Authority Key Identifier:
                    keyid: <REDACTED>05:BB:0C
                    DirName:<REDACTED>

                X509v3 Basic Constraints:
                    CA:TRUE
        Signature Algorithm: sha1WithRSAEncryption
             <REDACTED>



  • 6.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    EMPLOYEE
    Posted Aug 25, 2016 06:11 PM
    But did you chain the public key before importing it?


  • 7.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    Posted Aug 25, 2016 06:25 PM

    Would I need to do that if it was signed by the same root as the cert I am replacing?


    I did not do it because it was the same.  Would this error happen if it was not chained to the public key before importing?



  • 8.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    EMPLOYEE
    Posted Aug 25, 2016 06:31 PM
    Yes. Simply take your public key and open it in a plain text editor. Take the PEM encoded CA cert and add it after the RADIUS cert. Save and then reimport.
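    An added example (not from this thread and not HPE Aruba code) of the chaining step described above: it validates the PEM framing of the RADIUS server cert and the CA cert, then writes them out as one file, server cert first, with the newline between blocks that a hand-edit often drops. The certificate payloads are constructed placeholders, not real certificates; only the PEM framing is checked, not the X.509 signature.

```python
import base64
import re
import textwrap

# Matches one PEM certificate block even when the editor forgot the newline
# between "-----END CERTIFICATE-----" and the next "-----BEGIN CERTIFICATE-----".
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM text, in file order."""
    if "-----BEGIN CERTIFICATE-----" not in text:
        raise ValueError("no CERTIFICATE block found (is this a key or PKCS#12 file?)")
    blocks = []
    for m in _PEM_RE.finditer(text):
        body = "".join(m.group(1).split())  # drop line breaks and stray spaces
        blocks.append(base64.b64decode(body, validate=True))  # rejects corrupt base64
    if text.count("-----BEGIN CERTIFICATE-----") != len(blocks):
        raise ValueError("unterminated CERTIFICATE block")
    return blocks


def to_pem(der):
    """Re-wrap DER bytes as a canonical 64-column PEM block ending in a newline."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def build_chain(server_pem, ca_pem):
    """Build the import file: RADIUS server cert first, then the CA cert(s) that signed it."""
    server = pem_blocks(server_pem)
    if len(server) != 1:
        raise ValueError("server cert file must hold exactly one certificate")
    chain = server + pem_blocks(ca_pem)
    if len(set(chain)) != len(chain):
        raise ValueError("duplicate certificate in chain (CA pasted twice?)")
    return "".join(to_pem(der) for der in chain)


# Constructed placeholder payloads, NOT real certificates: they exercise the PEM
# framing only, which is the part a manual copy-and-paste gets wrong.
SERVER_PEM = to_pem(b"constructed RADIUS server certificate")
ROOT_PEM = to_pem(b"constructed AD CA root certificate")
```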


  • 9.  RE: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

    Posted Aug 25, 2016 06:34 PM

    Ok.  Chained the root to it and reimported the certs again.  But still getting same 215 reject.


    EAP-PEAP: fatal alert by client - access_denied
    TLS session reuse erro