Occasional Contributor I
Posts: 8
Registered: ‎12-09-2014

RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing certs.

Hi all,


I had expiring RADIUS certs on a ClearPass server that needed replacing.  Upon placing the new CA-signed certs (the CA cert is on the endpoint and selected in the wireless profile for server validation), the access tracker started showing reject entries with error code 215.  The alert for the request showed:


RADIUS     EAP-PEAP: fatal alert by client - access_denied
TLS session reuse error


I suspect this is happening because client sessions are already established using the old cert.  But I was not seeing any new accept entries coming through (perhaps no new sessions were being attempted due to the late night change window) so was worried that new clients could not associate.


How can I have the already associated endpoints restart their EAP session so that they get the new certs?  Do I need to disassociate all of the users forcefully to make this happen or will it happen after a given period?


Thanks.  :)


Nathan.

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

Is your RADIUS cert public or privately signed?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎12-09-2014

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

It is privately signed by the AD CA, but it is the same CA cert that signed the first one (they don't expire for 10 years, but the IA certs expire after 2).


So we know the client is happy with the cert because it is signed with the same root as the original one.

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

Did you chain the cert prior to import?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎12-09-2014

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

The public and private key imported without errors, and it does show the root CA right below the RADIUS cert.


Looks like this.


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1713 (0x6b1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: <REDACTED>
        Validity
            Not Before: Jun  1 05:06:36 2016 GMT
            Not After : Jun  2 05:06:36 2018 GMT
        Subject: <REDACTED>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <REDACTED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing
            X509v3 Subject Key Identifier: <REDACTED>:88:6D:68
            X509v3 Authority Key Identifier:
                keyid:<REDACTED>:05:BB:0C
                DirName:<REDACTED> Certification Authority Serial 5/emailAddress=<REDACTED>

            X509v3 Subject Alternative Name:
                <REDACTED>
    Signature Algorithm: sha256WithRSAEncryption
         <REDACTED>
And root looks like this:


Certificate Details
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: <REDACTED>
        Validity
            Not Before: May 15 03:46:17 2013 GMT
            Not After : May 15 03:46:17 2023 GMT
        Subject: <REDACTED>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <REDACTED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: <REDACTED>:05:BB:0C
            X509v3 Authority Key Identifier:
                keyid: <REDACTED>05:BB:0C
                DirName:<REDACTED>

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         <REDACTED>

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

But did you chain the public key before importing it?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎12-09-2014

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

Would I need to do that if it was signed by the same root as the cert I am replacing?


I did not do it because it was the same.  Would this error happen if it was not chained to the public key before importing?

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

Yes. Simply take your public key and open it in a plain text editor. Take the PEM encoded CA cert and add it after the RADIUS cert. Save and then reimport.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
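One way to build the chained file described above and sanity-check it with openssl before re-importing. This is an added example, not code from the thread or from ClearPass; the file names radius.pem, ca.pem and chain.pem are assumptions.

```shell
#!/bin/sh
# Added example: build the chained PEM (RADIUS server cert first, then the
# issuing CA cert) and verify it before importing into ClearPass.
set -eu

# chain_pem SERVER_CERT CA_CERT OUT: concatenate leaf, then CA.
# Refuses if either input carries a private key, so the key can never end up
# in the public certificate field by mistake.
chain_pem() {
    if grep -q 'PRIVATE KEY' "$1" "$2"; then
        echo "refusing: $1 or $2 contains a private key" >&2
        return 1
    fi
    cat "$1" "$2" > "$3"
}

# count_certs FILE: number of CERTIFICATE blocks in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_chain CHAIN CA: the checks to run before import.
#  1. the chain holds at least two certificates (leaf + CA);
#  2. the first certificate is not a CA (the server cert must lead);
#  3. the leaf validates against the CA, which also confirms the leaf's
#     Authority Key Identifier points at the CA's Subject Key Identifier.
verify_chain() {
    chain="$1"; ca="$2"
    [ "$(count_certs "$chain")" -ge 2 ] || {
        echo "chain has fewer than 2 certificates" >&2; return 1; }
    leaf=$(mktemp)
    # extract only the first PEM certificate block
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1{print}
         /-----END CERTIFICATE-----/{if(n==1)exit}' "$chain" > "$leaf"
    if openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE'; then
        echo "first cert is a CA; the server cert must come first" >&2
        rm -f "$leaf"; return 1
    fi
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null; then rc=0; else rc=1; fi
    rm -f "$leaf"
    return $rc
}
```

Run `chain_pem radius.pem ca.pem chain.pem && verify_chain chain.pem ca.pem`; a non-zero exit means the file should not be imported yet.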
Occasional Contributor I
Posts: 8
Registered: ‎12-09-2014

Re: RADIUS EAP-PEAP: fatal alert by client - access_denied TLS session reuse error when replacing ce

OK.  Chained the root to it and reimported the certs again.  But I am still getting the same 215 reject.


EAP-PEAP: fatal alert by client - access_denied
TLS session reuse error
