Frequent Contributor II

TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Hi Guys,

I'm having an issue while onboarding. Other devices except Apple's work fine.

This issue appears after the onboarding process has completed and the client attempts to connect with EAP-TLS.

The authentication and enforcement seem to work fine, but with an alert causing the user association to fail.

This is the alert:

RADIUSEAP-TLS: warning alert by client - close_notify
eap-tls: Error in establishing TLS session

I have seen another thread suggesting to configure the network trust policy to 'manually configure', which I already did, but the error still appears.

Any suggestions?

 

Ricky Lie

CWNA, ACMP

 

Ricky E. Lee
CWNA | ACMP | ACCP
Guru Elite

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

What version of ClearPass?

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

The error means the client doesn't trust the server cert being presented. 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor II

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Bump.

I just upgraded the server to 6.5.5.78974, but the same error still occurs.

I already set the server trust to manual and input both ClearPass and the CA server there to be trusted (my CPPM server is an intermediate CA server).

This issue only appears on iOS9, on either iPhone5 or iPhone6; iPhone4/5 running iOS8 or lower work well.

Anyone got any clue how to fix this?

 

Ricky

Ricky E. Lee
CWNA | ACMP | ACCP
Frequent Contributor II

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

These are the 4 lines showing the error in the logs from debugging.

 

2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

Ricky,

Ricky E. Lee
CWNA | ACMP | ACCP
Aruba

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Again, this is a client issue where the device does not have the full trust chain installed. There is nothing to do on the CPPM side except make sure you have included the full chain on the mobile device if you onboarded them. Some certs have more than one intermediate cert, so you will need to make sure you include all of them.
Thank You,
Troy
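
An added example, not part of the original thread and not Aruba's tooling: a lab check of the "full chain" point above, showing that a RADIUS server certificate issued by an intermediate CA only validates when the verifier holds the intermediate as well as the root. It assumes the `openssl` CLI is installed; the CA names, `radius.lab.example` and all file names are constructed for the lab, and it tests chain building only, not iOS behaviour.

```shell
#!/bin/sh
# Constructed lab PKI (all names and files are made up for this example):
#   Lab Root CA -> Lab Intermediate CA -> radius.lab.example

# issue <dir> <name> <subject CN> <extension file> [<issuer name>]
# With no issuer the certificate is self-signed (the root).
issue() {
    d=$1; name=$2; cn=$3; ext=$4; issuer=${5:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
            -extfile "$ext" -days 2 -out "$d/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" \
            -CAkey "$d/$issuer.key" -set_serial 2 \
            -extfile "$ext" -days 2 -out "$d/$name.pem" 2>/dev/null
    fi
}

build_lab_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    issue "$d" root 'Lab Root CA' "$d/ca.ext" &&
    issue "$d" inter 'Lab Intermediate CA' "$d/ca.ext" root &&
    issue "$d" server 'radius.lab.example' "$d/leaf.ext" inter
}

# chain_ok <server cert> <trusted root> [<file of intermediates>]
# Succeeds only if the server certificate validates up to the trusted root
# using nothing but the certificates the verifier has been given.
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>/dev/null | grep -q ': OK$'
    else
        openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
    fi
}

lab=$(mktemp -d) && trap 'rm -rf "$lab"' EXIT
build_lab_pki "$lab" || { echo "openssl failed to build the lab PKI" >&2; exit 1; }
chain_ok "$lab/server.pem" "$lab/root.pem" \
    && echo "root only:           chain OK" || echo "root only:           chain incomplete"
chain_ok "$lab/server.pem" "$lab/root.pem" "$lab/inter.pem" \
    && echo "root + intermediate: chain OK" || echo "root + intermediate: chain incomplete"
```

To run the same check against real files, call `chain_ok` with the exported RADIUS server certificate, the root CA, and a PEM file holding every intermediate concatenated together.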

Frequent Contributor II

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Hi Tarnold,

 

Could you explain more about: "make sure you have included the full chain on the mobile device if you onboarded them."?

Does this mean both the client and server certificate?

I have 6 ClearPass servers, all of which work as intermediate servers.

 

Ricky

Ricky E. Lee
CWNA | ACMP | ACCP
Aruba Employee

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Hi Ricky,

 

I believe Troy was talking about the RADIUS server certificate.

Could you share the screen captures of the RADIUS server certificate and Onboard >> Configuration >> Network Settings >> Trust?

Thank you,
Saravanan Rajagopal


**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the bottom right hand corner of the post.
Frequent Contributor II

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Hi Saravanan,

 

Attached.

The name I input there is the root CA. My CPPM acts as an intermediate CA.

 

Ricky

 

Ricky E. Lee
CWNA | ACMP | ACCP
Aruba Employee

Re: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

Hi Ricky,

 

Can you attach the screen capture of the ClearPass RADIUS server certificate (Administration >> Certificates >> Server Certificates)? If possible, export the RADIUS server cert and attach it.

 

Can you also try removing the "Trusted Server Names" under Trust and test provisioning the iOS device?

Thank you,
Saravanan Rajagopal

