Frequent Contributor I
Posts: 84
Registered: ‎09-08-2015

TLS Handshake Failure

Hi Airheads,

 

In the process of migrating from an old ClearPass deployment running 6.2.6 to a new one running the latest version of 6.6.

 

For the Corp SSID we're trying to migrate, clients are using EAP-TLS with a domain-issued machine certificate to authenticate, with settings controlled by group policy. This is working when authenticating to the old ClearPass appliance.

 

Trust chain is good, LDAP connection from new ClearPass appliance to the domain controller is working (using this for admin interface auth).

 

When attempting a connection, Access Tracker is showing the below errors:

 

RADIUS eap-tls: Error in establishing TLS session

 

2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol


2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

 

Has anyone seen this before? Could it be to do with cipher support on the client?

Same behaviour on Windows 7, 8.1, and 10.

Guru Elite
Posts: 8,633
Registered: ‎09-08-2010

Re: TLS Handshake Failure

You can try disabling TLS 1.2 and seeing if the behavior changes.





Administration > Server Manager > Server Configuration > Service Parameters > RADIUS server > Disable TLS 1.2

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 84
Registered: ‎09-08-2015

Re: TLS Handshake Failure

Turns out the error message was caused because I had disabled TLS 1.0 in cluster-wide parameters.

 

If I force a Windows 10 client to use TLS 1.2 via regedit it works.

 

Based on this MS KB article I thought that ClearPass should be advertising it supports TLS 1.2 and the client should connect using this? (TLS 1.2 is NOT disabled in RADIUS server parameters).

 

https://support.microsoft.com/en-nz/kb/3121002
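Added example (not part of the thread and not ClearPass code): a check of which TLS version a supplicant actually offers, read from the ClientHello carried in an EAP-Response/EAP-TLS packet and compared with the versions enabled on the RADIUS server. The packet bytes are constructed, the function names are hypothetical, and it assumes a pre-TLS 1.3 client whose default ClientHello tops out at TLS 1.0, which is what the resolution above suggests.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def sample_eap_tls(client_version):
    """Constructed sample: EAP-Response/EAP-TLS carrying a minimal ClientHello."""
    body = struct.pack("!H", client_version) + bytes(32)     # client_version, random
    body += b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"      # session_id, 1 suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    rec = b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # TLS record, content type 22
    data = b"\x80" + struct.pack("!I", len(rec)) + rec       # EAP-TLS flags (L bit) + TLS length
    return struct.pack("!BBHB", 2, 1, 5 + len(data), 13) + data  # EAP code 2, type 13

def offered_version(pkt):
    """Return the highest version the client advertises (ClientHello.client_version)."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != 2 or eap_type != 13 or length != len(pkt):
        raise ValueError("not a well-formed EAP-Response/EAP-TLS packet")
    off = 6 + (4 if pkt[5] & 0x80 else 0)                    # skip TLS Message Length if L bit set
    tls = pkt[off:]
    if len(tls) < 11 or tls[0] != 0x16 or tls[5] != 0x01:
        raise ValueError("first TLS record is not a ClientHello")
    # The record-layer version at tls[1:3] is not the offer; client_version is.
    return struct.unpack("!H", tls[9:11])[0]

def negotiate(pkt, server_enabled):
    """Highest server-enabled version the client can speak, or None if no overlap.

    Simplification: treats the client as supporting every version up to its maximum.
    """
    ceiling = offered_version(pkt)
    usable = [v for v in server_enabled if v <= ceiling]
    return max(usable) if usable else None

if __name__ == "__main__":
    tls10_off = {0x0302, 0x0303}                             # server with TLS 1.0 disabled
    cases = (("default client (assumed TLS 1.0 max)", 0x0301),
             ("client forced to TLS 1.2", 0x0303))
    for label, ver in cases:
        got = negotiate(sample_eap_tls(ver), tls10_off)
        print(label, "->", NAMES[got] if got else "handshake fails: no common version")
```

To use it on real traffic, pass the EAP payload reassembled from the EAP-Message attributes of the first Access-Request that carries TLS data.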
