06-23-2016 03:33 PM
In the process of migrating from an old ClearPass deployment running 6.2.6 to a new one running the latest version of 6.6.
For the Corp SSID we're trying to migrate, clients are using EAP-TLS with a domain-issued machine certificate to authenticate, with settings controlled by group policy. This is working when authenticating to the old ClearPass appliance.
The trust chain is good, and the LDAP connection from the new ClearPass appliance to the domain controller is working (we're using this for admin interface auth).
When attempting a connection, Access Tracker is showing the errors below:
RADIUS eap-tls: Error in establishing TLS session
2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
Has anyone seen this before? Could it be to do with cipher support on the client?
Same behaviour on Windows 7, 8.1, and 10.
06-23-2016 03:36 PM
06-23-2016 04:41 PM
Turns out the error message was caused by my having disabled TLS 1.0 in the cluster-wide parameters.
If I force a Windows 10 client to use TLS 1.2 via regedit, it works.
Based on this MS KB article, I thought that ClearPass should be advertising that it supports TLS 1.2 and the client should connect using it? (TLS 1.2 is NOT disabled in the RADIUS server parameters.)
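The failure mode in this post, as an added example that is not part of the original thread and is not ClearPass or Windows code: the server does not "advertise" a version in TLS 1.0 through 1.2; the client states the highest version it supports in the ClientHello's client_version field, and the server picks the highest version it has enabled that is at or below that. A supplicant that only offers TLS 1.0 therefore cannot be talked up to TLS 1.2, and a server with TLS 1.0 switched off has no version left to choose, which is the point at which OpenSSL-based servers abort the handshake with an error like the "unknown protocol" one above. The script below builds two constructed EAP-TLS responses (one carrying a TLS 1.0 ClientHello, one carrying a TLS 1.2 ClientHello; not packets captured from this deployment), pulls the offered version out of each as you would from a RADIUS Access-Request in a capture, and shows which combinations of enabled server versions succeed. The EAP/TLS framing follows RFC 5216 and RFC 5246; cipher suites and random bytes are placeholders.

```python
"""Extract the TLS version offered inside an EAP-TLS response and predict
whether a RADIUS server with a given set of enabled TLS versions accepts it.
Added illustration for the thread above; not ClearPass or Windows code.
All packets are constructed here, not captured."""
import struct

TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
VERSION_ORDER = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]
EAP_RESPONSE, EAP_TYPE_TLS = 2, 13
EAP_TLS_FLAG_L = 0x80  # "length included" flag, RFC 5216 section 3.1


def build_client_hello(client_version, eap_id=1):
    """Wrap a minimal TLS ClientHello in a single EAP-TLS response.
    Constructed sample: real hellos carry extensions and a long suite list."""
    body = bytes(client_version)                    # client_version (major, minor)
    body += b"\x00" * 32                            # random, fixed for the sample
    body += b"\x00"                                 # session_id length 0
    suites = b"\xc0\x2f\x00\x2f"                    # two placeholder cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record-layer version stays 3.1 for compatibility; servers negotiate on
    # the client_version inside the handshake, not on this field.
    record = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    eap_data = (bytes([EAP_TYPE_TLS, EAP_TLS_FLAG_L])
                + struct.pack("!I", len(record)) + record)
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(eap_data)) + eap_data


def offered_version(eap_response):
    """Return the client_version name from the ClientHello inside an EAP-TLS
    response (the first EAP-TLS fragment the supplicant sends)."""
    code, _eap_id, length = struct.unpack("!BBH", eap_response[:4])
    if code != EAP_RESPONSE or length != len(eap_response) or eap_response[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS response")
    flags = eap_response[5]
    tls = eap_response[6 + (4 if flags & EAP_TLS_FLAG_L else 0):]
    if tls[0] != 0x16 or tls[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    major, minor = tls[9], tls[10]                   # client_version sits after the
    return TLS_VERSIONS.get((major, minor), f"unknown {major}.{minor}")  # 5-byte record + 4-byte handshake header


def handshake_outcome(eap_response, enabled):
    """Model a server that only has the versions in `enabled` switched on: it
    picks the highest enabled version at or below the client's offer and
    fails the handshake when there is none. Simplified model, not OpenSSL."""
    offered = offered_version(eap_response)
    if offered not in VERSION_ORDER:
        return "fail: unrecognised version"
    usable = [v for v in VERSION_ORDER[: VERSION_ORDER.index(offered) + 1] if v in enabled]
    return f"ok: {usable[-1]}" if usable else "fail: no enabled version at or below the client's offer"


# Constructed samples: a supplicant whose EAP-TLS only offers TLS 1.0, and the
# same supplicant after TLS 1.2 has been enabled for EAP on the client.
SUPPLICANT_TLS10 = build_client_hello((3, 1))
SUPPLICANT_TLS12 = build_client_hello((3, 3))

if __name__ == "__main__":
    for name, pkt in (("TLS 1.0 supplicant", SUPPLICANT_TLS10),
                      ("TLS 1.2 supplicant", SUPPLICANT_TLS12)):
        for enabled in ({"TLS 1.0", "TLS 1.1", "TLS 1.2"}, {"TLS 1.1", "TLS 1.2"}):
            print(f"{name}, server enables {sorted(enabled)} -> {handshake_outcome(pkt, enabled)}")
```

Run against real traffic, point offered_version at the EAP-Message attribute of the first Access-Request that carries TLS data; if it reports TLS 1.0 while the server has TLS 1.0 disabled, the fix is on the supplicant (raise the version EAP offers) or on the server (re-enable TLS 1.0 until the clients are fixed), not in the server's own version list.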