09-16-2015 10:55 PM
Today has been a busy day for many of our customers as a new iOS version (Apple’s OS not the other guys) hit millions of mobile devices and their Wi-Fi networks. iOS 9 as well as the upcoming OS X 10.11 release (El Capitan) incorporate new security features that have made several of our ClearPass customers a little nervous, but you'll be glad to know we've been paying close attention.
Back in August, the following advisory was posted indicating the changes that Apple was making to their minimum Diffie-Hellman key exchange group size as well as the addition of TLS 1.2 support in iOS 9 and OS X 10.11.
Advisory: Prepare for enterprise security requirements in iOS 9 and OS X El Capitan
One of the great aspects of the advisory is that our very own ClearPass is mentioned in the section on what ClearPass OS version would be needed to support TLS 1.2. However it seems that receiving that mention created some confusion so I want to set the record straight.
ClearPass 6.3 through 6.5 use a group size of 1024 bits which is Apple’s new minimum. ClearPass 6.2 (released back in 2013) offered a lower group size so in June of this year (when iOS 8.4 and OS X 10.10.4 were released), we provided a hot-fix to avoid any connection issues for customers still running our 6.2 release. Should Apple or any other vendor make a higher group size mandatory in a future OS release, we will again make sure ClearPass is ready.
ClearPass 6.5.2 added support for TLS 1.2 to complement the existing TLS 1.0 and 1.1 versions we support. Even though iOS 9 added support for TLS 1.2, as will OS X 10.11, our internal testing has validated that Apple didn’t make it mandatory. So devices running iOS 9 and OS X 10.11 will fall back to the earlier TLS versions. What this means is that if your RADIUS server, which I hope is ClearPass if you’re reading this, doesn’t yet have support for TLS 1.2, it does not necessarily mean you’re dead in the water.
In future we’ll make sure to communicate more regarding these types of issues prior to any new device OS release. Sorry for the panic!
ClearPass Product Manager
10-07-2015 03:40 PM
We also got bitten by iOS 9.1 beta this week. It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, the certificate will be missing the "Key Encipherment" key usage flag.
Apparently starting with iOS 9.1, if the RADIUS cert does not contain the "Key Encipherment" flag, iOS will reject authentication with:
Oct 1 11:27:29.752545 TiPadAir2 eapolclient: [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not trusted status 1001 -9807
I hope this information is useful to others!
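As an added illustration of the check this post describes (not code from the thread, from ClearPass or from Apple), the following Python walks a DER-encoded certificate with a minimal parser and reports which KeyUsage bits are asserted, so an administrator can confirm keyEncipherment is present before rolling a RADIUS certificate out to iOS 9.1 clients. The sample inputs are hand-constructed extension fragments rather than real certificates, and the helper names are my own.

```python
# Report the KeyUsage bits asserted in a DER-encoded X.509 certificate, so a
# RADIUS server certificate can be checked for keyEncipherment (the bit the
# post says iOS 9.1 requires). Standard library only; helper names are hypothetical.
KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def der(tag, payload):  # short-form DER TLV, enough for the constructed samples below
    return bytes([tag, len(payload)]) + payload

def der_tlvs(buf):
    """Yield (tag, value) for each top-level TLV in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            nb = length & 0x7F
            length, i = int.from_bytes(buf[i:i + nb], "big"), i + nb
        yield tag, buf[i:i + length]
        i += length

def find_key_usage(der_bytes):
    """Return the set of asserted KeyUsage names, or None if the extension is absent."""
    for tag, value in der_tlvs(der_bytes):
        if tag == 0x30 and value[:5] == b"\x06\x03" + KEY_USAGE_OID:
            # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue OCTET STRING }
            octets = list(der_tlvs(value))[-1][1]
            _, bits = next(der_tlvs(octets))  # BIT STRING: [unused-bit count, data...]
            return {name for idx, name in enumerate(KEY_USAGE_BITS)
                    if idx // 8 + 1 < len(bits) and bits[idx // 8 + 1] & (0x80 >> idx % 8)}
        if tag & 0x20:  # constructed (SEQUENCE, SET, [3] EXPLICIT ...): descend into it
            found = find_key_usage(value)
            if found is not None:
                return found
    return None

def radius_cert_ok_for_ios91(der_bytes):
    """True only when keyEncipherment is asserted, the condition the post describes."""
    flags = find_key_usage(der_bytes)
    return flags is not None and "keyEncipherment" in flags

# Constructed samples, not real certificates: the [3] EXPLICIT extensions field of a
# tbsCertificate holding a single critical KeyUsage extension.
def key_usage_field(bit_byte, unused):
    ext = der(0x30, der(0x06, KEY_USAGE_OID) + der(0x01, b"\xff")
              + der(0x04, der(0x03, bytes([unused, bit_byte]))))
    return der(0xA3, der(0x30, ext))

GOOD_EXTENSIONS = key_usage_field(0xA0, 5)  # digitalSignature + keyEncipherment
BAD_EXTENSIONS = key_usage_field(0x80, 7)   # digitalSignature only: what the post saw rejected
```

To check a deployed certificate, pass the DER bytes of the whole certificate to find_key_usage; the walker descends through tbsCertificate into the extensions field on its own.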
10-07-2015 07:55 PM
We were running 6.5.1 and as soon as I upgraded to iOS 9, I wasn't able to log in on the captive portal for our guest network.
When I replaced the URL with HTTP instead of HTTPS, authentication worked fine.
Now that we upgraded ClearPass to 6.5.3, it's working fine using HTTPS.
I also did a Wireshark capture and had a lot of TLS 1.2 retransmissions and errors; it was just unable to complete the credentials transaction when using HTTPS.