CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

Hi Airheads,

Good Morning,

 

One of my clients is trying to configure CPPM to work with 802.1X wireless, using EAP-FAST, with Avaya 6140 phones.

My issue is that he keeps getting an error:


Request log details for session: R00380708-57-5382f828

Time Message

2014-05-26 11:15:36,931[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 228:232:00-90-7a-0c-34-a5
2014-05-26 11:15:36,934[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888858 h=607 r=R00380708-57-5382f828] INFO Core.ServiceReqHandler - Service classification result = RA_EAP_FAST_wifi
2014-05-26 11:15:36,935[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RA_EAP_FAST_wifi"
2014-05-26 11:15:36,935[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_eap_fast: Initiate
2014-05-26 11:15:36,935[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 228:96:00-90-7a-0c-34-a5:0x0030007c002c003ae8feb902558032407db82f06c1c18ca8bd0f4779
2014-05-26 11:15:36,952[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RA_EAP_FAST_wifi" - 229:305:00-90-7a-0c-34-a5
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client hello C
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2014-05-26 11:15:36,955[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
2014-05-26 11:15:36,956[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.234.36.5
2014-05-26 11:15:36,956[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.234.36.5
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 00907a0c34a5
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 0 entity id = 29
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 h=77515033 c=R00380708-57-5382f828] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 h=77515035 c=R00380708-57-5382f828] INFO Core.PETaskRoleMapping - Roles:
2014-05-26 11:15:36,958[RequestHandler-1-0x7f7bcafb7700 h=77515038 c=R00380708-57-5382f828] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
2014-05-26 11:15:36,958[RequestHandler-1-0x7f7bcafb7700 h=77515043 c=R00380708-57-5382f828] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
2014-05-26 11:15:36,958[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] WARN Core.SessionInfoOperations - Skip SessionInfoOperations::persistSessionInfo because of NULL NAD or NAD IP matching localhost
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.234.36.5
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515044 c=R00380708-57-5382f828] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515042 c=R00380708-57-5382f828] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515042 c=R00380708-57-5382f828] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515040 c=R00380708-57-5382f828] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
2014-05-26 11:15:36,962[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
2014-05-26 11:15:36,962[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 h=77515046 c=R00380708-57-5382f828] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 h=77515046 c=R00380708-57-5382f828] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 h=77515045 c=R00380708-57-5382f828] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515033 c=R00380708-57-5382f828] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

TLS Alert write:fatal:handshake failure

 

 

  • Might the error be occurring because the PAC file was generated on Cisco ACS?
  • I changed the authentication from EAP-FAST to PEAP.
  • I also exported the CPPM server certificate and uploaded it to the phone, getting the same error.

RADIUS

EAP-PEAP: fatal alert by client - unknown_ca

 


Can anyone advise?

Me.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************

Re: CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

The very last line tells what is wrong (from the Alert tab):

 

RADIUS: EAP-PEAP: fatal alert by client - unknown_ca

 

This means that your client is configured to connect to the 802.1X SSID and is configured to validate the server certificate, although the server certificate on your RADIUS is not trusted by your client configuration.

 

In the Windows supplicant, this means that 'Validate Server Certificate' is switched on (1), and the server name (2) does NOT match, or the selected CA (3) does NOT match:

 

validate123.png

 

You probably use a different 802.1X supplicant, as you use PAC files. A similar configuration should be there.

 

So check the settings for your client to validate the server certificate. If you require the same client configuration as you use on your ACS, you may need to export the RADIUS certificate from ACS and import it into ClearPass as the RADIUS certificate.

 

In recent ClearPass versions, you can install separate certificates for RADIUS and the HTTPS web server; make sure that you installed the correct certificate for RADIUS in your case.

 

Herman

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
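
An added example, not part of the original thread: a small log triage that separates the two failures discussed above, the server-side `no shared cipher` error seen with EAP-FAST and the client-sent `unknown_ca` alert seen with PEAP. The sample input is assembled from lines quoted in this thread; the function name, field names and hint texts are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    session: Optional[str]
    sender: str   # side that detected the failure and raised the alert
    reason: str
    hint: str     # hint wording is this example's own, not ClearPass output

SESSION = re.compile(r"SessId (\S+?)\]")
# OpenSSL convention: "write" = alert sent by the logging side (the RADIUS
# server), "read" = alert received from the peer (the supplicant).
ALERT = re.compile(r"TLS Alert (read|write):fatal:(.+)$")
SSL_ERR = re.compile(r"error:[0-9A-Fa-f]{8}:SSL routines:\w+:(.+)$")
BY_CLIENT = re.compile(r"fatal alert by client - (\w+)")

HINTS = {
    "handshake failure": "generic alert; read the OpenSSL error line for the same session",
    "no shared cipher": "no cipher suite in common; compare suites enabled on client and server",
    "unknown_ca": "client validates the server certificate but does not trust its CA; "
                  "install that CA on the client or use a RADIUS certificate it already trusts",
}

# Sample input assembled from lines quoted in this thread.
SAMPLE = """\
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2014-05-26 11:15:36,955[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
RADIUS: EAP-PEAP: fatal alert by client - unknown_ca
"""

def triage(log_text: str) -> list:
    """Return one Finding per TLS alert or OpenSSL error line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SESSION.search(line)
        session = m.group(1) if m else None
        if (a := ALERT.search(line)):
            sender = "server" if a.group(1) == "write" else "client"
            reason = a.group(2)
        elif (e := SSL_ERR.search(line)):
            sender, reason = "server", e.group(1)
        elif (c := BY_CLIENT.search(line)):
            sender, reason = "client", c.group(1)
        else:
            continue  # not a TLS failure line
        findings.append(Finding(session, sender, reason, HINTS.get(reason, "no hint")))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.session or '-'} {f.sender:6} {f.reason}: {f.hint}")
```
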

Re: CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

I sent your post to my client - I hope it will give him a clue (he is using Avaya 6140).

Re: CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

Thanks a lot for your reply.

It works fine for me.

I added a network profile on the Windows machine and removed 'Validate server certificate',

or you had to distribute the CPPM RADIUS certificate via CA Domain.
