Correction: I answer this based on the client doing HTTPS web login.
Regarding 802.1X TLS authentication: This is not exposed in normal ClearPass. In PolicyManager if you enable RADIUS DEBUG can see the TLS version in the AccessTracker's Event Log file. For what you want to do this is not a practical solution. If you Collect Logs with the "Logs from all Policy Manager services" this will have the TLS information:
2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: <<<
TLS 1.2 Handshake [length 0097], ClientHello2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 read client hello A
2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>>
TLS 1.2 Handshake [length 0034], ServerHello2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write server hello A
2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>>
TLS 1.2 Handshake [length 0f85], Certificate2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write certificate A
2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>>
TLS 1.2 Handshake [length 014d], ServerKeyExchange2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write key exchange A
2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>>
TLS 1.2 Handshake [length 0519], CertificateRequest2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write certificate request A
2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 flush data
This will export the current log file which may not be that long. I'm not sure what causes this to restarted?
Irrespective, you would need a script to parse this file extract these TLS details and correlate this SessId to identify the source device. Certainly possible...
------------------------------
Derin Mellor
------------------------------
Original Message:
Sent: May 10, 2021 05:17 AM
From: Jonas Hammarback
Subject: Finding clients using TLS 1.0 and 1.1
Thank you for the answer
In that case I have to find another way to verify that the clients are using correct TLS version.
Maybe we can get the logfile with the help of TAC as a final check.
------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP
Aranya AB
Original Message:
Sent: May 10, 2021 05:08 AM
From: Derin Mellor
Subject: Finding clients using TLS 1.0 and 1.1
I believe this information is currently not exposed within ClearPass. It is captured in the /var/log/httpd/ssl_access_log:
172.16.137.1 - - [07/May/2021:13:01:07 +0100] "POST /tips/dwr/call/plaincall/dashboard.filterTableOnServerWithQuery.dwr HTTP/1.1" 200 50023 "https://cppm.hpearubademo.com/tips/tipsContent.action" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 71625µs
172.16.137.1 - - [07/May/2021:13:01:07 +0100] "POST /tips/dwr/call/plaincall/login.getServerDate.dwr HTTP/1.1" 200 250 "https://cppm.hpearubademo.com/tips/tipsContent.action" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 2839µs
However, this file can't even be accessed via a "Collect Logs".
Unless someone knows otherwise you will have to work with TAC...
------------------------------
Derin Mellor
Original Message:
Sent: May 07, 2021 04:42 AM
From: Jonas Hammarback
Subject: Finding clients using TLS 1.0 and 1.1
Hi
One of my customers have communicated that they will ban the usage of TLS 1.0 and TLS 1.1 on all internal systems during this autumn.
With Wireshark I have identified that some clients still use TLS 1.0. The devices I have identified are for example IP phones and printers.
This customer only have managed devices authenticating to ClearPass with EAP-TLS. Majority of clients are Windows 10 using EAP-TLS and they are utilizing TLS 1.2.
But as the customer have multiple ClearPass clusters on several continents this way of find if clients still use old versions of TLS will not be feasible.
Is it possible to create a report in Insight with these clients or any other way filter out the clients based on information available in ClearPass?
If it's not possible to get the information directly from ClearPass, any other suggestions on how to find these clients?
------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP
Aranya AB
------------------------------