Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Auth with CPPM Failing

  • 1.  EAP-TLS Auth with CPPM Failing

    MVP
    Posted Feb 21, 2019 10:41 AM

    Hi all,

    Having some trouble getting EAP-TLS working properly. We have never used it in the past, always EAP-PEAP. I modified our 802.1X service to allow [EAP-TLS] and the policy looks to be working properly. However, the requests are still failing due to the following errors in the logs:

    [Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
    2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
    2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
    2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

    Any suggestions on what I can look at?

    I have added the certs from the domain that are used on the device into the trust list in CPPM and added the RADIUS cert onto the device to trust our CPPM server as well. Tried disabling TLS 1.2 but did not make a difference. We still support TLS 1.0 and 1.1 as well in cluster-wide parameters.

    Not sure what else could be causing it not to complete the SSL connection.



  • 2.  RE: EAP-TLS Auth with CPPM Failing

    EMPLOYEE
    Posted Feb 21, 2019 10:45 AM
    No client cert is being presented by the client.


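The log lines quoted in the opening post, run through a small triage script that groups the RadiusServer.Radius messages by request id, pulls out the TLS_accept failure state and the alert that was read, and flags the combination seen here (close notify received while the server was waiting in "read client certificate"). This is an added example, not ClearPass code or anything posted by the participants; the diagnosis codes and hint text are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the four ClearPass lines quoted in the opening post.
SAMPLE_LOG = """\
[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

LINE_RE = re.compile(r"\[Th \d+ Req (?P<req>\d+) SessId (?P<sess>\S+)\] ERROR RadiusServer\.Radius - (?P<msg>.*)$")
ALERT_RE = re.compile(r"TLS Alert read:(?P<level>\w+):(?P<desc>.+)$")
ACCEPT_RE = re.compile(r"TLS_accept:failed in (?P<state>.+)$")
# Advice keyed by the diagnosis code that diagnose() returns (hypothetical wording, not ClearPass text).
HINTS = {
    "no_client_certificate": ("client sent close_notify while the server was waiting for its certificate: "
        "check that the supplicant profile trusts the EAP server cert (CN and every SAN, plus the issuing root) "
        "and that a client certificate is actually provisioned"),
    "handshake_failed_other": "handshake failed in another state; read the TLS_accept line and alert",
    "ok": "no TLS handshake failure logged for this request",
}

def parse_requests(log_text):
    # Group the TLS-related messages of each RADIUS request id.
    reqs = defaultdict(lambda: {"sess": None, "alerts": [], "failed_state": None, "handshake_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        r, msg = reqs[m["req"]], m["msg"]
        r["sess"] = m["sess"]
        if a := ALERT_RE.match(msg):
            r["alerts"].append((a["level"], a["desc"].strip()))
        if s := ACCEPT_RE.match(msg):
            r["failed_state"] = s["state"].strip()
        if "TLS Handshake failed" in msg:
            r["handshake_failed"] = True
    return dict(reqs)

def diagnose(req):
    # Classify one parsed request; the result is a key of HINTS.
    if not req["handshake_failed"]:
        return "ok"
    alerts = {desc for _, desc in req["alerts"]}
    if "read client certificate" in (req["failed_state"] or "") and "close notify" in alerts:
        return "no_client_certificate"
    return "handshake_failed_other"

if __name__ == "__main__":
    for req_id, info in parse_requests(SAMPLE_LOG).items():
        print(req_id, info["sess"], diagnose(info), "-", HINTS[diagnose(info)])
```

Run it against a larger export of the same logger and every request that died in "read client certificate" after a close notify stands out from requests that failed elsewhere in the handshake.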
  • 3.  RE: EAP-TLS Auth with CPPM Failing

    MVP
    Posted Feb 21, 2019 10:59 AM

    So we're pushing the configuration through Microsoft Intune, I know this isn't Microsoft's forum, but any recommendations on how to have it do that?



  • 4.  RE: EAP-TLS Auth with CPPM Failing
    Best Answer

    MVP
    Posted Mar 14, 2019 02:20 PM

    I was able to finally get this resolved and wanted to share my findings - 

    We ended up getting a cert issued by our internal enterprise CA and added that as a Service Certificate and applied it to a new service for testing. On the Microsoft Intune side, the WiFi configuration required all of the names on the certificate including CN and ALL SANs, which apparently sounds like an iOS requirement. We also need to have the trusted root certificate from the enterprise CA.

    Now the EAP-TLS auths are successful.



  • 5.  RE: EAP-TLS Auth with CPPM Failing

    Posted Apr 02, 2021 05:00 PM
    MHaring,
    I am working with my DE Team for MacBook JAMF profiles to push EAP-TLS to my org and we're sitting here grasping at straws...  Stumbled across this and what do you know, the SANs were required even though JAMF only specifies Cert CN.  Thanks a bunch!!

    Regards
    -Ian

    ------------------------------
    Ian Fritchy
    ------------------------------



  • 6.  RE: EAP-TLS Auth with CPPM Failing

    MVP EXPERT
    Posted Apr 05, 2021 10:24 AM
    Your EAP server certificate should only have a single SAN that matches the CN.

    ------------------------------
    Tim C
    ------------------------------