Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Clearpass : authentification failed, block cipher pad is wrong

  • 1.  Clearpass : authentification failed, block cipher pad is wrong

    Posted 22 days ago
    Hello,

    From time to time we have a failed 802.1x (authentication with locals users in clearpass)
    Authentication method : EAP-GTC

    Can you please identify the problem ?

    Here is the log in clearpass :

    2021-01-04 15:38:48,776 [Th 23154 Req 98134906 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read finished A
    2021-01-04 15:38:48,776 [Th 23154 Req 98134906 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read finished A
    2021-01-04 15:38:48,776 [Th 23154 Req 98134906 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 240:230:8c-27-8a-04-f2-46:AEEA7ADbABt6a9kFIjs44DE7GfnWN1beNauzxQ==
    2021-01-04 15:38:48,797 [Th 23160 Req 98134910 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Service Authentication 802.1X Globale" - 241:371:8c-27-8a-04-f2-46
    2021-01-04 15:38:48,797 [Th 23160 Req 98134910 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - rlm_eap_peap: Session established.
    2021-01-04 15:38:48,797 [Th 23160 Req 98134910 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - rlm_eap_peap: Skipping Phase2 because of session resumption & fast reconnect.
    2021-01-04 15:38:48,797 [Th 23160 Req 98134910 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 241:125:8c-27-8a-04-f2-46:AOoACAAwAIp+a9kFyqvpPugxTUiov/hjz+tqEQ==
    2021-01-04 15:39:19,473 [Th 23152 Req 98135839 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "Service Authentication 802.1X Globale" - 26:437:8c-27-8a-04-f2-46
    2021-01-04 15:39:19,473 [Th 23152 Req 98135839 SessId R01490e93-03-5ff32878] ERROR RadiusServer.Radius - TLS Alert write:fatal:decryption failed
    2021-01-04 15:39:19,473 [Th 23152 Req 98135839 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - rlm_eap_tls: SSL_read Error
    2021-01-04 15:39:19,473 [Th 23152 Req 98135839 SessId R01490e93-03-5ff32878] ERROR RadiusServer.Radius - rlm_eap_tls: rlm_eap_tls: failed in a system call (-1), TLS session fails. error:1408F081:SSL routines:SSL3_GET_RECORD:block cipher pad is wrong
    2021-01-04 15:39:19,473 [Th 23152 Req 98135839 SessId R01490e93-03-5ff32878] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2021-01-04 15:39:19,477 [RequestHandler-1-0x7f08c93e9700 r=psauto-1595800274-43146222 h=655 r=R01490e93-03-5ff32878] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 8c278a04f246

    Thank you,


  • 2.  RE: Clearpass : authentification failed, block cipher pad is wrong

    Posted 21 days ago
    Is this for all devices? The block cipher pad message indicates that unsupported crypto algorithms are tried, like very old and insecure.
    Could it be that you enabled FIPS mode on ClearPass?

    This message seems not too common, I would recommend you to open a TAC support case to get it investigated.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Clearpass : authentification failed, block cipher pad is wrong

    Posted 21 days ago
    Hello,
    It happens when the client roams several times.
    The client use EAP-GTC as innermethode.
    I think i will open a TAC support case
    Regards,

    ------------------------------
    brahim abdelouahab
    ------------------------------