Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

CPPM Radius - Timeouts, Reject and Accept for same user

  • 1.  CPPM Radius - Timeouts, Reject and Accept for same user

    Posted May 28, 2020 10:36 AM

    Hi ,

     

    I have been configuring ClearPass as radius server.  We have used our own CA and InTune to deploy certs to users.

     

    It works for both Windows and Mac; however, I sometimes see TLS errors with the username being passed rather than username@domain.com. Then it will try again later with username@domain.com and be successful. I have no idea why it is doing this or if there is some sort of retry logic enabled. Below is a screenshot of what I mean, all for the same user:

     

    Screenshot at May 28 15-29-20.png

     

    Logs show: 

     

    RADIUS	EAP-TLS: client certificate CN/SAN comparison failure
    EAP-TLS: fatal alert by server - internal_error
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session

     

    And the detailed logs show:

     

    2020-05-28 14:57:41,274	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] ERROR RadiusServer.Radius - TLS Alert write:fatal:internal error
    2020-05-28 14:57:41,274	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] INFO RadiusServer.Radius - TLS_accept:error in error
    2020-05-28 14:57:41,275	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    2020-05-28 14:57:41,275	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

     

    Any help would be greatly appreciated.

     

    Thanks



  • 2.  RE: CPPM Radius - Timeouts, Reject and Accept for same user

    Posted May 29, 2020 05:11 AM

    What do you have as authentication server(s) behind this service? The messages may suggest that (one of) the authentication/authorization servers are slow/not responding. As it works shortly after, the availability may be intermittent.

     

    In general, if I see 'internal errors', I would work with Aruba support as based on just the available information it is unlikely to find a solution.



  • 3.  RE: CPPM Radius - Timeouts, Reject and Accept for same user

    Posted May 29, 2020 05:18 AM

    Do you mean what are the authentication sources that are used?


    They are Microsoft Graph and Microsoft InTune, depending on what is authenticating; however, it pulls back the data for these, so it just seems like the certificate authentication is failing.

     

    I have two ClearPass servers in AWS, publisher and subscriber.  Certain users seem to be fine and then others seem to have this strange issue.

     



  • 4.  RE: CPPM Radius - Timeouts, Reject and Accept for same user

    Posted May 29, 2020 05:37 AM

    What triggered me was the:

    EAP-TLS: client certificate CN/SAN comparison failure
    EAP-TLS: fatal alert by server - internal_error
    

    This indicates to me that the certificate in itself is fine, but the 'Authorisation' or validation to the authentication source did not work for some reason. Because it is intermittent, I suspect that the authentication servers are sometimes responding and sometimes not (or late).

     

    You could replace your EAP-TLS authentication method by one that has the authorization checkbox disabled. It may then continue and explain what is more specifically failing. Be careful that if you disable authorization, there is no longer a check between the certificate and a corresponding account in AD (or whichever authentication source you used).
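As an added illustration of the check discussed in this thread (not code from the thread or from ClearPass), here is a simplified Python model of comparing the EAP outer identity against a client certificate's CN and SAN entries. The certificate values, the identities "jdoe" and "jdoe@domain.com", and the strip_realm option are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ClientCert:
    """Constructed stand-in for the identity fields of an EAP-TLS client certificate."""
    cn: str
    san_rfc822: List[str] = field(default_factory=list)  # rfc822Name (e-mail) SAN entries
    san_upn: List[str] = field(default_factory=list)     # otherName UPN SAN entries


def cert_identities(cert: ClientCert) -> set:
    """All names the certificate asserts, lower-cased for case-insensitive comparison."""
    return {n.lower() for n in [cert.cn, *cert.san_rfc822, *cert.san_upn]}


def compare_cn_san(outer_identity: str, cert: ClientCert, strip_realm: bool = False) -> Tuple[bool, str]:
    """Compare the EAP outer identity with the certificate's CN/SAN values.

    strip_realm=True additionally accepts a match on the part before '@'
    (an assumed relaxation for illustration, not a ClearPass setting).
    """
    ident = outer_identity.strip().lower()
    names = cert_identities(cert)
    if ident in names:
        return True, "exact match on " + ident
    if strip_realm:
        local = ident.split("@", 1)[0]
        if local in {n.split("@", 1)[0] for n in names}:
            return True, "match after stripping realm from " + ident
    return False, "client certificate CN/SAN comparison failure"


def triage_attempts(attempts: List[str], cert: ClientCert) -> List[Tuple[str, bool]]:
    """Run the strict comparison over a sequence of outer identities sent by one user."""
    return [(ident, compare_cn_san(ident, cert)[0]) for ident in attempts]


# Constructed sample: one user's certificate and the two identity forms described in the thread.
SAMPLE_CERT = ClientCert(cn="jdoe@domain.com", san_upn=["jdoe@domain.com"])
SAMPLE_ATTEMPTS = ["jdoe", "jdoe@domain.com"]

if __name__ == "__main__":
    for ident, ok in triage_attempts(SAMPLE_ATTEMPTS, SAMPLE_CERT):
        print(f"{ident:>18}: {'accept' if ok else 'reject'}")
```

With the strict comparison the bare "jdoe" attempt is rejected and the "jdoe@domain.com" attempt is accepted, which is the accept/reject pattern for one user described in the first post.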