Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

TLS authentication issue : EAP-TLS warning alert by client - close_notify

  • 1.  TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Feb 18, 2014 02:31 PM

    After the iOS device successfully passes the onboarding process, it is not able to authenticate.

     

    I am able to authenticate Win7 and Android devices with no issues.

     

    2014-02-18 14_17_54-ClearPass Policy Manager - Aruba Networks.png

     

    Cert issue?



  • 2.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify
    Best Answer

    Posted Feb 18, 2014 03:02 PM

    Victor,

     

    Based on the error, the client isn't trusting either the Root CA, the Intermediate or the server cert.

     

    1. What version of CPPM?

    2. Did you combine the three when you added them into CPPM?

    3. You might need to change the network settings from Auto to Manual on the trust.

     

    trust.png



  • 3.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Feb 18, 2014 03:37 PM

     

     

     

    Thanks Troy,

     

    1. What version of CPPM?

    6.2.5.60869

    2. Did you combine the three when you added them into CPPM?

    I did.

    3. You might need to change the network settings from Auto to Manual on the trust.

    Just tried that, but it didn't work. Maybe I am missing something else.

     

     



  • 4.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify
    Best Answer

    Posted Feb 18, 2014 03:03 PM

    Had the same problem with iOS 7 clients only. Turned out to be a trust issue.

     

    "My issue turned out to be a trust issue.

     

    Guest > onboard+workspace > Onboard/MDM Configuration > Network Settings > *your profile* > Trust tab

    I had selected to automatically configure trust settings.

    Even though the CPPM SSL certificate included the entire chain, this wasn't working properly.

     

    The fix was to change this to manually configure the trust settings. Cut up the server cert into its CA and intermediate CAs, upload those individually, and then add them as trusted certificates."

     



  • 5.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Feb 18, 2014 03:38 PM

    Thanks koenv,

     

    Sorry, I don't understand this part:

    "Cut up the server cert into its CA and intermediate CAs, upload those individually, and then add them as trusted certificates."

     



  • 6.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Feb 18, 2014 04:03 PM

     

    I'm golden now.

     

    I had to tweak the different certs.

     

    Thank you Guys



  • 7.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jul 29, 2014 03:01 PM

    Awesome, this solved the issue for me on ver 6.3.1.4 with a GoDaddy cert which contained two intermediate CAs in the trust chain.

     

    Chopped up the certs individually, uploaded them as trusted certs, and selected them manually in network settings as shown below.

     

    Bam.  Thank you!

     

    Capture3.JPG



  • 8.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 11:09 AM

    Hello, 

    I have the exact same issue in a lab and a customer environment running CP 6.5.5.78974.

    All devices can successfully onboard (Windows, Android, Apple), but an iPhone cannot connect to the secure network. I get the already mentioned alert.

    clearpass_TLS_session_error.JPG

    I already tried automatic and manual trust settings without success.

    Looking at the iPhone certificate trust list, everything looks fine.

     

    Can anyone help?

     

    Thanks in advance.

     

    Jens



  • 9.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 11:11 AM
    What is the root CA for your radius cert? 



  • 10.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 11:22 AM

    The root CA is a private Microsoft CA.

     

     



  • 11.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 11:44 AM
    Is the cert 2048-bit? 



  • 12.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 11:59 AM

    Yes, the root CA cert as well as the ClearPass cert use 2048-bit keys.

     

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                18:00:00:00:83:63:2a:5b:f5:5f:ae:0a:b3:00:01:00:00:00:83
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
            Validity
                Not Before: Jan 30 15:22:44 2016 GMT
                Not After : Jan 29 15:22:44 2018 GMT
            Subject: C=DE, ST=LS, L=Hannover, O=Hewlett Packard Enterprise, OU=HPE Aruba, CN=cppm01
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                65:73:8e:08:85:cc:03:a6:42:bb:5e:96:5d:79:ec:d5
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
            Validity
                Not Before: Jan 30 15:14:41 2016 GMT
                Not After : Jan 30 15:24:41 2036 GMT
            Subject: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: 
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Basic Constraints: critical
                    CA:TRUE


  • 13.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 12:05 PM
    Do you see both the root and intermediate in the network config profile on the device? 



  • 14.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify

    Posted Jan 30, 2016 12:14 PM

    Yes, but there is no intermediate cert because the ClearPass RADIUS cert is directly issued by the root CA (it's a test environment in this case).

    The root CA cert as well as the ClearPass RADIUS cert are installed and listed in the network config profile. That's why it looks strange to me.

    I also tried the manual trust list, but the behaviour is the same.

     



  • 15.  RE: TLS authentication issue : EAP-TLS warning alert by client - close_notify
    Best Answer

    Posted Feb 01, 2016 04:57 PM

    I have found the root cause for the failure. The Apple devices (I believe since iOS 8) seem to require the RADIUS server to be explicitly added to the "Trusted Server Names" list; otherwise the client rejects the server certificate. (Why couldn't ClearPass just add the CN and subject alternate name (DNS) from the RADIUS server certificate automatically?)

    I assumed that the client would check the common name (CN), but instead I had to add the subject alternate name that has been used in the RADIUS server certificate (DNS:clearpass.networking.hpe.demo).

    clearpass_onboard_trust_settings.JPG

    The automatically configured trusted server list did not work for some reason.

    The "Configure Trust" setting could stay at Automatic. The Onboard client installed all necessary certificates.

     

    Hope that helps.

     

    Regards,

     

    Jens
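
An added example (not from this thread, and not ClearPass or Apple code) that models the two fixes the thread arrives at: splitting a combined PEM chain into the individual certificates that Onboard's manual trust list takes (posts 4 and 7), and checking a server certificate's names against a Trusted Server Names list the way post 15 describes, where the SAN DNS name counted and the CN did not. The PEM bundle and the openssl-style text are constructed samples using the names from the thread; wildcard support in Trusted Server Names is assumed from Apple's configuration-profile documentation for TLSTrustedServerNames.

```python
import re
from fnmatch import fnmatchcase

# Constructed PEM bundle in upload order (server, intermediate, root); bodies are placeholders.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nSERVER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nROOT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)

# Constructed `openssl x509 -text` excerpt using the names from the thread:
# Subject CN is the short host name, the SAN carries the DNS name the client sees.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Subject: C=DE, O=Hewlett Packard Enterprise, CN=cppm01
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:clearpass.networking.hpe.demo
"""

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem_bundle(bundle: str) -> list:
    """Chop a combined chain into one PEM string per certificate, so each CA
    can be uploaded to ClearPass individually and ticked in the manual trust list."""
    return [m.group(0) for m in PEM_CERT.finditer(bundle)]

def names_from_openssl_text(text: str) -> dict:
    """Pull the Subject CN and the SAN DNS entries out of `openssl x509 -text` output."""
    cn = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns = re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else []
    return {"cn": cn.group(1).strip() if cn else None, "dns": dns}

def server_name_trusted(cert: dict, trusted_server_names: list) -> bool:
    """Model the check Jens hit: the supplicant compares the configured Trusted
    Server Names against the SAN DNS names; the CN only counts when no SAN is set.
    '*' wildcards in entries are assumed per Apple's TLSTrustedServerNames docs."""
    candidates = cert["dns"] or ([cert["cn"]] if cert["cn"] else [])
    return any(fnmatchcase(name.lower(), pattern.lower())
               for name in candidates for pattern in trusted_server_names)

if __name__ == "__main__":
    print(len(split_pem_bundle(SAMPLE_BUNDLE)), "certificates to upload separately")
    info = names_from_openssl_text(SAMPLE_CERT_TEXT)
    print("CN only in the list:", server_name_trusted(info, ["cppm01"]))
    print("SAN DNS in the list:", server_name_trusted(info, ["clearpass.networking.hpe.demo"]))
```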