Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Finding clients using TLS 1.0 and 1.1

Jump to Best Answer
This thread has been viewed 23 times
  • 1.  Finding clients using TLS 1.0 and 1.1

    Posted May 07, 2021 04:42 AM
    Hi

    One of my customers have communicated that they will ban the usage of TLS 1.0 and TLS 1.1 on all internal systems during this autumn.
    With Wireshark I have identified that some clients still use TLS 1.0. The devices I have identified are for example IP phones and printers.
    This customer only have managed devices authenticating to ClearPass with EAP-TLS. Majority of clients are Windows 10 using EAP-TLS and they are utilizing TLS 1.2.

    But as the customer have multiple ClearPass clusters on several continents this way of find if clients still use old versions of TLS will not be feasible.

    Is it possible to create a report in Insight with these clients or any other way filter out the clients based on information available in ClearPass?

    If it's not possible to get the information directly from ClearPass, any other suggestions on how to find these clients?

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP
    Aranya AB
    ------------------------------


  • 2.  RE: Finding clients using TLS 1.0 and 1.1

    Posted May 10, 2021 05:09 AM
    I believe this information is currently not exposed within ClearPass. It is captured in the /var/log/httpd/ssl_access_log:

    172.16.137.1 - - [07/May/2021:13:01:07 +0100] "POST /tips/dwr/call/plaincall/dashboard.filterTableOnServerWithQuery.dwr HTTP/1.1" 200 50023 "https://cppm.hpearubademo.com/tips/tipsContent.action" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 71625µs
    172.16.137.1 - - [07/May/2021:13:01:07 +0100] "POST /tips/dwr/call/plaincall/login.getServerDate.dwr HTTP/1.1" 200 250 "https://cppm.hpearubademo.com/tips/tipsContent.action" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0" TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 2839µs

    However, this file can't even be accessed via a "Collect Logs".

    Unless someone knows otherwise you will have to work with TAC...




    ------------------------------
    Derin Mellor
    ------------------------------



  • 3.  RE: Finding clients using TLS 1.0 and 1.1

    Posted May 10, 2021 05:17 AM
    Thank you for the answer

    In that case I have to find another way to verify that the clients are using correct TLS version.
    Maybe we can get the logfile with the help of TAC as a final check.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP
    Aranya AB
    ------------------------------



  • 4.  RE: Finding clients using TLS 1.0 and 1.1

    Posted May 10, 2021 05:57 AM
    Correction: I answer this based on the client doing HTTPS web login.
    Regarding 802.1X TLS authentication: This is not exposed in normal ClearPass. In PolicyManager if you enable RADIUS DEBUG can see the TLS version in the AccessTracker's Event Log file. For what you want to do this is not a practical solution. If you Collect Logs with the "Logs from all Policy Manager services" this will have the TLS information:

    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: <<< TLS 1.2 Handshake [length 0097], ClientHello
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 read client hello A
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.2 Handshake [length 0034], ServerHello
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write server hello A
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.2 Handshake [length 0f85], Certificate
    2021-05-06 14:52:28,169 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write certificate A
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.2 Handshake [length 014d], ServerKeyExchange
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write key exchange A
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - Ignoring cbtls_msg call with pseudo content type 256, version 0
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.2 Handshake [length 0519], CertificateRequest
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 write certificate request A
    2021-05-06 14:52:28,173 [Th 17 Req 20822 SessId R0000162a-01-6093f49c] DEBUG RadiusServer.Radius - TLS_accept: SSLv3 flush data

    This will export the current log file which may not be that long. I'm not sure what causes this to restarted?
    Irrespective, you would need a script to parse this file extract these TLS details and correlate this SessId to identify the source device. Certainly possible...

    ------------------------------
    Derin Mellor
    ------------------------------



  • 5.  RE: Finding clients using TLS 1.0 and 1.1

    Posted May 10, 2021 07:13 AM
    Thank you for the clarification.

    I agree that this is not a way to go to find any clients using TLS 1.0 or 1.1.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP
    Aranya AB
    ------------------------------



  • 6.  RE: Finding clients using TLS 1.0 and 1.1

    EMPLOYEE
    Posted May 10, 2021 10:09 AM
    You can block TLS 1.0 and or TLS 1.1:

    Then check if you have clients failing authentication; but I agree that may be the hard way but in the end, it is what you want to implement. Note that Windows 7 is reported not to support TLS 1.2, so if you still have those, it is riskier to enable the cipher limitations.

    Having a feature that would allow older ciphers, but warn would be a nice option. You could ask your local Aruba Partner or SE if such a future is already requested, and have it added to the Innovation Zone if it isn't.

    Putting the RADIUS service in DEBUG temporarily, and checking the radius.log files as Derin suggests would be an option to me.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Finding clients using TLS 1.0 and 1.1

    Posted May 10, 2021 11:10 AM
    Thank you Herman

    All Windows 7 should be long gone, so they should not be an issue. I think the method to disable TLS 1.0 and 1.1 to see if any clients run into issues will be out of scope for this company. Too many locations and critical business over phones etc.

    I have got information that we may have a tool to find the clients outside of ClearPass, so I think that will be the primary option.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP
    Aranya AB
    ------------------------------



  • 8.  RE: Finding clients using TLS 1.0 and 1.1
    Best Answer

    Posted May 10, 2021 12:03 PM
    If you were to write a script to process this the challenge is extracting the associated device details. I feel the best way to do this would be to use the PostGreSQL interrogating the tipsLogsDb using the script along the lines:
    SELECT timestamp, id, calling_station_id, framed_ip_address
    FROM tips_radius_accounting_log
    WHERE id='%{session_id}' AND timestamp>='%{timestamp}'
       AND timestamp<'%{timestamp}+5'
    I noticed that the timestamp on this was a few seconds behind what is reported in the log file. I've assumed 5s is sufficient? Irrespective this would extract this specific session.

    However, if the session details have been archived off you would have to use the Insight database:
    SELECT start_time, session_id, calling_station_id, framed_ip, username
    FROM radius_acct
    WHERE session_id @> ARRAY['R0000162a-01-6093f49c']
    AND start_time BETWEEN '2021-05-06 14:52:28' AND '2021-05-06 14:52:33'



    ------------------------------
    Derin Mellor
    ------------------------------