Security

 View Only
  • 1.  AP EAP-TLS using TPM certs authentication fail

    Posted Mar 30, 2024 12:11 AM

    Hi ALL,
    After upgrading the MC to 8.12.0 the AP started throwing :
    802.1X: EAP-TLS using TPM certs authentication fail

    Clearpass on the other hand :
    Client did not complete EAP transaction

    Is there something that i could check from the AP console and identify the source of the issue?



  • 2.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Mar 30, 2024 07:19 AM

    Hi

    EAP is handled between the client and ClearPass. The controller doesn't have an active role in that phase. Thus it's a bit strange if the problem are related to the update of the controller.

    Does this error affect all clients?

    One option could be if the traffic is fragmented for some reason with 8.12 and not the earlier version.

    Do you have a more specific error message?

    Good to know is that in some older TPM chips there is a big related to the PSS RSA algoritm introduced in TLS 1.3. TLS 1.3 is enabled from ClearPass 6.11, but the PSS RSA algorithm can be disabled under the Radius service settings if clients have this issue, or by disable the algorithm on the client side.

    I wrote a blog post about this issue:

    https://aranya.se/en/windows-clients-affected-by-problems-with-tpm-chip-after-clearpass-6-11/



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Mar 31, 2024 07:46 AM

    Yes the error relates to all AP clients ...

    Could you elaborate more on :

    "One option could be if the traffic is fragmented for some reason with 8.12 and not the earlier version"

    How i will check if the traffic is fragmented ?

    Is there something on the AP side that i could check from the console?




  • 4.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Mar 31, 2024 01:58 PM

    Hi

    I just realized i missunderstood you issue. You have the AP's performing 802.1x with the built in TPM certificate, correct?

    In ClearPass, verify that the AP certificate is trusted and also that you can see the certificate information in Access Tracker under the Input tab and section Computed attributes.

    I have not read the 8.12 release notes, are there any known issues mentioned with this version and 802.1x authentication with the TPM certificate. 

    Does other 802.1x authentication work as expected on the same switch?

    Can you share the logs both from the accesspoints, ClearPass and the switch?

    It could be a good idea to contact TAC for troubleshooting.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Apr 01, 2024 04:13 AM
      |   view attached

    Hi ,

    Does other 802.1x authentication work as expected on the same switch?

    Yes WIndows 10/11 working just fine on the same switch!

    "Can you share the logs both from the accesspoints"

    Which logs are you after ?I can only see the bellow from the AP console :

    802.1X: EAP-TLS using TPM certs authentication failure or sapd does not get msg from wpa_supplicant
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication timeout/failure
    802.1X: EAP-TLS using TPM certs authentication APdot1X timeout/failure bypass
    802.1X: EAP-TLS using TPM certs authentication timeout/failure

    Clearpass log will follow as attachement.

    I have opened a TAC but still could not point me to the correct direction.


    Attachment(s)

    txt
    c-pass.txt   18 KB 1 version


  • 6.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Apr 01, 2024 06:52 AM

    I can just find one line with a TLS error in the ClearPass log, and it wasn't very specific.

    Try to enable Debug for both Radius and Policy sevices, and see if you can get more information in ClearPass.

    What version of ClearPass do you run?

    Have you tried to disable PSS RSA, under the Radius server settings? It's possible to disable from ClearPass 6.11.4 or .5. (I'm a bit unsure of the exact version the function was introduced.

    My hypothesishere is that the combination of certificates in TPM, 8.12 and maybe older access points with a TPM chip with the PSS RSA bug could be the issue.

    If that's not the case I don't have any more ideas at the moment.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Apr 01, 2024 11:38 AM
      |   view attached

    ClearPass 6.11.8 

    I've tried to disable PSS RSA but did not resolve the issue.

    I'm attaching a debug log from clearpass for your reference!


    Attachment(s)

    txt
    eap-debug.txt   196 KB 1 version


  • 8.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Apr 01, 2024 12:04 PM

    Hi

    In the first log you attached the request hit service MEDO-AP Wired Aruba Access Point DYN VLAN 802.1X, bit in the new log with DEBUG enabled, this service is not hit by the requests. It looks like it's another type of client in these requests as the service is {ArubaOS SW} Wired Desktop DYN VLAN 802.1X.

    Export a log when one of the access points tries to autenticate.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 9.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Apr 02, 2024 06:21 AM
      |   view attached

    Here you Go!


    Attachment(s)

    txt
    MEDO-AP-DEBG.txt   130 KB 1 version


  • 10.  RE: AP EAP-TLS using TPM certs authentication fail

    Posted Apr 02, 2024 06:40 AM

    I can't find any other error message in the log than:

    TLS_accept:error in SSLv3/TLS write server done

    I'm sorry, but I don't have any more ideas!

    I hope TAC can help you find the issue, or someone else in Airheads



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------