Hi Bruce
I agree with your statement that an option in the GUI to disable PSS RSA support would be good and I have filed a feature request in the Innovation zone: https://innovate.arubanetworks.com/ideas/SEC-I-1960
Please vote on the idea if you find it useful
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Apr 25, 2023 07:10 AM
From: bosborne
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10
From my research, the issue is with TPM 2.0 firmware from the various hardware manufacturers. It is therefore not a Microsoft implementation issue, but a manufacturer-specific firmware issue. This is not listed in the Release Notes as a Behavior change. Many users reading the Release Notes do not comb through all the issues entries.
I realize this support allows enhancing FIPS support. Is Aruba planning an option to not negotiate RSA PSS in non-FIPS systems for improved compatibility? Most of the clients on our network are running Windows 10 and our testing has revealed these TLS compatibility issues. The majority of our clients are personally owned by students & staff, so we have no control over firmware versions.
If we wish to maintain ClearPass support past the end of the year, we are forced to move to 6.11.x. In my personal opinion, we need a more compatible solution than currently offered. We have been a ClearPass customer since the early days of Aruba's purchase of Avenda. This is the first time, in my memory, where we do not see a viable path to maintain product support. In fact, our proof of concept was before Aruba rebranded the product.
To reiterate, the above statements are based on my personal opinions and experiences with this product.
Thank you again for highlighting this issue that I missed in the Release Notes.
------------------------------
Bruce Osborne ACCP ACMP
Liberty University
The views expressed here are my personal views and not those of my employer
Original Message:
Sent: Apr 22, 2023 02:44 AM
From: mattAruba
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10
The OpenSSL version used in 6.10 and earlier did not have support for RSA PSS, forcing ClearPass to negotiate a different cipher suite, and hence this issue is not seen in older versions. 6.11 with its updated OpenSSL module negotiates RSA PSS but fails due to the implementation bug on the Microsoft side. So far it seems like only devices with TPM 2.0 revision 1.16 have this issue. If the device supports a TPM upgrade, that is one way to fix the issue. However, a TPM update is not an option in all cases.
Workarounds are to disable RSA-PSS on the Windows client side or a TPM update. If neither of these options works, TAC might be able to help disable TLS 1.2 from the support shell.
Original Message:
Sent: Apr 21, 2023 03:58 AM
From: jonas.hammarback
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10
Hi
I have a customer affected by CP‑49353 in all 6.11.x versions (found in the Policy Manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.
Has anyone else encountered this issue and is able to tell whether it works well to disable the RSA PSS algorithm on the Windows client, or whether any other issues arise?
I would also like to know if someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.
Is there a change in the lowest possible algorithm in 6.11 that forces the client to negotiate an algorithm that is poorly implemented on the Windows side?
The error message seen in Access Tracker is:
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request
RADIUS: EAP-TLS: fatal alert by server - decrypt_error TLS Handshake failed in SSL_read with error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid eap-tls: Error in establishing TLS session
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP, ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
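An added example written for this thread (not code from Aruba, OpenSSL or any poster) tying together mattAruba's explanation of why 6.11 negotiates RSA-PSS and the Access Tracker alert in the original post: a minimal EMSA-PSS verifier (RFC 8017, SHA-256 with MGF1) run against a constructed all-zero encoded message, showing why a zero-filled signature fails at the 0xBC trailer check ("last octet invalid") before any hash comparison takes place. Assumptions: RSA-2048 (emBits = 2047), a 32-byte salt, a stand-in transcript hash, and that an all-zero signature s yields EM = s^e mod n = 0.

```python
import hashlib

HASH = hashlib.sha256
H_LEN = HASH().digest_size

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 with SHA-256 (RFC 8017 B.2.1)."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def emsa_pss_encode(m_hash: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1): what a correct signer feeds to RSA."""
    em_len = (em_bits + 7) // 8
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]
    return masked + h + b"\xbc"  # the 0xBC trailer is the "last octet" OpenSSL checks

def emsa_pss_verify(m_hash: bytes, em: bytes, em_bits: int, s_len: int) -> str:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); returns "ok" or the failing check's name."""
    em_len = (em_bits + 7) // 8
    top_bits = 8 * em_len - em_bits
    if len(em) != em_len or em_len < H_LEN + s_len + 2:
        return "data too large"
    if em[0] & ((0xFF << (8 - top_bits)) & 0xFF):
        return "first octet invalid"
    if em[-1] != 0xBC:          # trailer checked before the mask is removed
        return "last octet invalid"
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - H_LEN - 1)))
    db = bytes([db[0] & (0xFF >> top_bits)]) + db[1:]
    pad_len = em_len - H_LEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:
        return "sLen check failed"
    salt = db[pad_len + 1:]
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return "ok" if h_prime == h else "bad signature"

# Constructed CP-49353 case: RSA-2048 (emBits = 2047), SHA-256, 32-byte salt.
# An all-zero 256-byte signature s gives EM = s^e mod n = 0, i.e. 256 zero bytes.
RSA2048_EM_BITS = 2047
M_HASH = hashlib.sha256(b"constructed handshake transcript").digest()  # stand-in
ZERO_EM = bytes(256)
if __name__ == "__main__":
    print("all-zero EM:", emsa_pss_verify(M_HASH, ZERO_EM, RSA2048_EM_BITS, 32))
    good = emsa_pss_encode(M_HASH, RSA2048_EM_BITS, bytes(32))
    print("well-formed EM:", emsa_pss_verify(M_HASH, good, RSA2048_EM_BITS, 32))
```

Because the trailer check precedes everything else, a server cannot tell a zero-filled signature from a corrupted one at this point; only the client-side fix (disabling RSA-PSS or updating the TPM firmware) changes the outcome.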