EAP-TLS 1.3 Support CPPM

  • 1.  EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 04:47 AM

    Hi!

    I'm wondering which version of ClearPass supports EAP-TLS 1.3.

    I'm having some issues with Server 2022 connecting to the network and suspect it's an issue with TLS 1.3.



  • 2.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 09:20 AM

    You have a Windows Server 2022 performing 802.1X authentication to the network?  What is the use-case to authenticate servers?




  • 3.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 09:24 AM

    We have local file servers on our network sites at some locations. We run a fully authenticated network; it works fine with Windows 2019.




  • 4.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 09:23 AM

    The pcap shows it's running TLS 1.2, though. So probably not the issue.

    Still interested in support for 1.3.

    Also, has anyone had issues running EAP-TLS auth on a Windows Server 2022 client? If I disable verification of the server certificate on the client, it does work. I can leave verification of "trusted root certification authorities" on without any issues. As soon as I enable verification of the server cert name, it fails.

    All our other clients work fine.




  • 5.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 09:41 AM

    Does that indeed match the FQDN of ClearPass?  Also note that in newer versions of Windows 11 and Windows Server, that field is case sensitive.




  • 6.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 10:19 AM

    Yes, it matches the FQDN of ClearPass; we use the same GPO for all our clients (Win10, Win2022, Win2019). It matches case also.




  • 7.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 10:29 AM

    Any other new changes in cert / EAP in Windows 11 that could affect this that you know of?




  • 8.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 10:30 AM

    Credential Guard is a big one, but that only impacts PEAP, not EAP-TLS.




  • 9.  RE: EAP-TLS 1.3 Support CPPM

    Posted Feb 28, 2023 10:43 AM

    Yeah, checked for that and it is not enabled.




  • 10.  RE: EAP-TLS 1.3 Support CPPM

    Posted Mar 01, 2023 02:38 PM

    As an FYI in regards to TLSv1.3 support in ClearPass.

    https://innovate.arubanetworks.com/ideas/SEC-I-1922

    Move the ClearPass RADIUS engine to FreeRADIUS versions > 3.2.0 in order to support TLS 1.3 for EAP-PEAP authentication

    ClearPass' RADIUS engine is based on FreeRADIUS. The version of FreeRADIUS ClearPass is running doesn't support TLS 1.3 for EAP-PEAP authentication. This idea is to move the version of FreeRADIUS to a version greater than 3.2.0 which supports TLS 1.3 for EAP-PEAP.

    Admin Response

    The spirit of this request is valid and already under way, the actual implementation requested is not possible. ClearPass RADIUS forked from FreeRADIUS long ago and is not compatible with any of the current code.

    The support for TLS v1.3 in ClearPass RADIUS is already underway to release for the system. We will close this request as the spirit is being followed, but the delivery mechanism vehicle is not viable.

    Walt