As an FYI in regards to TLSv1.3 support in ClearPass.
https://innovate.arubanetworks.com/ideas/SEC-I-1922
Move the ClearPass RADIUS engine to FreeRADIUS versions > 3.2.0 in order to support TLS 1.3 for EAP-PEAP authentication
ClearPass' RADIUS engine is based on FreeRADIUS. The version of FreeRADIUS ClearPass is running doesn't support TLS 1.3 for EAP-PEAP authentication. This idea is to move the version of FreeRADIUS to a version greater than 3.2.0 which supports TLS 1.3 for EAP-PEAP.
Admin Response
The spirit of this request is valid and already under way, but the actual implementation requested is not possible. ClearPass RADIUS forked from FreeRADIUS long ago and is not compatible with any of the current code.
The support for TLS v1.3 in ClearPass RADIUS is already underway to release for the system. We will close this request as the spirit is being followed, but the delivery mechanism vehicle is not viable.
Walt
Original Message:
Sent: Feb 28, 2023 10:42 AM
From: Gonz
Subject: EAP-TLS 1.3 Support CPPM
Yeah, checked for that and it is not enabled.
Original Message:
Sent: Feb 28, 2023 10:30 AM
From: ahollifield
Subject: EAP-TLS 1.3 Support CPPM
Credential Guard is a big one, but that only impacts PEAP, not EAP-TLS.
Original Message:
Sent: Feb 28, 2023 10:29 AM
From: Gonz
Subject: EAP-TLS 1.3 Support CPPM
Any other new changes in cert / EAP in Windows 11 that could affect this that you know of?
Original Message:
Sent: Feb 28, 2023 10:19 AM
From: Gonz
Subject: EAP-TLS 1.3 Support CPPM
Yes, it matches the FQDN of ClearPass; we use the same GPO for all our clients (win10, win2022, win2019). It matches case also.
Original Message:
Sent: Feb 28, 2023 09:41 AM
From: ahollifield
Subject: EAP-TLS 1.3 Support CPPM
Does that indeed match the FQDN of ClearPass? Also note that in newer versions of Windows 11 and Windows Server, that field is case sensitive.
Original Message:
Sent: Feb 28, 2023 09:22 AM
From: Gonz
Subject: EAP-TLS 1.3 Support CPPM
The pcap shows it's running TLS 1.2 though. So probably not the issue.
Still interested in support for 1.3.
Also, has anyone had issues running EAP-TLS auth on a Windows Server 2022 client? If I disable verification of the server certificate on the client, it does work. I can leave verification of "trusted root certification authorities" on without any issues. As soon as I enable verification of the server cert name, it fails.
All our other clients work fine.
Original Message:
Sent: Feb 28, 2023 04:47 AM
From: Gonz
Subject: EAP-TLS 1.3 Support CPPM
Hi!
I'm wondering which version of ClearPass supports EAP-TLS 1.3.
I'm having some issues with Server 2022 connecting to the network and suspect it's an issue with TLS 1.3.