I could not find a full confirmation on this question, but this link at least suggests that the full certificate chain should be compliant.
Also, it's quite logical as if you consider a certain key length for the end-entity (client) because smaller keys may be broken (now or in the near/far future), the same applies to your intermediates and root CA. It's even easier then to crack the root/intermediate, as that would make it trivial to create rogue certificates and break the chain of trust.
I've always used same or stronger algorithms and larger key sizes when going up in the certificate chain. Maybe by intuition at that time, but it makes sense.
If systems verify this, is a different question, but knowing CNSA a bit, it may (or should) be part of the evaluation process.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Apr 11, 2024 11:29 AM
From: todd.friar
Subject: EAP-TLS 192-bit CNSA using ClearPass
Thank you Herman for the insight. To clarify the same client can authenticate using the same controller and ClearPass with a normal EAP-TLS service. Its only when trying EAP-TLS 192-bit it fails. Interesting info about MTU size, will definitely look further into that. As for the certificate the client cert is signed with the appropriate SHA384, ECC, etc. but the Sub CA and Root CA are not. They are standard SHA256RSA. I'm trying to get clarification if the entire chain needs to signed at SHA384. Thanks!
Original Message:
Sent: Apr 11, 2024 11:16 AM
From: Herman Robers
Subject: EAP-TLS 192-bit CNSA using ClearPass
The most common issue when implementing WPA3-Enterprise is that the key material in the certificate is not strong enough. Check this post for a reference.
However that is for clients that authenticate. If I read your description correct, it works with same client and same ClearPass on other wireless, but not with this Cisco controller?
One other issue with EAP-TLS and increasing key sizes (as required by WPA3), is that the EAP Packets while carrying the Client certificate become to big and exceed the MTU somewhere in the path between the AP and ClearPass. It may be that the client does respond to the access-challenge, but that is with the client certificate and that packet is lost somewhere in the path. That would be something to further investigate. If that is the case, either make sure all network components support jumbo frames (including the vSwitch when using VMWare to run ClearPass on), or switch to RadSec which in addition to proper security uses TCP and avoids the MTU issue in that way.
Hope this helps, or with this in mind you may share some additional relevant information about your deployment.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Apr 10, 2024 01:41 PM
From: todd.friar
Subject: EAP-TLS 192-bit CNSA using ClearPass
Hello Community, I'm looking for more information and insight about setting up EAP-TLS 192-bit CNSA auth using ClearPass. I can't find a lot of information on the nuances of successfully setting up 192-bit.
We have devices that need to be tested using this TLS auth type and we're using a Cisco C9800 controller with Cisco 9162 AP's authenticating to ClearPass. All our other EAP-TLS services are working correctly except this one. TLS certs are issued from a Microsoft enterprise CA and Sub CA. ClearPass RADIUS cert is issued from the same CA.
Access tracker shows the client not responding to the access-challenge.
Additional reading i found mention that the entire Root/Sub/Issued cert chain all need to be signed with a SHA384 sig algorithm, Key size ECC 384-bit, ECDSA_P384, etc? Currently we don't satisfy that requirement but can if needed.
I have a TAC case open for this but figured id ask if anyone has any useful information on this scenario.
Thank you, Todd