Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

eap-tls: Error in establishing TLS session

  • 1.  eap-tls: Error in establishing TLS session

    Posted Aug 19, 2024 02:37 AM

    I have a GPO that pushes out the machine certificate to the Windows 11 machines.  We have a few machines that are not able to connect to the SSID, and when I look at the ClearPass logs I get the error below.  I compared the thumbprint and cert on the ones that are working and the one that is not working.  Everything looks the same as to the certificate and running the netsh wlan show profile command.  I ran the pcap and there is nothing that pops out telling me why the client was denied.  I am hoping someone can assist me or knows the issue.

    Error Code: 215
    Error Category: Authentication failure
    Error Message: TLS session error
    Alerts for this Request:
    RADIUS EAP-TLS: fatal alert by client - access_denied
    eap-tls: Error in establishing TLS session


  • 2.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 19, 2024 04:12 AM

    Hi

    In the certificates, do you have the same format of the common name and SAN on the machines that are working and not working?

    In your AD source, what is the query to find the computer account?

    Can you, from the Access Tracker dialogue, click the button Show Logs and paste the log?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 19, 2024 08:46 AM

    Hi Jonas

    I confirm the SAN information is the same on both computers.   Not sure I understand what you mean by query, but we use Intune as the compliance check.  Here are the show logs:

    Login Status: REJECT
    Session Identifier: R0000100c-08-66c32b12
    Date and Time: Aug 19, 2024 12:23:00 BST
    End-Host Identifier:
    End-Host Profile: Computer / Windows / Windows 10.0.19042.1826
    End-Host Status: Known
    Username: host/US-SO-ALM-05924.pharms-services.com
    Access Device IP (Port): 10.32.190.50
    Access Device Name: 169.254.1.1
    System Posture Status: UNKNOWN (100)

    Policies Used -
    Service: Almac - EAP-TLS WLAN
    Authentication Method: EAP-TLS
    Authentication Source: Local:localhost
    Authorization Source: Almac-Microsoft-inTune
    Roles: B1, US-SO-ALM-05924
    Enforcement Profiles: ALMAC-B1
    Service Monitor Mode: Disabled
    Online Status: Not Available



  • 4.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 19, 2024 08:45 AM

    "fatal alert by client - access_denied" suggests that the client has an issue with what ClearPass sends. So that may be the EAP certificate, or the SAN(s) not matching the RADIUS server name that you configured for the client. It might also be that the client certificate is locked (password), or not present. Maybe you can find something in the Event Viewer on your client?

    Is the clock (time) set correctly on all of your clients?



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 19, 2024 08:50 AM

    Since this is a machine certificate, why would it work from the majority of the machines and fail on only a few?  The time is correct and we made sure it is synced correctly.  I compared pretty much everything from the working machine and also imported the same cert from the ClearPass server, but no luck.




  • 6.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 20, 2024 03:08 AM

    Hi.

    This looks more like an AD problem than a ClearPass problem. Check the machine account in AD. Access Denied suggests that AD is not happy with the machine credentials.

    Did you check Windows event log for clues?

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 7.  RE: eap-tls: Error in establishing TLS session

    MVP
    Posted Aug 20, 2024 07:31 AM

    Assuming you are using ClearPass 6.11.x or newer, by default there is a new TLS encryption enabled that does not work with some earlier TPM chips.

    IMO the best solution is to disable it for every server in the cluster.

    Administration -> Server configuration -> [CPPM node] -> Service parameters -> Radius server -> TLS -> Disable RSA-PSS signature Suite in EAP-TLS

    Set from FALSE to TRUE

    Save for each node in the cluster.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 8.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 21, 2024 08:16 AM

    Thanks bosborne.  After following your steps, that resolved the issue.  We have machines running TPM 2.0 subversion 1.16.  It looks like ClearPass 6.11.8 doesn't support the 1.16 subversion, so most likely the TPM needs to be upgraded if possible.
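    An added example, not code from any post in this thread: a PowerShell inventory script for a Windows client that reports the TPM spec revision and which LocalMachine RSA machine certificates keep their private key in the TPM (Microsoft Platform Crypto Provider), the combination the two posts above tie to the RSA-PSS EAP-TLS failure. It assumes Win32_Tpm.SpecVersion reads "family, level, revision" (e.g. "2.0, 0, 1.16") and flags only revision 1.16, the value reported above; the function name Get-EapTlsTpmRisk is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the client.
# Reports TPM spec revision and which RSA machine certs have TPM-resident keys,
# so a fleet can be inventoried before deciding between disabling the RSA-PSS
# signature suite on ClearPass and upgrading TPM firmware.
function Get-EapTlsTpmRisk {
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm
    if (-not $tpm) { Write-Warning 'No TPM reported by WMI'; return }

    # Assumed layout: "2.0, 0, 1.16" -> family 2.0, level 0, revision 1.16
    $parts    = $tpm.SpecVersion -split ',\s*'
    $family   = $parts[0]
    $revision = if ($parts.Count -ge 3) { [double]$parts[2] } else { 0 }
    Write-Host "TPM spec: family $family, revision $revision"

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsa = $null }
        # Only RSA keys are affected by RSA-PSS negotiation; ECDSA certs are skipped
        if ($null -eq $rsa) { continue }

        $provider = ''
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = $rsa.Key.Provider.Provider
        }
        $inTpm = $provider -eq 'Microsoft Platform Crypto Provider'
        # Flag the exact combination reported in the thread: TPM 2.0 revision 1.16 key in the TPM
        $atRisk = $inTpm -and ($family -eq '2.0') -and ($revision -eq 1.16)

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            KeyInTPM   = $inTpm
            AtRisk     = $atRisk
        }
    }
}

Get-EapTlsTpmRisk | Format-Table -AutoSize
```

    Certificates with KeyInTPM true but AtRisk false on a newer TPM revision are the ones expected to keep working with the RSA-PSS suite left enabled.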




  • 9.  RE: eap-tls: Error in establishing TLS session

    MVP
    Posted Aug 21, 2024 08:21 AM

    That new encryption was added due to the underlying platform change. We have decided to just disable it; things are just as secure as with earlier CPPM versions.

    As a university, we do not have much control over what devices are used on our network.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 10.  RE: eap-tls: Error in establishing TLS session

    Posted Aug 23, 2024 05:05 PM

    Hi bosborne, 

    I'm not able to find these settings in my 6.11.1 cluster - do you mind sharing a screenshot?

    thanks



    ------------------------------
    Cheers!
    MG
    ------------------------------



  • 11.  RE: eap-tls: Error in establishing TLS session

    MVP
    Posted Aug 23, 2024 05:40 PM

    You need to patch your cluster. That feature was introduced in Patch 4.

    Patch 9 is the latest, but if you use Insight, Patch 8 is recommended due to a bug in Patch 9.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 12.  RE: eap-tls: Error in establishing TLS session

    EMPLOYEE
    Posted Aug 26, 2024 10:36 AM

    The Insight bug exists in 6.11.0.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 13.  RE: eap-tls: Error in establishing TLS session

    MVP
    Posted Aug 26, 2024 10:41 AM

    OK, I had not heard that. I have disabled Insight because we do not use it.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------