Security

 View Only
last person joined: 18 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Zoll Medical AED Device TLS 1.2 Handshake

This thread has been viewed 67 times
  • 1.  Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 01:09 PM
    Hi All,

    Anyone has issue with Zoll AED 3 device authenticating against ClearPass ?

    Currently my settings are disabling support for TLS 1.0 and TLS 1.1 under Cluster-Wide Parameters.
    My ClearPass also has FIPS enabled.

    When the AED 3 device wants to authenticate, it straight away giving "handshake error unknown protocol" under Alerts @ Access Tracker.​

    When I capture and read using Wireshark, the Client Hello from the device are all the same as other devices. But, why can't it authenticate and seems ClearPass does not recognize the incoming packet from the AED 3 device.

    Zoll's principal also states already that the device supports TLS 1.2.

    What could be wrong with it ? Any idea ? What should I really check from the pcap to see if the device really 'complies' with what ClearPass expects ?

    Alerts error message:
    RADIUS TLS Handshake failed in SSL_read with error:140760FC:SSL
    routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    eap-tls: Error in establishing TLS session

    Case opened: 5366264084
    The TAC really irritating nowadays, I have already attached all the pcap files at the Case portal, but they never checked it ; keeps asking me what are the issues. You should really improve the SOP bruh ... !!


  • 2.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 02:29 PM
    That error is indeed indicative of a TLS mismatch.  Is the firmware updated on the Zoll device?  Is the Zoll device configured for TLS 1.2?  This really isn't a ClearPass problem but an endpoint problem.


  • 3.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 11:49 PM

    Hmm...

    Still does not answer who is not up to the TLS 1.2 standard, right ? ClearPass or Zoll.

    There should be at least one indicator / parameters in the packet capture that we can see to conclude "oh this device does not support TLS 1.2" sort of.
    This is what I am asking actually: what is the value that we should look for at the pcap ?

    Anyone has any idea ? 




  • 4.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    EMPLOYEE
    Posted Aug 10, 2022 04:17 AM
    ClearPass can do TLS1.2 for sure; it looks to me that the client device doesn't support it.

    In the pcap capture you should have a look at the SSL/TLS negotiations; both ends should tell what protocols/ciphers they support and pick one that both do.

    The message SSL23_GET_CLIENT_HELLO even suggests that the client is trying to do SSLv3, not even TLS... packet capture may provide more clarity on that. Do you have the specifications of the Zoll Medical device? Also, is it a new device or one that was introduced like 10 years ago? Older devices, and embedded devices may have outdated protocol support.

    Do you have a specific reason to enable FIPS on ClearPass? FIPS mode is incompatible with many legacy devices as all 'weak algorithms' are disabled. One clear example is EAP-MD5 which is used by older IP Phones (and other devices). If there is no strict need for FIPS, don't enable it as you can also just not use those protocols/algorithms. Unsure if you can in FIPS mode temporarily enable TLS1.0/1.1 to see if that resolves the issue? If you can, I would do that.

    And would like to know as well the EAP type you are using (as asked by cjoseph)?

    Have you tried if the device connects properly on a WPA2-PSK network? That, combined with profiling or manual attributes may be the workaround if WPA2-Enterprise with modern standards is not supported by the device.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 10, 2022 09:56 PM
    I have tried enabling 1.1 and 1.0, it works with 1.0 enabled.
    But the customer won't accept 1.0 anymore as it has been deprecated in 2020, they said.

    So we would like to try as best as we can to see what is wrong here.


  • 6.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 10, 2022 09:58 PM
    Zoll specification is Zoll AED 3 device.
    Date of production around 5-6 years ago, I checked this one too, seeing from their device itself.


  • 7.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 11, 2022 09:12 AM
    The only thing to do is contact Zoll for a firmware update or replace the device.  There is nothing to do from a ClearPass prospective other than leave TLS 1.0 enabled.


  • 8.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 11:50 PM
    Zoll side has confirmed their firmware is the latest.

    About how they tell it is the latest, I do not know. It is just from what they said. I just have to trust them, right ?


  • 9.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    EMPLOYEE
    Posted Aug 10, 2022 01:54 AM
    What EAP type are you using?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 10.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 10, 2022 09:53 PM
    EAP-PEAP


  • 11.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    EMPLOYEE
    Posted Aug 11, 2022 09:19 AM
    Would try a WPA2-PSK network if your security team would allow it.  Very costly  medical devices typically have much older, rarely updated supplicants that do not get patched, so many are difficult to work with different flavors of EAP.  Since the wireless drivers are rarely updated, it also makes them more likely to break as standards are updated.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 12.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 12, 2022 02:02 AM
    Hello,

    If you want to switch to WPA2-PSK don't forget the MPSK feature which is very usefull in those cases.

    Kind regards

    Christian


  • 13.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Feb 16, 2023 06:27 AM

    Zoll US replied:

    "R&D have confirmed that the AED3 certainly does work in environments where TLS 1.0 is disabled. However, the test environments they have validated this in are Cisco and freeRadius. In this case the customer is using ClearPass, it might be the case that there is something in the configuration of ClearPass that is the issue here. They have suggested that the customer also check with ClearPass as there might be a known issue that causes this in some circumstances.

    For further investigation it would also be good to know the network setup and the make and model of the equipment being used."




  • 14.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Feb 17, 2023 05:29 PM

    Hi, I think you'll need to make a packet capture where you can find out where the tls negotiation is breaking and that may give you an idea where to go next.

    Wild guess: The AED3 and Clearpass don't have a common cipher in TLS1.1.


    Can you get the suppported ciphers by the AED3 device?

    I hope this helps



  • 15.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Jun 01, 2023 03:11 AM

    Hi Ulises,

    TAC in my case # 5366264084 was able to confirm if their device (Zoll) use non-TLS 1.2 to establish handshake, but the vendor insist they use TLS 1.2 to do handshake and our FIPS-enabled server  is causing the issue.

    So they ask us to test with FIPS-disabled environment, but then everyone in my team said I do not need to bother about this because FIPS has nothing to do with TLS 1.2 thingy.

    Is this true ?

    Any suggestion what we should suggest Zoll to check to their internal team ?

    PS: Our customer wants to enable FIPS-mode and disable TLS 1.0 and 1.1 due to their hardening standard.

    Opened another TAC case 5373841178 for this, and I ask here about this to get a rough answer first.




  • 16.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Jun 04, 2023 02:40 PM

    True but yes this really sounds like Zoll is the culprit here.