Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Zoll Medical AED Device TLS 1.2 Handshake

  • 1.  Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 01:09 PM
    Hi All,

    Does anyone have issues with the Zoll AED 3 device authenticating against ClearPass?

    Currently my settings disable support for TLS 1.0 and TLS 1.1 under Cluster-Wide Parameters.
    My ClearPass also has FIPS enabled.

    When the AED 3 device wants to authenticate, it straight away gives "handshake error unknown protocol" under Alerts @ Access Tracker.

    When I capture and read it using Wireshark, the Client Hello from the device is all the same as from other devices. But why can't it authenticate? It seems ClearPass does not recognize the incoming packet from the AED 3 device.

    Zoll's principal has also already stated that the device supports TLS 1.2.

    What could be wrong with it? Any idea? What should I really check in the pcap to see if the device really 'complies' with what ClearPass expects?

    Alerts error message:
    RADIUS TLS Handshake failed in SSL_read with error:140760FC:SSL
    routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    eap-tls: Error in establishing TLS session

    Case opened: 5366264084
    TAC is really irritating nowadays. I have already attached all the pcap files at the Case portal, but they never checked them; they keep asking me what the issues are. You should really improve the SOP bruh ... !!


  • 2.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 02:29 PM
    That error is indeed indicative of a TLS mismatch.  Is the firmware updated on the Zoll device?  Is the Zoll device configured for TLS 1.2?  This really isn't a ClearPass problem but an endpoint problem.


  • 3.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 11:49 PM

    Hmm...

    That still does not answer who is not up to the TLS 1.2 standard, right? ClearPass or Zoll.

    There should be at least one indicator / parameter in the packet capture that we can see to conclude "oh, this device does not support TLS 1.2" or something like that.
    This is what I am actually asking: what is the value that we should look for in the pcap?

    Does anyone have any idea?




  • 4.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    EMPLOYEE
    Posted Aug 10, 2022 04:17 AM
    ClearPass can do TLS1.2 for sure; it looks to me that the client device doesn't support it.

    In the pcap capture you should have a look at the SSL/TLS negotiations; both ends should tell what protocols/ciphers they support and pick one that both do.

    The message SSL23_GET_CLIENT_HELLO even suggests that the client is trying to do SSLv3, not even TLS... a packet capture may provide more clarity on that. Do you have the specifications of the Zoll Medical device? Also, is it a new device or one that was introduced like 10 years ago? Older devices and embedded devices may have outdated protocol support.

    Do you have a specific reason to enable FIPS on ClearPass? FIPS mode is incompatible with many legacy devices as all 'weak algorithms' are disabled. One clear example is EAP-MD5, which is used by older IP Phones (and other devices). If there is no strict need for FIPS, don't enable it, as you can also just not use those protocols/algorithms. Unsure if you can temporarily enable TLS 1.0/1.1 in FIPS mode to see if that resolves the issue? If you can, I would do that.

    And I would like to know as well the EAP type you are using (as asked by cjoseph).

    Have you tried whether the device connects properly on a WPA2-PSK network? That, combined with profiling or manual attributes, may be the workaround if WPA2-Enterprise with modern standards is not supported by the device.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
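    The value to look for in the pcap, as asked in reply 3 and answered above, is the client_version inside the ClientHello handshake message (plus the supported_versions extension on TLS 1.3-capable clients), not the record-layer version, which most clients leave at TLS 1.0. The Python below is an added example, not code from this thread or from ClearPass: it builds a constructed ClientHello as sample input, parses it the way you would read the bytes in Wireshark, and reports the highest version the client actually offers; for EAP-PEAP the same ClientHello sits inside the EAP-TLS payload of the RADIUS Access-Request.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def build_client_hello(legacy_ver, extensions=b""):
    """Constructed minimal ClientHello used as sample input here (not a real capture)."""
    body = struct.pack(">H", legacy_ver) + b"\x00" * 32 + b"\x00"  # client_version, random, empty session_id
    body += struct.pack(">H", 2) + b"\xc0\x2f"                        # one cipher suite
    body += b"\x01\x00"                                               # null compression only
    if extensions:
        body += struct.pack(">H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 + 24-bit length
    # Record-layer version is usually 0x0301 regardless of what the client actually offers.
    return b"\x16" + struct.pack(">H", 0x0301) + struct.pack(">H", len(hs)) + hs

def parse_client_hello(data):
    """Return which protocol versions a captured ClientHello actually offers."""
    if data[0] & 0x80:  # SSLv2-format hello: no TLS record header at all, only SSL23 code paths accept it
        return {"format": "sslv2", "highest": "SSLv2-style hello", "offers_tls12": False}
    if data[0] != 0x16 or data[5] != 0x01:  # 0x16 = handshake record, 0x01 = client_hello
        raise ValueError("not a TLS ClientHello record")
    record_ver = struct.unpack(">H", data[1:3])[0]
    legacy_ver = struct.unpack(">H", data[9:11])[0]
    pos = 11 + 32                       # skip client random
    pos += 1 + data[pos]                # session_id
    pos += 2 + struct.unpack(">H", data[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + data[pos]                # compression_methods
    supported = None
    if pos < len(data):                 # extensions block is optional (absent on very old clients)
        end = pos + 2 + struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
            if etype == 43:             # supported_versions (RFC 8446): u8 length + list of u16 versions
                body = data[pos + 1:pos + 1 + data[pos]]
                supported = {struct.unpack(">H", body[i:i + 2])[0] for i in range(0, len(body), 2)}
            pos += elen
    if supported is None:               # pre-TLS 1.3 client: client_version is the highest it supports
        highest, offers_tls12 = legacy_ver, legacy_ver >= 0x0303
    else:                               # TLS 1.3-style client: the list is authoritative; ignore GREASE values
        known = {v for v in supported if v in VERSIONS}
        highest, offers_tls12 = max(known), 0x0303 in known
    return {"format": "tls", "record_version": VERSIONS.get(record_ver, hex(record_ver)),
            "highest": VERSIONS.get(highest, hex(highest)), "offers_tls12": offers_tls12}
```

A client whose ClientHello reports "highest": "TLS 1.0" will only ever negotiate when the server still allows TLS 1.0, which matches the behaviour reported later in this thread.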



  • 5.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 10, 2022 09:56 PM
    I have tried enabling 1.1 and 1.0; it works with 1.0 enabled.
    But the customer won't accept 1.0 anymore, as it was deprecated in 2020, they said.

    So we would like to try as best as we can to see what is wrong here.


  • 6.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 10, 2022 09:58 PM
    The Zoll specification is the Zoll AED 3 device.
    The date of production is around 5-6 years ago; I checked this one too, from the device itself.


  • 7.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 11, 2022 09:12 AM
    The only thing to do is contact Zoll for a firmware update or replace the device. There is nothing to do from a ClearPass perspective other than leave TLS 1.0 enabled.


  • 8.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 09, 2022 11:50 PM
    Zoll side has confirmed their firmware is the latest.

    As for how they tell it is the latest, I do not know. It is just what they said. I just have to trust them, right?


  • 9.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    EMPLOYEE
    Posted Aug 10, 2022 01:54 AM
    What EAP type are you using?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 10.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 10, 2022 09:53 PM
    EAP-PEAP


  • 11.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    EMPLOYEE
    Posted Aug 11, 2022 09:19 AM
    I would try a WPA2-PSK network if your security team would allow it. Very costly medical devices typically have much older, rarely updated supplicants that do not get patched, so many are difficult to work with different flavors of EAP. Since the wireless drivers are rarely updated, it also makes them more likely to break as standards are updated.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 12.  RE: Zoll Medical AED Device TLS 1.2 Handshake

    Posted Aug 12, 2022 02:02 AM
    Hello,

    If you want to switch to WPA2-PSK, don't forget the MPSK feature, which is very useful in those cases.

    Kind regards

    Christian