Controllerless Networks

We're seeing TLS Erros on our Guest ROLE with Android devices that have  been recently upgraded. We are runing EAP-PEAP with no phase2 for these BYOD devices. It was working prior to Android devices recieving thier updates. What's odd is in CPPM Access tracker the logs show a TLS error and it's EAP-PEAP. My understanding is there's not Cert passing right? If I add to the role EAP-FAST with MSCHAPv2 and select ROLE 1 on the Android device it looks like it authenticates but no role effectively passes from CPPM to teh controller but now address is offered to the device so it cycles through 802.1x again on the client. 

I'm wondering if anyone else is seeing this issue as well and what you've done to resolve it or if anyone would be kind enough to point me in the right direction to resolution. 

What version of CPPM do you have?

WE're on 6.2.6.62196.

The thing is, it was working fine in our environment with BYOD's and then I've had a tablet upgrade from KitKat to Lollipop and it broke EAP-PEAP and others have had the Nexus that went from Lollipop to Marshmallow. 

Super odd becasue we changed nothing. Do you think it's a version issue? Do you know of any release notes that explain the error? Here's what Error I get: 

2015-10-23 09:44:08,503 Th 15 Req 2647904 SessId R0004cf83-02-562a63d8 ERROR RadiusServer.Radius - TLS Alert read:fatal:handshake failure
2015-10-23 09:44:08,503 Th 15 Req 2647904 SessId R0004cf83-02-562a63d8 ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2015-10-23 09:44:08,503 Th 15 Req 2647904 SessId R0004cf83-02-562a63d8 ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

PS we're using our own Certificate with our own root authority.

Android Marshmallow (6.0) now only supports TLS 1.2

https://code.google.com/p/android/issues/detail?id=188867&q=label%3AReportedBy-User&colspec=ID%20Type%20Status%20Owner%20Summary%20Stars

Clearpass 6.5.2 supports TLS 1.2 starting in 6.5.2  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-EAP-TLS-1-2-support/m-p/228350/highlight/true#M18721

You have to upgrade Clearpass to support marshmallow....

Okay, thank you that solve's our Marshmallow issue and will look to that. 

The Lollipop issue is sparse however. I've a Galaxy S6 Edge on the network that works just fine but then I've a Galaxay Note Pro 12.2 that after upgrading to the latest code from Vzn is having the TLS issue I posted. is it possible that the Note Pro got it's TLS upgraded to version 1.2 as well? 

Thank you for the prompt responses!

I honestly do not know.  If it is an older device, chances are there is no value in switching to TLS 1.2 before marshmallow.

P.S. the Galaxy Note Pro 12.2 version was upgraded to P905VVRUBOH1. for those who would like to know. I've requests into Verizon to make sure that this version did not get a TLS 1.2 UG either. 

Hi,

I am in the same version 6.2.6.62196  of you and having issues with android 5.1.1 devices not getting pass by 802.1x

I think i also need to upgrade to 6.5.2. Do you upgrade yours?

I am a little preocupied because of the requirements.

Hope you can help

Thanks

Just some clarification to assist with your troubleshooting:

- You always have to have a phase 2 authentication method with PEAP. Commonly it's EAP-MSCHAPv2 but EAP-GTC can also be used.

- Be careful with just changing authentication methods like that (PEAP to EAP-FAST). Each authentication method has quirks and considerations that have to be carefully addressed/planned for.

Can you please post the error message from Access Tracker?

Are you using a publicly or privately/self-signed RADIUS server certificate?