Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Android EAP-TLS Client not sending Intermediate Certificate

  • 1.  Android EAP-TLS Client not sending Intermediate Certificate

    Posted Nov 06, 2019 11:17 AM

    I'll preface this by saying I do not believe this to be an issue with ClearPass, but hoping someone has dealt with similar.


    We're introducing an intermediate certificate to our client certificate chain and are unable to authenticate against our EAP-TLS service after installing the new client certificate. I am of the opinion that we should not have to trust each intermediate certificate and that the client is responsible for providing a sufficient chain back to our trusted CA, but I can't seem to make the client send the intermediate certificate along during the authentication. Here's a screenshot:

    Screen Shot 2019-11-06 at 11.08.11 AM.png

    Access tracker shows "EAP-TLS: fatal alert by server - unknown_ca" -- expected because we don't trust the intermediate.


    I'm sideloading PKCS#12 files for testing. I've tried including the intermediate (didn't work), including intermediate and root (didn't work).


    How do we force the Android to send its full chain?



  • 2.  RE: Android EAP-TLS Client not sending Intermediate Certificate

    EMPLOYEE
    Posted Nov 06, 2019 11:49 AM

    It should never be expected that a client send any part of the chain.



  • 3.  RE: Android EAP-TLS Client not sending Intermediate Certificate

    Posted Nov 06, 2019 12:46 PM

    Alright, humor me.


    If I'm expected to trust every issuer, rather than the trusted/offline/secure root CA, doesn't that break the "web of trust" that is the basis of TLS? It reduces our security posture by explicitly trusting a potentially less secure intermediate vs the root certificate and requires additional overhead of maintaining intermediate issuers vs a short list of trusted authorities.


    In HTTPS, for example, if I maintain a server that does not include the full certificate chain (up to, but not including, the root), I would call that a misconfigured server (and so would many online TLS tests). Why would it be different for the client certificate validation in mutual TLS?



  • 4.  RE: Android EAP-TLS Client not sending Intermediate Certificate

    EMPLOYEE
    Posted Nov 06, 2019 02:22 PM

    Not really. Just having the intermediate does not complete trust. You still need the root, so it doesn't change security posture in any way. Ideally, all client devices would send an intermediate, but technically the intermediate isn't required to authenticate with a client cert, so behavior will vary.


    Regarding HTTPS, not really a good comparison as client side identity is not commonly used. Intermediate is expected to be sent as part of a server identity. Server configuration is usually much more tightly controlled than a client.



  • 5.  RE: Android EAP-TLS Client not sending Intermediate Certificate

    Posted Jul 13, 2020 09:39 AM

    Daniel - did you ever get a solution for this? We are seeing the same thing - Android device is only sending 1 certificate (the user certificate from our enterprise CA) when using EAP-TLS for wifi authentication. However an iOS device that successfully connects sends all 3 certs (user cert, intermediate cert and root cert from our enterprise CA).



  • 6.  RE: Android EAP-TLS Client not sending Intermediate Certificate

    Posted Jul 13, 2020 12:10 PM

    Clients are not required to send the chain. Just add all certs in the chain to the CPPM trust list for EAP.
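The three situations discussed in this thread (Android sending only the leaf, iOS sending the intermediate too, and the fix of adding the intermediate to the server's trust list) can be reproduced locally with `openssl verify`. This is an added example, not code from the thread or from ClearPass; the three-tier PKI, all CNs and file names are constructed for the demonstration, and `-untrusted` stands in for the intermediate(s) a client includes in its TLS Certificate message.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unknown_ca" situation
# with openssl verify. The PKI and all names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Offline root CA: the only cert the RADIUS server is assumed to trust at first.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 2 -out root.pem 2>/dev/null

# Issuing (intermediate) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Issuing CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out inter.pem 2>/dev/null

# Client (EAP-TLS user) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=android-user" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null

# Server-side trust list holding root AND intermediate (the fix from reply 6).
cat root.pem inter.pem > trust_root_and_inter.pem

# verify_leaf TRUST_FILE [CHAIN_SENT_BY_CLIENT]
# Prints "ok" when leaf.pem chains to a trusted root, "fail" otherwise.
# The optional second file plays the intermediate(s) the client sends along.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "Leaf only, server trusts root only (Android case):        $(verify_leaf root.pem)"
echo "Leaf + intermediate, server trusts root only (iOS case):  $(verify_leaf root.pem inter.pem)"
echo "Leaf only, server trusts root + intermediate (the fix):   $(verify_leaf trust_root_and_inter.pem)"
```

The first case is the local analogue of the "fatal alert by server - unknown_ca" seen in Access Tracker: the server cannot build a path from the leaf to anything it trusts unless the intermediate arrives either from the client or from its own trust list.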