Security

last person joined: 23 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

CPPM Radius - Timeouts, Reject and Accept for same user

This thread has been viewed 5 times

  • 1.  CPPM Radius - Timeouts, Reject and Accept for same user

    Posted May 28, 2020 10:36 AM

    Hi ,

     

    I have been configuring ClearPass as radius server.  We have used our own CA and InTune to deploy certs to users.

     

    It works for both windows and mac however see TLS errors sometimes with the username being passed rather than username@domain.com - then it will try a second again later with username@domain.com and be succesful.  I have no idea why it is doing this or if there is some sort of retry logic enabled.  Below is a screenshot of what I mean all for the same user:

     

    Screenshot at May 28 15-29-20.png

     

    Logs show: 

     

    RADIUS	EAP-TLS: client certificate CN/SAN comparison failure
EAP-TLS: fatal alert by server - internal_error
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session

     

    And the detailed logs show:

     

    2020-05-28 14:57:41,274	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] ERROR RadiusServer.Radius - TLS Alert write:fatal:internal error
2020-05-28 14:57:41,274	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] INFO RadiusServer.Radius - TLS_accept:error in error
2020-05-28 14:57:41,275	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
2020-05-28 14:57:41,275	[Th 23 Req 795 SessId R0000008f-01-5ecfc354] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

     

    Any help would be greatly appreicated.

     

    Thanks



  • 2.  RE: CPPM Radius - Timeouts, Reject and Accept for same user

    EMPLOYEE
    Posted May 29, 2020 05:11 AM

    What do you have as authentication server(s) behind this service? The messages may suggest that (one of) the authentication/authorization servers are slow/not responding. As it works shortly after the availability may be intermittent.

     

    In general, if I see 'internal errors', I would work with Aruba support as based on just the available information it is unlikely to find a solution.



  • 3.  RE: CPPM Radius - Timeouts, Reject and Accept for same user

    Posted May 29, 2020 05:18 AM

    Do you mean what are the authentication sources that are used?


    They are Microsoft Graph and Microsoft InTune depending on what is authentication however it pulls back the data for these it just seems like the certificate authentication is failing.

     

    I have two ClearPass servers in AWS publisher and subscriber.  Certain users seem to be fine and then others seem to have this strange issue.  

     



  • 4.  RE: CPPM Radius - Timeouts, Reject and Accept for same user

    EMPLOYEE
    Posted May 29, 2020 05:37 AM

    What triggered me was the: 

    EAP-TLS: client certificate CN/SAN comparison failure
EAP-TLS: fatal alert by server - internal_error

     This indicates to me that the certificate in itself is fine, but the 'Authorisation' or validation to the authentication source did not work for some reason. Because it is intermittent, I suspect that the authentication servers are sometimes responding and not (or late) in other moments.

     

    You could replace your EAP-TLS authentication method by one that has disabled the authorization checkbox. It may then continue and explain what is more specifically failing. Be careful that if you disable authorization that there is no longer a check between the certificate and a corresponding account in AD (or whichever authentication source you used).