
EAP-TLS Auth with CPPM Failing

Hi all,

 

Having some trouble getting EAP-TLS working properly. We have never used it in the past, always EAP-PEAP. I modified our 802.1X service to allow [EAP-TLS] and the policy looks to be working properly. However, the requests are still failing due to the following errors in the logs:

 

[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

 

Any suggestions on what I can look at?

 

I have added the certs from the domain that are used on the device into the trust list in CPPM and added the RADIUS cert onto the device to trust our CPPM server as well. Tried disabling TLS 1.2 but it did not make a difference. We still support TLS 1.0 and 1.1 as well in cluster-wide parameters.

 

Not sure what else could be causing it not to complete the SSL connection.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Guru Elite

Re: EAP-TLS Auth with CPPM Failing

No client cert is being presented by the client.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
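
The diagnosis above can be read from the handshake state named in the `TLS_accept:failed` log line. As an added example (not part of any post in this thread and not Aruba code), this Python triage groups such log lines by SessId and reports where each handshake stopped; the function name and hint wording are this example's own assumptions, and the sample input is the log quoted in the question.

```python
import re
from collections import defaultdict

# Sample input: the four log lines quoted in the question above.
SAMPLE_LOG = """\
[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
2019-02-21 09:57:28,022[Th 1340 Req 2212772 SessId R000c52f8-24-5c6ebc57] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

LINE_RE = re.compile(r"SessId ([^\]\s]+)\] ERROR RadiusServer\.Radius - (.*)$")
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")
STATE_RE = re.compile(r"TLS_accept:failed in SSLv3 (.+)$")
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# Exact-match hints (wording is this example's own). Only the state discussed
# in this thread is mapped; any other state is reported as unmapped.
HINTS = {
    "read client certificate A": "server was waiting for the client certificate and none "
                                 "arrived; check the certificate the supplicant profile presents",
}

def triage(log_text):
    """Group RADIUS TLS errors by SessId and report where each handshake stopped."""
    sessions = defaultdict(lambda: {"alerts": [], "state": None, "hint": None,
                                    "openssl_error": None, "peer_closed": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not a RadiusServer.Radius error line
        entry, msg = sessions[m.group(1)], m.group(2)
        if (a := ALERT_RE.match(msg)):
            entry["alerts"].append(a.groups())  # (direction, level, description)
            # "read" means the alert was received from the peer (the supplicant)
            entry["peer_closed"] |= a.group(1) == "read" and a.group(3) == "close notify"
        elif (s := STATE_RE.match(msg)):
            entry["state"] = s.group(1)
            entry["hint"] = HINTS.get(s.group(1), "state not mapped in this example")
        elif (e := ERROR_RE.search(msg)):
            entry["openssl_error"] = e.group(1)
    return dict(sessions)

if __name__ == "__main__":
    for sess, info in triage(SAMPLE_LOG).items():
        print(sess, "| stopped at:", info["state"], "|", info["hint"])
```
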
MVP Expert

Re: EAP-TLS Auth with CPPM Failing

So we're pushing the configuration through Microsoft Intune. I know this isn't Microsoft's forum, but any recommendations on how to have it do that?



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
MVP Expert

Re: EAP-TLS Auth with CPPM Failing

I was able to finally get this resolved and wanted to share my findings - 

 

We ended up getting a cert issued by our internal enterprise CA and added that as a Service Certificate and applied it to a new service for testing. On the Microsoft Intune side, the WiFi configuration required all of the names on the certificate including CN and ALL SANs, which apparently sounds like an iOS requirement. We also need to have the trusted root certificate from the enterprise CA.

 

Now the EAP-TLS auths are successful.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!