MVP

EAP Transaction Timeout and Trusted Certificates on Windows Clients

Hi Everyone,

So a little warning before I get started: this will probably be an incredibly long-winded explanation!

We were experiencing some strange issues at one of our sites with a new SSID we set up, where our clients would time out when trying to connect. After working with TAC, we discovered that it was a certificate-related issue. We are using a GoDaddy certificate for the RADIUS communication. The Aruba tech noticed in the Access-Challenge phase that there was a certificate involved in the authentication process that was not trusted by our clients. See screenshot below.

2018-02-23_16h06_29.png

During the troubleshooting we were adding certificates all over the place until we were eventually able to get the clients to connect reliably. Unfortunately, we added a bunch of certificates that shouldn't have been added to the Windows trust stores, because it created duplicate entries, which then led to additional problems.

 

I have now figured out a way to clean up all of the duplicates (I was very nervous about deleting them once I had distributed them), and now I am trying to figure out in what trust store I should put this certificate.

I am guessing that I should be placing it under the "Trusted Root Certificate Authorities". It could also go under the "Intermediate Certification Authorities".

2018-02-23_16h22_37.png

I am curious if anyone knows in what certificate store I should be placing this certificate?

 

Cheers

Guru Elite

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

The only certificate that needs to be in your root store (and should be there by default) is the “Go Daddy Class 2 Certificate Authority”.

Is it there?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

It is there, yes. And it was there by default.

Unfortunately, during the testing with the Aruba tech we added some certs into places where they shouldn't have been (including the default one).

It seems though that having that certificate isn't enough to trust the connection. During our testing, as soon as we added the Go Daddy Secure... cert, the connection started working.

I have started to notice as well that it is starting to affect our wired connections. We use ClearPass to protect both our wireless and wired ports.

This is why I am curious if we really are required to distribute the Go Daddy Secure certificate to all of our clients.

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

Your RADIUS server should send its own server certificate and, in addition, all intermediates that lead up to the root CA that should already be in the client. This is similar to HTTPS and in most cases is called a certificate chain.

You did not mention what RADIUS server you are using. ClearPass will require you to import all intermediate certs and the root (if it is not yet in the default store), and based on that it automatically creates the chain. Other servers may require you to manually add the intermediates.

In summary: the root CA should be in your clients already; the server will send all intermediate certificates to the client together with its own server certificate, which allows the client to construct the full chain of trust towards the root.

If your root CA is not known/trusted in the clients, you probably would like to change certificate authority to one that is trusted by your clients, or indeed distribute the root certificate to each client (which can be a challenge).

What RADIUS server are you using? Did you configure it to send the chain of intermediates?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
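The chain-building behaviour described in the reply above can be reproduced on the command line. The following script is an added example, not code from any poster in this thread or from Aruba: it creates a throwaway three-tier chain with openssl (root, issuing/intermediate CA, RADIUS server certificate; all names are constructed, e.g. radius.example.invalid) and then runs the three client-side situations the thread discusses: a client that trusts only the root and receives only the server certificate (fails), a client that trusts only the root and receives the server certificate plus the intermediate (succeeds), and a client that has both the root and the intermediate in its own trust store, which is the workaround of pushing the issuing CA to every client (succeeds even when the server omits the intermediate).

```shell
#!/bin/sh
# Added example: demonstrate why an 802.1X/EAP client that trusts only the
# root CA still depends on the RADIUS server sending its intermediate CA.
# Requires the openssl CLI. All certificates and names below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA certificates and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.invalid\n' > server.ext

# newcsr <basename> <subject>: fresh 2048-bit RSA key plus a CSR.
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}
newcsr root   "/CN=Example Root CA"          # stands in for the public root (Go Daddy Root G2 in the thread)
newcsr int    "/CN=Example Issuing CA"       # stands in for the intermediate (Go Daddy Secure CA - G2)
newcsr server "/CN=radius.example.invalid"   # stands in for the ClearPass RADIUS server certificate

# Root is self-signed; intermediate is signed by root; server is signed by intermediate.
openssl x509 -req -in root.csr   -signkey root.key -days 30 -extfile ca.ext     -out root.pem   2>/dev/null
openssl x509 -req -in int.csr    -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext     -out int.pem    2>/dev/null
openssl x509 -req -in server.csr -CA int.pem  -CAkey int.key  -CAcreateserial -days 30 -extfile server.ext -out server.pem 2>/dev/null

# What a correctly configured RADIUS server presents in the EAP-TLS/PEAP handshake:
# its own certificate followed by the intermediate(s), never the root.
cat server.pem int.pem > server_chain.pem

# What the OP ended up doing on the Windows clients: trusting the issuing CA too.
cat root.pem int.pem > client_store_with_intermediate.pem

# Scenario 1: client trusts only the root, server sends only its leaf certificate.
# This is the failure the thread describes (chain cannot reach the root).
verify_server_only() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Scenario 2: client trusts only the root, server sends leaf + intermediate.
# -untrusted supplies the chain exactly as a client receives it from the server.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted server_chain.pem server.pem >/dev/null 2>&1
}

# Scenario 3: client trusts root AND intermediate locally, server sends only its leaf.
# Works, but every client now carries a CA it should not need to distribute.
verify_with_client_side_intermediate() {
  openssl verify -CAfile client_store_with_intermediate.pem server.pem >/dev/null 2>&1
}

report() { # report <label> <function>
  if "$2"; then echo "$1: chain verified"; else echo "$1: verification FAILED"; fi
}
report "root trusted, server sends leaf only            " verify_server_only
report "root trusted, server sends leaf + intermediate  " verify_with_chain
report "root + intermediate trusted, server sends leaf  " verify_with_client_side_intermediate
```

The first line of output is the thread's symptom: with only the root in the client store and no intermediate on the wire, verification fails, which on a Windows supplicant surfaces as a rejected server certificate or an EAP timeout rather than a clear error. The third line is the workaround the OP applied; it works, but the second line is the configuration the reply recommends, because it keeps client trust stores limited to the public root. To inspect what a real server actually sends, the same -untrusted argument can be pointed at the certificate bundle exported from the RADIUS server.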
MVP

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

Hi,

Sorry, I should have included this detail in the original post.

What RADIUS server are you using?

  • We are using ClearPass version 6.6.8

Did you configure it to send the chain of intermediates?

  • I am not entirely sure what you mean by this. I am assuming this is in regards to which certificates you upload into ClearPass?
  • I can say that I have imported the entire certificate chain into the CPPM and set the RADIUS certificate as our commercially signed CA.
    2018-02-26_08h20_55.png
  • I also imported the chain under Administration > Certificates > Trust List. All certificates in the chain are listed in the Trust List.

On our clients, the following two certificates are already present and trusted by default.

  • Go Daddy Class 2 Certification Authority
  • Go Daddy Root Certificate Authority - G2

In the wireless profile pushed by GP, I have set the policy to trust both of these certificates.

The only certificate in question now is the Go Daddy Secure Certificate Authority - G2. This certificate is not in any of the Windows certificate stores.

Given your explanation, it would appear that the clients only need to trust the root CA (Go Daddy Class 2 Certification Authority).

While I was testing with the Aruba tech, we did a test and disabled "Verify the server's identity by validating the certificate". When we did this, the clients were able to connect successfully, leading us down the path that there is a certificate issue.

When we added the Go Daddy Secure Certificate Authority - G2 to the trust store on the clients, the clients were then able to connect. Would this then indicate that ClearPass itself is not correctly sending the intermediate CAs?

Based on the Wireshark screenshot above though, it appears as though the server is sending the entire chain, but the client is not responding.

Any ideas as to where the issues may be?

Guru Elite

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

Please post the full chain here (just the public keys).

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

This is what the full chain looks like from the client side:

2018-02-23_16h22_37.png

This is the root Go Daddy CA

# openssl x509 -in godaddyroot.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Validity
            Not Before: Jun 29 17:06:20 2004 GMT
            Not After : Jun 29 17:06:20 2034 GMT
        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:9d:d7:ea:57:18:49:a1:5b:eb:d7:5f:48:86:
                    ea:be:dd:ff:e4:ef:67:1c:f4:65:68:b3:57:71:a0:
                    5e:77:bb:ed:9b:49:e9:70:80:3d:56:18:63:08:6f:
                    da:f2:cc:d0:3f:7f:02:54:22:54:10:d8:b2:81:d4:
                    c0:75:3d:4b:7f:c7:77:c3:3e:78:ab:1a:03:b5:20:
                    6b:2f:6a:2b:b1:c5:88:7e:c4:bb:1e:b0:c1:d8:45:
                    27:6f:aa:37:58:f7:87:26:d7:d8:2d:f6:a9:17:b7:
                    1f:72:36:4e:a6:17:3f:65:98:92:db:2a:6e:5d:a2:
                    fe:88:e0:0b:de:7f:e5:8d:15:e1:eb:cb:3a:d5:e2:
                    12:a2:13:2d:d8:8e:af:5f:12:3d:a0:08:05:08:b6:
                    5c:a5:65:38:04:45:99:1e:a3:60:60:74:c5:41:a5:
                    72:62:1b:62:c5:1f:6f:5f:1a:42:be:02:51:65:a8:
                    ae:23:18:6a:fc:78:03:a9:4d:7f:80:c3:fa:ab:5a:
                    fc:a1:40:a4:ca:19:16:fe:b2:c8:ef:5e:73:0d:ee:
                    77:bd:9a:f6:79:98:bc:b1:07:67:a2:15:0d:dd:a0:
                    58:c6:44:7b:0a:3e:62:28:5f:ba:41:07:53:58:cf:
                    11:7e:38:74:c5:f8:ff:b5:69:90:8f:84:74:ea:97:
                    1b:af
                Exponent: 3 (0x3)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
            X509v3 Authority Key Identifier:
                keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
                DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         32:4b:f3:b2:ca:3e:91:fc:12:c6:a1:07:8c:8e:77:a0:33:06:
         14:5c:90:1e:18:f7:08:a6:3d:0a:19:f9:87:80:11:6e:69:e4:
         96:17:30:ff:34:91:63:72:38:ee:cc:1c:01:a3:1d:94:28:a4:
         31:f6:7a:c4:54:d7:f6:e5:31:58:03:a2:cc:ce:62:db:94:45:
         73:b5:bf:45:c9:24:b5:d5:82:02:ad:23:79:69:8d:b8:b6:4d:
         ce:cf:4c:ca:33:23:e8:1c:88:aa:9d:8b:41:6e:16:c9:20:e5:
         89:9e:cd:3b:da:70:f7:7e:99:26:20:14:54:25:ab:6e:73:85:
         e6:9b:21:9d:0a:6c:82:0e:a8:f8:c2:0c:fa:10:1e:6c:96:ef:
         87:0d:c4:0f:61:8b:ad:ee:83:2b:95:f8:8e:92:84:72:39:eb:
         20:ea:83:ed:83:cd:97:6e:08:bc:eb:4e:26:b6:73:2b:e4:d3:
         f6:4c:fe:26:71:e2:61:11:74:4a:ff:57:1a:87:0f:75:48:2e:
         cf:51:69:17:a0:02:12:61:95:d5:d1:40:b2:10:4c:ee:c4:ac:
         10:43:a6:a5:9e:0a:d5:95:62:9a:0d:cf:88:82:c5:32:0c:e4:
         2b:9f:45:e6:0d:9f:28:9c:b1:b9:2a:5a:57:ad:37:0f:af:1d:
         7f:db:bd:9f

 

This is the guts of the Go Daddy cert bundle minus the root CA

# openssl x509 -in gd_bundle-g2-g1.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2
        Validity
            Not Before: May  3 07:00:00 2011 GMT
            Not After : May  3 07:00:00 2031 GMT
        Subject: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:e0:cb:10:d4:af:76:bd:d4:93:62:eb:30:64:
                    b8:81:08:6c:c3:04:d9:62:17:8e:2f:ff:3e:65:cf:
                    8f:ce:62:e6:3c:52:1c:da:16:45:4b:55:ab:78:6b:
                    63:83:62:90:ce:0f:69:6c:99:c8:1a:14:8b:4c:cc:
                    45:33:ea:88:dc:9e:a3:af:2b:fe:80:61:9d:79:57:
                    c4:cf:2e:f4:3f:30:3c:5d:47:fc:9a:16:bc:c3:37:
                    96:41:51:8e:11:4b:54:f8:28:be:d0:8c:be:f0:30:
                    38:1e:f3:b0:26:f8:66:47:63:6d:de:71:26:47:8f:
                    38:47:53:d1:46:1d:b4:e3:dc:00:ea:45:ac:bd:bc:
                    71:d9:aa:6f:00:db:db:cd:30:3a:79:4f:5f:4c:47:
                    f8:1d:ef:5b:c2:c4:9d:60:3b:b1:b2:43:91:d8:a4:
                    33:4e:ea:b3:d6:27:4f:ad:25:8a:a5:c6:f4:d5:d0:
                    a6:ae:74:05:64:57:88:b5:44:55:d4:2d:2a:3a:3e:
                    f8:b8:bd:e9:32:0a:02:94:64:c4:16:3a:50:f1:4a:
                    ae:e7:79:33:af:0c:20:07:7f:e8:df:04:39:c2:69:
                    02:6c:63:52:fa:77:c1:1b:c8:74:87:c8:b9:93:18:
                    50:54:35:4b:69:4e:bc:3b:d3:49:2e:1f:dc:c1:d2:
                    52:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
            X509v3 Authority Key Identifier:
                keyid:3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE

            Authority Information Access:
                OCSP - URI:http://ocsp.godaddy.com/

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.godaddy.com/gdroot-g2.crl

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://certs.godaddy.com/repository/

    Signature Algorithm: sha256WithRSAEncryption
         08:7e:6c:93:10:c8:38:b8:96:a9:90:4b:ff:a1:5f:4f:04:ef:
         6c:3e:9c:88:06:c9:50:8f:a6:73:f7:57:31:1b:be:bc:e4:2f:
         db:f8:ba:d3:5b:e0:b4:e7:e6:79:62:0e:0c:a2:d7:6a:63:73:
         31:b5:f5:a8:48:a4:3b:08:2d:a2:5d:90:d7:b4:7c:25:4f:11:
         56:30:c4:b6:44:9d:7b:2c:9d:e5:5e:e6:ef:0c:61:aa:bf:e4:
         2a:1b:ee:84:9e:b8:83:7d:c1:43:ce:44:a7:13:70:0d:91:1f:
         f4:c8:13:ad:83:60:d9:d8:72:a8:73:24:1e:b5:ac:22:0e:ca:
         17:89:62:58:44:1b:ab:89:25:01:00:0f:cd:c4:1b:62:db:51:
         b4:d3:0f:51:2a:9b:f4:bc:73:fc:76:ce:36:a4:cd:d9:d8:2c:
         ea:ae:9b:f5:2a:b2:90:d1:4d:75:18:8a:3f:8a:41:90:23:7d:
         5b:4b:fe:a4:03:58:9b:46:b2:c3:60:60:83:f8:7d:50:41:ce:
         c2:a1:90:c3:bb:ef:02:2f:d2:15:54:ee:44:15:d9:0a:ae:a7:
         8a:33:ed:b1:2d:76:36:26:dc:04:eb:9f:f7:61:1f:15:dc:87:
         6f:ee:46:96:28:ad:a1:26:7d:0a:09:a7:2e:04:a3:8d:bc:f8:
         bc:04:30:01

Hopefully this is what you were after. Let me know if there are any additional details I can provide.

Guru Elite

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

Please export the chain from ClearPass and upload (no private key).

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP

Re: EAP Transaction Timeout and Trusted Certificates on Windows Clients

I am stupid, sorry. I will upload it.

I will send you the pwd for the zip via PM.

Looking at the certificate, it appears that the root CA is not shown in the chain. Is this normal?
