Security

CPPM 6.6.5.93247

When trying to confure PEAP-MSCHAPv2 or EAP-TLS I cannot get a successful authentication when I disable TLS1.0 on the cluster-wide settings. upon further investigation it appears clients (Both Mac and Windows) initiate the Server certificate validation (part of EAP) with TLS 1.0, with this disabled in clearpass the request eventually times out. I did find the following registry hack form Microsoft that will fix Windows Boxes (https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows) but there is not fix for MAC (That I am aware of) am I the only one disabling TLS 1.0????

TLS Handshake failed in SSL_read with error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
eap-tls: Error in establishing TLS session

Hi,

From 6.6.x version , default TLSv1 will be in disabel state, whether to use this version or not is all depend on cusotmer.

If you have any legacy devices, it will use TLSv1 during authentication negotation it is device specific. We need to allow TLSv1 in CPPM for authentication to work , if deivces looking for TLSv1.

Regards,

Pavan

Pavan,

thanks for the information, since I am configuring CPPM to disable TLS 1.0 does that mean it will not negotiate with the client? what is the release/lifecycle information for 6.3 and 6.6.x ?

THX!

Tim,

Are there any documents I can reference for that information?

Ha. It's Apple. 😉

Nothing that I know of.