
TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

  • 1.  TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    Posted Jan 04, 2016 06:14 AM

    Hi Guys,

    I'm having an issue while onboarding. Other devices except Apple's work fine.

    This issue appears after the onboarding process has completed and the client attempts to connect with EAP-TLS.

    The authentication and enforcement seem to work fine, but with an alert causing the user association to fail.

    This is the alert:

    RADIUS  EAP-TLS: warning alert by client - close_notify
    eap-tls: Error in establishing TLS session

    I have seen another thread suggesting to configure the network trust policy to 'manually configure', which I already did, but the error still appears.

    Any suggestions?

     

    Ricky Lie

    CWNA, ACMP

     



  • 2.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    EMPLOYEE
    Posted Jan 04, 2016 06:17 AM
    What version of ClearPass?

    Sent from Nine


  • 3.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    EMPLOYEE
    Posted Jan 04, 2016 06:18 AM

    The error means the client doesn't trust the server cert being presented. 



  • 4.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    Posted Jan 21, 2016 04:38 AM

    Bump.

    I just upgraded the server to 6.5.5.78974 but the same error still occurs.

    I already set the server trust to manual and input both ClearPass and the CA server there to be trusted (my CPPM server is an intermediate CA server).

    This issue only appears on iOS9, on either iPhone5 or iPhone6; iPhone4/5 running iOS8 or lower works well.

    Anyone got any clue how to fix this?

     

    Ricky



  • 5.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    Posted Jan 21, 2016 04:53 AM

    These are the 4 lines showing the error in the logs from debugging.

     

    2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
    2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
    2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
    2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

    Ricky,
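
Added example, not part of the original thread and not ClearPass code: a small Python parser for the debug lines quoted in post 5 that groups them by SessId and records which side sent each TLS alert and in which handshake state the server gave up. It assumes the line layout shown above and the OpenSSL convention that "read" marks an alert the server received; the second session in the sample is constructed.

```python
import re
from collections import defaultdict

# The first three lines are the ones posted in the thread; the last two
# (session R-constructed-01) are constructed to show a server-sent alert.
SAMPLE_LOG = """\
2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2016-01-21 08:44:30,036[Th 34 Req 10833 SessId R000004e9-13-56a037fd] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
2016-01-21 08:45:02,511[Th 35 Req 10840 SessId R-constructed-01] ERROR RadiusServer.Radius - TLS Alert write:fatal:certificate expired
2016-01-21 08:45:02,511[Th 35 Req 10840 SessId R-constructed-01] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

LINE_RE = re.compile(
    r"^\S+ \S+\[Th \d+ Req (?P<req>\d+) SessId (?P<sess>[^\]]+)\] "
    r"(?P<level>[A-Z]+) \S+ - (?P<msg>.*)$")
ALERT_RE = re.compile(r"TLS Alert (read|write):(warning|fatal):(.+)")
STATE_RE = re.compile(r"TLS_accept:failed in (.+)")

def summarize(log_text):
    """Group EAP-TLS errors by SessId and record who sent each alert."""
    sessions = defaultdict(lambda: {"alerts": [], "failed_state": None,
                                    "handshake_failed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout; skip rather than guess
        s, msg = sessions[m["sess"]], m["msg"]
        if (a := ALERT_RE.search(msg)):
            # "read" = alert received by the server, i.e. sent by the client
            sender = "client" if a[1] == "read" else "server"
            s["alerts"].append((sender, a[2], a[3].strip()))
        elif (st := STATE_RE.search(msg)):
            s["failed_state"] = st[1].strip()
        elif "TLS Handshake failed" in msg:
            s["handshake_failed"] = True
    return dict(sessions)

def client_aborted_before_own_cert(info):
    """True when the client sent an alert while the server was still waiting
    for the client certificate, the pattern quoted in the thread."""
    return (info["handshake_failed"]
            and any(sender == "client" for sender, _, _ in info["alerts"])
            and "read client certificate" in (info["failed_state"] or ""))

if __name__ == "__main__":
    for sess, info in summarize(SAMPLE_LOG).items():
        print(sess, info, client_aborted_before_own_cert(info))
```

A session flagged by `client_aborted_before_own_cert` stopped after the server had presented its certificate and before the client sent its own, which is the case the replies in this thread attribute to the device not trusting the server certificate chain.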



  • 6.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    EMPLOYEE
    Posted Jan 21, 2016 05:03 AM
    Again, this is a client issue where the device does not have the full trust chain installed. There is nothing to do on the CPPM side except make sure you have included the full chain on the mobile device if you onboarded them. Some certs have more than one intermediate cert, so you will need to make sure you include all of them.


  • 7.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    Posted Jan 21, 2016 05:18 AM

    Hi Tarnold,

     

    Could you explain more about: "make sure you have included the full chain on the mobile device if you onboarded them."?

    Does this mean both the client and server certificates?

    I have 6 ClearPass servers, all of which work as intermediate servers.

     

    Ricky



  • 8.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    EMPLOYEE
    Posted Jan 21, 2016 07:46 AM

    Hi Ricky,

     

    I believe Tory was talking about the Radius server certificate.

    Could you share the screen captures of the Radius Server certificate and Onboard >> Configuration >> Network Settings >> Trust?



  • 9.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    Posted Jan 21, 2016 10:00 PM

    Hi Saravanan,

     

    Attached.

    The name I input there is the root CA. My CPPM acts as an intermediate CA.

     

    Ricky

     



  • 10.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    EMPLOYEE
    Posted Jan 22, 2016 04:09 AM

    Hi Ricky,

     

    Can you attach the screen capture of the ClearPass Radius server certificate (Administration >> Certificates >> Server Certificates)? If possible, export the radius server cert and attach it.

    Can you also try removing the "Trusted Server Names" under Trust and test provisioning the iOS device?



  • 11.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    Posted Jan 25, 2016 12:16 AM

    Hi Saravanan,

    Sorry, I cannot attach it; it's my customer's private cert and contains vital information.

    I already made sure that the ClearPass server's root CA comes from the customer's AD root CA server,

    and the root CA is already listed in the trust cert.

     

    Ricky



  • 12.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify

    EMPLOYEE
    Posted Jan 25, 2016 09:52 AM

    Hi Ricky,

     

    What I want to confirm is the SAN entries in the radius certificate. I recently ran into the same issue with iOS devices when the Subject Alternative Name (DNS entries) in the radius certificate doesn't match the Trusted Server Names listed under Network Settings >> Trust.

    Did you try removing the following entries from the Trusted Server Names and then re-provisioning the iOS9 device?

     

    smig-NPSJKT01-CA

    *.smig.corp

    communications server

     

     

     



  • 13.  RE: TLS Auth Issue on iOS: AP-TLS: warning alert by client - close_notify
    Best Answer

    Posted Feb 11, 2016 11:05 PM

    All,

    I opened a TAC case and found the problem is in the trust chain configuration.

    I configured the CSR directly to the root CA, but TAC asked me to redo the CSR to ClearPass Onboard first as the subordinate.

    All iOS 9 devices can do TLS fine for now.