Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TLS Handshake Failure

  • 1.  TLS Handshake Failure

    Posted Jun 23, 2016 06:34 PM

    Hi Airheads,

    In the process of migrating from an old ClearPass deployment running 6.2.6 to a new one running the latest version of 6.6.

    For the Corp SSID we're trying to migrate, clients are using EAP-TLS with a domain-issued machine certificate to authenticate, with settings controlled by group policy. This is working when authenticating to the old ClearPass appliance.

    Trust chain is good, LDAP connection from new ClearPass appliance to the domain controller is working (using this for admin interface auth).

    When attempting a connection, Access Tracker is showing the below errors:

    RADIUS eap-tls: Error in establishing TLS session

    2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

    2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed

    Has anyone seen this before? Could it be to do with cipher support on the client?

    Same behaviour on Windows 7, 8.1, and 10.



  • 2.  RE: TLS Handshake Failure

    EMPLOYEE
    Posted Jun 23, 2016 06:37 PM
    You can try disabling TLS 1.2 and seeing if the behavior changes.

    Administration > Server Manager > Server Configuration > Service Parameters
    > RADIUS server > Disable TLS 1.2


  • 3.  RE: TLS Handshake Failure

    Posted Jun 23, 2016 07:42 PM

    Turns out the error message was caused because I had disabled TLS 1.0 in cluster-wide parameters.

    If I force a Windows 10 client to use TLS 1.2 via regedit it works.

    Based on this MS KB article I thought that ClearPass should be advertising it supports TLS 1.2 and the client should connect using this? (TLS 1.2 is NOT disabled in RADIUS server parameters).

    https://support.microsoft.com/en-nz/kb/3121002
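
Added example (not part of any post in this thread, and not ClearPass or Aruba code): a small triage helper that parses the Access Tracker lines quoted in the first post, decodes the packed OpenSSL error code, and flags sessions where a TLS version mismatch is the likely cause. The 8/12/12-bit code layout is the OpenSSL 1.0.x/1.1.x convention and is assumed here; the function names and the flagging rule are hypothetical.

```python
import re

# The two Access Tracker lines quoted in the first post, embedded as sample input.
SAMPLE_LOG = """\
2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-06-23 18:21:45,090 [Th 227 Req 1387679 SessId R00152c33-01-576b7ff7] ERROR RadiusServer.Radius - rlm_eap_tls: TLS Handshake failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[Th \d+ Req (?P<req>\d+) SessId (?P<sess>\S+)\] "
    r"(?P<level>\w+) (?P<src>\S+) - (?P<msg>.*)$")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def decode_error_code(hex_code):
    """Split a packed OpenSSL 1.0.x/1.1.x error code (assumed layout:
    8-bit library, 12-bit function, 12-bit reason)."""
    value = int(hex_code, 16)
    return {"lib": value >> 24, "func": (value >> 12) & 0xFFF, "reason": value & 0xFFF}


def triage(log_text):
    """Return one finding per RADIUS session that logged an OpenSSL error."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines
        err = ERR_RE.search(m["msg"])
        if not err:
            continue  # e.g. the generic "TLS Handshake failed" line
        code, _lib_name, func_name, reason = err.groups()
        finding = {"session": m["sess"], "request": int(m["req"]), "time": m["ts"],
                   "function": func_name, "reason": reason, **decode_error_code(code)}
        # Hypothetical triage rule based on the cause reported in the thread:
        # a ClientHello rejected as "unknown protocol" suggests that client and
        # server share no enabled TLS version.
        finding["version_mismatch_suspected"] = (
            func_name.endswith("GET_CLIENT_HELLO") and reason == "unknown protocol")
        findings.setdefault(m["sess"], finding)  # keep the first error per session
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A flagged session is a prompt to compare the TLS versions enabled in the RADIUS and cluster-wide parameters with the versions the supplicant is configured to offer.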



  • 4.  RE: TLS Handshake Failure

    Posted Oct 07, 2022 06:15 AM
    Thank you, I was stuck on the same issue with a Surface with Windows 8.1; after changing the registry it works very well.
    I

    ------------------------------
    Dario Nardello
    ACMP ACSP ACCP ACEP
    ------------------------------