MVP Expert

TLS authentication issue : EAP-TLS warning alert by client - close_notify

After the iOS device successfully passes the onboarding process, it is not able to authenticate.

I am able to authenticate Win7 and Android devices with no issues.

Cert issue?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Accepted Solutions

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Victor,

 

Based on the error, the client isn't trusting either the Root CA, Intermediate or server cert.

1. What version of CPPM?

2. Did you combine the three when you added them into CPPM?

3. You might need to change the network settings from auto to Manual on the trust.

Thank You,
Troy

MVP

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Had the same problem with iOS 7 clients only. Turned out to be a trust issue.

"My issue turned out to be a trust issue.

Guest > onboard+workspace > Onboard/MDM Configuration > Network Settings > *your profile* > Trust tab

I had selected to automatically configure trust settings.

Even though the CPPM SSL certificate included the entire chain, this wasn't working properly.

The fix was to change this to manually configure the trust settings. Cut up the server cert into its CA and intermediate CAs and upload those individually and then add them as trusted certificates."


Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found a post helpful or important? Click the "Thumbs Up" icon to give kudos.
-- Problem Solved? Click "Accept as Solution" in a post.

View solution in original post
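What "cutting up" the certificate file amounts to, as an added example that is not part of the original thread: Python code that splits a PEM bundle into one file per certificate, so each can be uploaded as a trusted certificate on its own. The function names, the `chain-N.pem` file names and the sample bundle (placeholder bytes, not real certificates) are assumptions made for the example.

```python
import base64
import hashlib
import os
import re

# Only certificate blocks match: private keys and the "Bag Attributes" text
# that PKCS#12 exports leave between blocks are skipped.
CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(bundle):
    """Return [(SHA-256 hex of the DER, normalized PEM), ...] in bundle order."""
    seen, certs = set(), []
    for match in CERT_RE.finditer(bundle):
        # Remove all whitespace so CRLF files and odd line wrapping decode.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:  # the same certificate pasted twice
            continue
        seen.add(fingerprint)
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append((fingerprint, "-----BEGIN CERTIFICATE-----\n" + body
                      + "\n-----END CERTIFICATE-----\n"))
    return certs


def write_individual(certs, directory="."):
    """Write each certificate to its own chain-N.pem for separate upload."""
    paths = []
    for n, (_, pem) in enumerate(certs, 1):
        paths.append(os.path.join(directory, f"chain-{n}.pem"))
        with open(paths[-1], "w", newline="\n") as fh:
            fh.write(pem)
    return paths


def fake_pem(label):
    """Constructed stand-in: placeholder bytes, not a real X.509 certificate."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(label * 10).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


# Constructed sample: CRLF endings, a key block, and one certificate repeated.
SAMPLE_BUNDLE = ("Bag Attributes\n    friendlyName: example\n" + fake_pem(b"server")
                 + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
                 + fake_pem(b"intermediate") + fake_pem(b"root")
                 + fake_pem(b"intermediate")).replace("\n", "\r\n")
```

The fingerprints returned alongside each PEM make it easy to confirm that every output file holds a distinct certificate before uploading.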

Aruba Employee

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

I have found the root cause for the failure. The Apple devices (I believe since iOS 8) seem to require the RADIUS server to be explicitly added to the "Trusted Server Names" list; otherwise the client rejects the server certificate. (Why couldn't ClearPass just add the CN and subject alternate name (DNS) from the RADIUS server certificate automatically?)

I assumed that the client would check the common name (CN), but instead I had to add the subject alternate name that has been used in the RADIUS server certificate (DNS:clearpass.networking.hpe.demo).

Automatically configured trusted server list did not work for some reason.

The "Configure Trust" setting could stay @ automatic. The OnBoard client installed all necessary certificates.

Hope that helps.

Regards,

Jens


All Replies
MVP Expert

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Thanks Troy,

1. What version of CPPM?

6.2.5.60869

2. Did you combine the three when you added them into CPPM?

I did

3. You might need to change the network settings from auto to Manual on the trust.

Just tried that but it didn't work; maybe I am missing something else.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP Expert

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Thanks koenv,

Sorry, I don't understand this part:

"Cut up the server cert into its CA and intermediate CAs and upload those individually and then add them as trusted certificates."

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP Expert

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

I'm golden now.

I had to tweak the different certs.

Thank you guys

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Awesome, this solved the issue for me on ver 6.3.1.4 with a GoDaddy cert which contained two intermediate CAs in the trust chain.

Chopped up the certs individually, uploaded as trusted cert, and selected manually in network settings as shown below.

Bam. Thank you!

Aruba Employee

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Hello,

I have the exact same issue in a lab and a customer environment running CP 6.5.5.78974.

All devices can successfully onboard (Windows, Android, Apple) but an iPhone cannot connect to the secure network. I get the already mentioned alert.

I already tried automatic and manual trust settings without success.

Looking at the iPhone certificate trust list, everything looks fine.

Can anyone help?

Thanks in advance.

Jens

Moderator

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

What is the root CA for your radius cert? 


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Aruba Employee

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

The root CA is a private Microsoft CA.

 

 
