Community Home > Discuss > Technology > Security > TLS authentication issue : EAP-TLS warning alert b...

Security

Reply
Guru Elite Guru Elite
Guru Elite
cappalli

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

‎01-30-2016 08:43 AM

Is the cert 2048-bit? 

Sent from Nine

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 11 of 15
2,404 Views
Reply
0 Kudos
Aruba Employee
Aruba Employee
jensfluegel

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

‎01-30-2016 08:58 AM

Yes, the root CA cert as well as the clearpass cert use 2048 bit keys.

 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:00:00:00:83:63:2a:5b:f5:5f:ae:0a:b3:00:01:00:00:00:83
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Validity
            Not Before: Jan 30 15:22:44 2016 GMT
            Not After : Jan 29 15:22:44 2018 GMT
        Subject: C=DE, ST=LS, L=Hannover, O=Hewlett Packard Enterprise, OU=HPE Aruba, CN=cppm01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:e8:4f:4c:ec:46:bc:52:50:b3:b3:cc:94:f9:
                    cc:c6:ff:92:fa:3e:40:f7:9c:55:06:b0:ea:9e:ed:
                    46:f4:51:c8:bf:54:71:a9:e1:a7:a3:cf:de:d9:a6:
                    f5:9f:ab:e4:1e:0b:66:36:ff:65:61:6a:7f:2a:fa:
                    7d:9b:f0:37:d9:27:73:ba:16:d9:a4:29:cb:17:c8:
                    0e:50:6b:ff:1e:f3:6f:35:37:2c:3f:88:dd:8e:57:
                    29:e0:cf:5f:4c:f0:6b:35:c5:78:a9:63:14:8a:63:
                    80:ee:6d:f1:33:03:56:62:b0:11:f9:45:72:c9:c8:
                    67:84:03:27:83:3b:3a:2d:d4:c8:7f:df:8a:d1:96:
                    a0:e6:11:34:69:9a:a2:f9:70:6e:b6:2a:77:b4:a6:
                    6d:13:e0:fc:db:e0:51:1d:e0:ee:bf:28:6c:bc:bb:
                    8c:c8:1f:9e:8f:cc:34:01:ee:2c:97:0c:5f:d8:20:
                    c3:98:b0:cd:ce:9a:4a:13:79:47:b3:ab:6f:30:06:
                    6e:50:92:08:83:6f:fe:2d:81:62:e0:2a:af:ad:23:
                    9c:5f:fa:39:58:5f:74:f6:e8:df:9e:13:24:9d:1b:
                    58:69:79:3f:a1:ea:ac:65:9f:d1:b5:5e:8c:b9:98:
                    ff:4c:dc:93:11:34:54:2d:ec:32:6e:13:ae:71:38:
                    34:c3
                Exponent: 65537 (0x10001)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:73:8e:08:85:cc:03:a6:42:bb:5e:96:5d:79:ec:d5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Validity
            Not Before: Jan 30 15:14:41 2016 GMT
            Not After : Jan 30 15:24:41 2036 GMT
        Subject: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8c:4a:be:8e:e4:2c:de:2e:91:db:e6:ff:12:1f:
                    df:05:72:d5:8b:75:3e:ba:57:ed:ef:0e:39:be:e9:
                    51:b5:10:6c:90:de:62:c0:3c:1f:ac:8e:ac:23:f5:
                    e0:52:c6:ef:78:40:1b:8e:37:8d:12:8f:88:bf:66:
                    4d:ed:75:56:5d:a4:63:1a:d2:f8:9c:bf:0a:d4:fa:
                    40:8c:03:4d:2d:af:ce:27:bb:72:c1:56:b5:53:3d:
                    5c:44:03:95:5c:9e:47:d2:6a:13:2f:e6:b8:70:f2:
                    38:42:d9:71:76:9d:e2:28:19:06:ad:c6:ae:c8:ca:
                    0f:52:19:ac:d1:67:de:7a:c4:c5:a3:e9:5c:35:c3:
                    da:45:a8:56:3f:ea:a3:5e:ae:1a:d0:e4:65:4f:bb:
                    c2:3f:ec:64:a7:7a:0e:bb:c9:56:d7:ed:57:56:a4:
                    5c:3a:0e:02:ac:2d:ed:96:aa:ff:4b:e1:63:1f:b1:
                    d3:78:b9:7b:80:f3:ec:2a:9d:aa:eb:cb:38:60:ed:
                    c9:24:b0:62:e9:a7:0f:51:07:d0:6d:3f:f9:00:13:
                    cf:2a:9b:17:34:c5:46:b9:2f:22:fd:ea:07:99:77:
                    38:c4:cc:b6:89:11:f9:6e:d6:1d:8a:9a:3b:77:4b:
                    de:29:39:18:9d:06:4d:26:45:d5:9e:07:e3:a8:b0:
                    b7:33
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
Alert a Moderator
Message 12 of 15
2,402 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

‎01-30-2016 09:04 AM

Do you see both the root and intermediate in the network config profile on the device? 

Sent from Nine

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 13 of 15
2,398 Views
Reply
0 Kudos
Aruba Employee
Aruba Employee
jensfluegel

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

‎01-30-2016 09:14 AM

Yes but there is no intermediate cert bedause the clearpass RADIUS cert is direclty issued by the root CA (its a test environment in this case).

The root CA cert as well as the clearpass RADIUS cert are installed and listed in the network config profile. That's why it looks strange to my. 

I also tryed the manual trust listbut the behaviour is the same.

 

Alert a Moderator
Message 14 of 15
2,397 Views
Reply
0 Kudos
Aruba Employee
Aruba Employee
jensfluegel

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

‎02-01-2016 01:57 PM

I have found the root cause for the failure. The apple devices (I believe since iOS 8) seems to require the RADIUS server explicitly to be added to the "Trusted Server Names" list otherwise the client rejects the server certificate. (Why couldn't Clearpass just add the CN and subject alternate name (DNS)  from the RADIUS server certificate automatically?)

I assumed that the client would check the common name (CN) but instead I had to add the subject alternat name that has been used in the RADIUS server certificate (DNS:clearpass.networking.hpe.demo). 

clearpass_onboard_trust_settings.JPG

Automatically configured trusted server list did not work for some reason.

The "Configure Trust" setting could stay @ automatic. The OnBoard client installed all necessary certificates.

 

Hope that helps.

 

Regards,

 

Jens

 

 

Alert a Moderator
Message 15 of 15
2,368 Views
Reply
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium