Guru Elite

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Is the cert 2048-bit? 

Sent from Nine

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Aruba Employee

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Yes, the root CA cert as well as the clearpass cert use 2048-bit keys.


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:00:00:00:83:63:2a:5b:f5:5f:ae:0a:b3:00:01:00:00:00:83
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Validity
            Not Before: Jan 30 15:22:44 2016 GMT
            Not After : Jan 29 15:22:44 2018 GMT
        Subject: C=DE, ST=LS, L=Hannover, O=Hewlett Packard Enterprise, OU=HPE Aruba, CN=cppm01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            65:73:8e:08:85:cc:03:a6:42:bb:5e:96:5d:79:ec:d5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Validity
            Not Before: Jan 30 15:14:41 2016 GMT
            Not After : Jan 30 15:24:41 2036 GMT
        Subject: DC=demo, DC=hp, DC=networking, CN=HP-Networking-DC01-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
Guru Elite

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Do you see both the root and intermediate in the network config profile on the device? 

Sent from Nine

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Aruba Employee

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

Yes, but there is no intermediate cert because the clearpass RADIUS cert is directly issued by the root CA (it's a test environment in this case).

The root CA cert as well as the clearpass RADIUS cert are installed and listed in the network config profile. That's why it looks strange to me.

I also tried the manual trust list but the behaviour is the same.

Aruba Employee

Re: TLS authentication issue : EAP-TLS warning alert by client - close_notify

I have found the root cause for the failure. The Apple devices (I believe since iOS 8) seem to require the RADIUS server explicitly to be added to the "Trusted Server Names" list, otherwise the client rejects the server certificate. (Why couldn't Clearpass just add the CN and subject alternate name (DNS) from the RADIUS server certificate automatically?)

I assumed that the client would check the common name (CN), but instead I had to add the subject alternate name that has been used in the RADIUS server certificate (DNS:clearpass.networking.hpe.demo).

[Attachment: clearpass_onboard_trust_settings.JPG]

Automatically configured trusted server list did not work for some reason.

The "Configure Trust" setting could stay at automatic. The OnBoard client installed all necessary certificates.

Hope that helps.

Regards,

Jens
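As an added example (not ClearPass code and not anything the posters shared): a small Python check that parses openssl x509 -text output like the dumps earlier in the thread and reports whether a supplicant's Trusted Server Names list matches a SAN DNS name rather than only the CN, plus the 2048-bit key question from the first reply. The SAN line in the sample certificate text is constructed from the name Jens gave (DNS:clearpass.networking.hpe.demo).

```python
import re

# Constructed sample modelled on the ClearPass server certificate in the thread;
# the SAN line is assumed (the post names DNS:clearpass.networking.hpe.demo as the SAN).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C=DE, ST=LS, L=Hannover, O=Hewlett Packard Enterprise, OU=HPE Aruba, CN=cppm01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:clearpass.networking.hpe.demo
"""


def parse_cert_text(text):
    """Pull the subject CN, RSA key size and SAN DNS names out of openssl x509 -text output."""
    cn = re.search(r"^\s*Subject:.*?CN=([^,\n]+)", text, re.M)
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns = []
    if san:
        entries = [e.strip() for e in san.group(1).split(",")]
        dns = [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]
    return {
        "cn": cn.group(1).strip() if cn else None,
        "key_bits": int(bits.group(1)) if bits else 0,
        "san_dns": dns,
    }


def check_server_trust(cert_text, trusted_server_names, min_key_bits=2048):
    """Return (ok, findings). A server counts as trusted only when one of its SAN DNS names
    is in the Trusted Server Names list (case-insensitive); a CN-only match is flagged."""
    info = parse_cert_text(cert_text)
    trusted = {n.lower() for n in trusted_server_names}
    findings = []
    if info["key_bits"] < min_key_bits:
        findings.append(f"key is {info['key_bits']} bits, below the {min_key_bits}-bit minimum")
    if not info["san_dns"]:
        findings.append("certificate carries no SAN DNS entries")
    elif not any(d.lower() in trusted for d in info["san_dns"]):
        msg = "no SAN DNS name is in the Trusted Server Names list"
        if info["cn"] and info["cn"].lower() in trusted:
            msg += f" (only the CN '{info['cn']}' is listed; trust the SAN name instead)"
        findings.append(msg)
    return (not findings, findings)
```

Feed it the output of openssl x509 -in server.pem -noout -text together with the names you configured in the profile; the CN-only finding is the exact mismatch described in the post.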
