Wireless Access


CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

  • 1.  CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

    Posted Jun 02, 2014 12:58 AM

    Hi Airheads,

    Good Morning,

     

    One of my clients is trying to configure CPPM to work with 802.1x wireless, using EAP-FAST, with Avaya 6140 phones.

    My issue is that he keeps getting an error:


     

    Request log details for session: R00380708-57-5382f828

    Time Message

    2014-05-26 11:15:36,931[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_service: Starting Service Categorization - 228:232:00-90-7a-0c-34-a5
    2014-05-26 11:15:36,934[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888858 h=607 r=R00380708-57-5382f828] INFO Core.ServiceReqHandler - Service classification result = RA_EAP_FAST_wifi
    2014-05-26 11:15:36,935[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_service: The request has been categorized into service "RA_EAP_FAST_wifi"
    2014-05-26 11:15:36,935[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_eap_fast: Initiate
    2014-05-26 11:15:36,935[Th 1070 Req 45743848 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 228:96:00-90-7a-0c-34-a5:0x0030007c002c003ae8feb902558032407db82f06c1c18ca8bd0f4779
    2014-05-26 11:15:36,952[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "RA_EAP_FAST_wifi" - 229:305:00-90-7a-0c-34-a5
    2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure
    2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client hello C
    2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    2014-05-26 11:15:36,955[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
    2014-05-26 11:15:36,956[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.234.36.5
    2014-05-26 11:15:36,956[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.234.36.5
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO Common.EndpointTable - Returning NULL (EndpointPtr) for macAddr 00907a0c34a5
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 0 entity id = 29
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 r=psauto-1381653112-14888859 h=655 r=R00380708-57-5382f828] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 h=77515033 c=R00380708-57-5382f828] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Started ***
    2014-05-26 11:15:36,957[RequestHandler-1-0x7f7bcafb7700 h=77515035 c=R00380708-57-5382f828] INFO Core.PETaskRoleMapping - Roles:
    2014-05-26 11:15:36,958[RequestHandler-1-0x7f7bcafb7700 h=77515038 c=R00380708-57-5382f828] INFO Core.PETaskEnforcement - EnfProfiles: Allow Access Profile]
    2014-05-26 11:15:36,958[RequestHandler-1-0x7f7bcafb7700 h=77515043 c=R00380708-57-5382f828] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2014-05-26 11:15:36,958[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] WARN Core.SessionInfoOperations - Skip SessionInfoOperations::persistSessionInfo because of NULL NAD or NAD IP matching localhost
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] ERROR Common.NadClientTable - getNadClient: Unknown NadClient 10.234.36.5
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] INFO Core.PETaskRadiusEnfProfileBuilder - EnfProfileAction=ACCEPT
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] INFO Core.PETaskRadiusEnfProfileBuilder - Radius enfProfiles used: Allow Access Profile]
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515039 c=R00380708-57-5382f828] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 h=77515044 c=R00380708-57-5382f828] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515042 c=R00380708-57-5382f828] WARN Core.PETaskPostAuthEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515042 c=R00380708-57-5382f828] INFO Core.PETaskPostAuthEnfProfileBuilder - getApplicableProfiles: No Post auth enforcement profiles applicable for this device
    2014-05-26 11:15:36,959[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515040 c=R00380708-57-5382f828] WARN Core.PETaskRadiusCoAEnfProfileBuilder - handleHttpResponseEv: Fetching Radius attributes from battery failed, errMsg=
    2014-05-26 11:15:36,962[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Received Accept Enforcement Profile
    2014-05-26 11:15:36,962[Th 1065 Req 45743850 SessId R00380708-57-5382f828] INFO RadiusServer.Radius - rlm_policy: Policy Server reply does not contain Posture-Validation-Response
    2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 h=77515046 c=R00380708-57-5382f828] INFO Core.XpipPolicyResHandler - populateResponseTlv: PETaskPostureOutput does not exist. Skip sending posture VAFs
    2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 h=77515046 c=R00380708-57-5382f828] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 h=77515045 c=R00380708-57-5382f828] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2014-05-26 11:15:36,962[RequestHandler-1-0x7f7bcafb7700 r=R00380708-57-5382f828 h=77515033 c=R00380708-57-5382f828] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_RADIUS Completed ***

    TLS Alert write:fatal:handshake failure

     

     

    • Might the error be occurring because the PAC file was generated on Cisco ACS?
    • I changed the authentication from EAP-FAST to PEAP
    • I also exported the CPPM server certificate and uploaded it to the phone, getting the same error

    RADIUS

    EAP-PEAP: fatal alert by client - unknown_ca

     


    Can anyone advise?

    Me.



  • 2.  RE: CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure
    Best Answer

    EMPLOYEE
    Posted Jun 02, 2014 03:27 AM

    The very last line tells what is wrong (from the Alert tab):

     

    RADIUS: EAP-PEAP: fatal alert by client - unknown_ca

     

    This means that your client is configured to connect to the 802.1x SSID and is configured to validate the server certificate, although the server certificate on your RADIUS is not trusted by your client configuration.

     

    In the Windows supplicant, this means that 'Validate Server Certificate' is switched on (1), and the server name (2) does NOT match, or the selected CA (3) does NOT match:

     

    [Image: validate123.png]

     

    You probably use a different 802.1x supplicant, as you use PAC files. Similar configuration should be there.

     

    So check the settings for your client to validate the server certificate. If you require the same client configuration as you use on your ACS, you may need to export the RADIUS certificate from ACS and import it into ClearPass as the RADIUS certificate.

     

    In recent ClearPass versions, you can install separate certificates for RADIUS and the HTTPS web server; make sure that you installed the correct certificate for RADIUS in your case.

     

    Herman
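
Added example (not part of the thread and not ClearPass code): a Python triage of the log format shown in the first post, separating the handshake the server aborted (`no shared cipher`, EAP-FAST attempt) from the one the client aborted (`unknown_ca`, PEAP attempt). The timestamp and session ID on the third sample line are constructed, and the "next check" hints are this example's own wording.

```python
import re

# Lines 1-2 are copied from the log in the first post. Line 3 wraps the
# Alert-tab message quoted in the thread in a constructed timestamp/session.
SAMPLE_LOG = """\
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure
2014-05-26 11:15:36,954[Th 1065 Req 45743850 SessId R00380708-57-5382f828] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
2014-05-26 11:20:00,000[Th 1 Req 1 SessId R-CONSTRUCTED-0001] ERROR RadiusServer.Radius - EAP-PEAP: fatal alert by client - unknown_ca
"""

# timestamp[context] LEVEL source - message
LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\[(?P<ctx>[^\]]*)\] (?P<level>\w+) (?P<src>\S+) - (?P<msg>.*)$"
)
# The session ID appears as "SessId R...", "r=R..." or "c=R..." in the context.
SESSION = re.compile(r"(?:SessId |\b[rc]=)(R[\w-]+)")

# (pattern, side that aborted the handshake, what to check first)
RULES = [
    # OpenSSL error on the server: it found no cipher suite in common with the
    # ClientHello, so the server itself wrote the handshake_failure alert.
    (re.compile(r"SSL routines:\w+:(no shared cipher)"), "server",
     "compare the supplicant's offered cipher suites with those the server allows"),
    # Alert received from the supplicant: it rejected the server certificate.
    (re.compile(r"fatal alert by client - (\w+)"), "client",
     "check which CA and server name the supplicant is configured to trust"),
]


def triage(log_text):
    """Return {session_id: [(aborted_by, reason, next_check), ...]}."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["level"] != "ERROR":
            continue
        sess = SESSION.search(m["ctx"])
        if not sess:
            continue
        for pattern, side, hint in RULES:
            hit = pattern.search(m["msg"])
            if hit:
                findings.setdefault(sess[1], []).append((side, hit[1], hint))
    return findings


if __name__ == "__main__":
    for session, items in triage(SAMPLE_LOG).items():
        for side, reason, hint in items:
            print(f"{session}: aborted by {side} ({reason}) -> {hint}")
```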



  • 3.  RE: CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

    Posted Jun 02, 2014 03:47 AM
    I sent your post to my client - I hope it will give him a clue (he is using Avaya 6140)


  • 4.  RE: CPPM - ERROR RadiusServer.Radius - TLS Alert write:fatal:handshake failure

    Posted Apr 07, 2015 09:57 PM

    Thanks a lot for your reply.

    It works fine with me.

    I added a network profile on the Windows machine and removed Validate server certificate,

    or you had to distribute the CPPM RADIUS certificate via CA Domain.