Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

  • 1.  ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

    Posted 30 days ago

    Hey Airheads,

    Currently working through what appears to be a bug but looking to see if anybody else has solved it. 

    Have a customer running CPPM 6.10 and doing 802.1x EAP-TLS for Cisco Phones. Working fine but when we point the same certs at CPPM 6.11 it fails due to unsupported certificates.

    The device certs have 3 EKUs:
    TLS Web Client Authentication
    TLS Web Server Authentication
    IPSEC End System

    I suspect it's this combination of usage types that's causing it to fail, but I'm curious as to why 6.11 is now strict when 6.10 works for the same cert.

    Anybody else hit this?

    Scott



  • 2.  RE: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10
    Best Answer

    EMPLOYEE
    Posted 30 days ago

    This is actually a problem based on the root/intermediate CA that issued the certificate to the phone, and a change in how OpenSSL verifies trust that was introduced in the version now used in ClearPass 6.11.

    The issue is due to the check introduced in OpenSSL 1.1 that verifies the Extended Key Usage (EKU) purpose of the CA cert and confirms that the CA cert has "Client Authentication" as an EKU purpose.

    OpenSSL 1.1 checks whether the CA certificate presented has the "Client Authentication" purpose present under Extended Key Usage (EKU). This check was not present in the OpenSSL 1.0.x version currently used in 6.9/6.10, which is why the authentications were working fine.

    In this case, the CA is a Cisco Certificate Authority Proxy Function (CAPF) on the Cisco Call Manager running 14SU2 version that issues client certs to the phones. 

    The self-signed CA cert has only "Server Authentication" as the EKU purpose. However, the client certs have 3 EKUs: Server Authentication, Client Authentication, IPSec End System.

    Security Guide for Cisco Unified Communications Manager Release 14 and SUs - Certificates [Cisco Unified Communications Manager (CallManager)] - Cisco

    The expected fix for this appears to require an upgrade of CUCM, new CA cert, and issuing new certificates to the phones.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

    Posted 30 days ago

    Carson, thank you so much for the detailed response. This is 100% my issue and a testament to the power of the Airheads community. TAC are still shuffling the ticket between timezones and asking me for screenshots 12 hours in!

    This would have been a great inclusion in the release notes for 6.11!

    Scott




  • 4.  RE: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

    Posted yesterday

    We have just upgraded from 6.10 to 6.11 and we are facing this issue with our Cisco Phones as well. The problem is that the phones keep trying and trying (1 auth/second), and since we have more than 1000 phones they saturate ClearPass and the database fails... We are going to upgrade the CAPF etc., but in the meanwhile we have a problem...

    Is there any workaround so that we can allow these phones with the unsupported certificate to connect?

    I agree that this should be included in the 6.11 release notes as it is a very serious issue...




  • 5.  RE: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

    Posted yesterday

    We encountered the same issue. This is not actually a ClearPass issue. In 6.11, they are using a newer version of OpenSSL, which enforces the Extended Key Usage (EKU) field in the certificates used for authentication. The solution is to upgrade the Cisco CUCM server to v14 SU3 and regenerate the CAPF certificate that is issuing certificates to the phones. This new CAPF certificate will need to be imported to the trust list in ClearPass.

    I know this is probably not what you want to hear, and it delayed my upgrade to 6.11 by a few months. But after working with Aruba TAC, there really isn't much they can do and it needs to be fixed on the Cisco side.
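
The rule described in replies 2 and 5 (every certificate in the chain that carries an EKU extension must itself permit the purpose being verified, so a serverAuth-only CA cannot vouch for a client-authentication leaf) can be reproduced with Go's crypto/x509 verifier, which applies the same chain-wide EKU check. The following is an added example written for this page; it is not ClearPass, OpenSSL or Cisco code, and the "CAPF" CA and "SEP..." phone certificate it builds are constructed stand-ins with the EKU sets the thread describes. The error Go returns is its own ("incompatible key usage"), which corresponds to the OpenSSL "unsupported certificate purpose" rejection that ClearPass surfaces as unsupported_certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and a certificate from tmpl. With parent == nil the
// certificate is self-signed (our constructed stand-in for the CAPF CA).
func mint(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA returns a self-signed CA whose extendedKeyUsage is exactly ekus.
func NewCA(ekus []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "CAPF-test-ca (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
	}, nil, nil)
}

// IssuePhoneCert issues a leaf carrying the three EKUs listed in the original post.
func IssuePhoneCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	leaf, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "SEP000000000000 (constructed phone)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{
			x509.ExtKeyUsageServerAuth,
			x509.ExtKeyUsageClientAuth,
			x509.ExtKeyUsageIPSECEndSystem,
		},
	}, ca, caKey)
	return leaf, err
}

// VerifyAsClient does what the EAP-TLS server does with the supplicant's cert:
// chain it to the trusted CA for the "client authentication" purpose. Every
// certificate on the chain that has an EKU extension must permit that purpose.
func VerifyAsClient(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsIncompatibleUsage reports whether err is the EKU-purpose rejection.
func IsIncompatibleUsage(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// CAPermitsClientAuth is the pre-upgrade check to run on the CA that signs the
// phone certs: no EKU extension at all is fine; if one is present it must list
// clientAuth (or anyExtendedKeyUsage).
func CAPermitsClientAuth(ca *x509.Certificate) bool {
	if len(ca.ExtKeyUsage) == 0 && len(ca.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range ca.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// Demo verifies a phone-style leaf against a serverAuth-only CA (the thread's
// failing case) and against a regenerated CA that also carries clientAuth.
func Demo() (before, after, setupErr error) {
	oldCA, oldKey, err := NewCA([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return nil, nil, err
	}
	oldLeaf, err := IssuePhoneCert(oldCA, oldKey)
	if err != nil {
		return nil, nil, err
	}
	newCA, newKey, err := NewCA([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		return nil, nil, err
	}
	newLeaf, err := IssuePhoneCert(newCA, newKey)
	if err != nil {
		return nil, nil, err
	}
	return VerifyAsClient(oldLeaf, oldCA), VerifyAsClient(newLeaf, newCA), nil
}

func main() {
	before, after, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("serverAuth-only CA:", before)
	fmt.Println("CA with clientAuth:", after)
}
```

Note that the leaf is identical in both runs; only the CA's EKU changes the outcome, which is why reissuing phone certificates alone does not help and the CA (the CAPF certificate here) has to be regenerated. Against a real CAPF certificate exported from CUCM, `CAPermitsClientAuth` corresponds to reading the extendedKeyUsage line of `openssl x509 -noout -ext extendedKeyUsage -in capf.pem` (the `-ext` option needs OpenSSL 1.1.1 or later) and confirming that "TLS Web Client Authentication" appears in it before pointing the phones at a 6.11 cluster.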