This is actually a problem based on the root/intermediate CA that issued the certificate to the phone, and a change in how OpenSSL goes about verifying the trust that was introduced in the version that is now used in ClearPass 6.11.
The issue is due to the check introduced in OpenSSL 1.1 to verify the Extended Key Usage (EKU) purpose of the CA cert and confirm whether the CA cert has "Client Authentication" as the EKU purpose.
OpenSSL 1.1 checks whether the CA certificate presented has the "Client Authentication" purpose present under Extended Key Usage (EKU). This check was not present in the OpenSSL 1.0.x version currently used in 6.9/6.10, which is why the authentications were working fine.
In this case, the CA is a Cisco Certificate Authority Proxy Function (CAPF) on the Cisco Call Manager running version 14SU2 that issues client certs to the phones.
The self-signed CA cert has only "Server Authentication" as the EKU purpose. However, the client certs have 3 EKUs: Server Authentication, Client Authentication, IPSec End System.
Security Guide for Cisco Unified Communications Manager Release 14 and SUs - Certificates [Cisco Unified Communications Manager (CallManager)] - Cisco
The expected fix for this appears to require an upgrade of CUCM, new CA cert, and issuing new certificates to the phones.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
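The purpose check described in the reply, reproduced with the openssl CLI as an added example (not code from the thread, Aruba or Cisco): it builds a throwaway CA whose only EKU is serverAuth, issues a client cert with the three phone EKUs, and validates the chain for the "sslclient" purpose, then repeats it with a CA that also carries clientAuth. All names and files are constructed; it assumes an `openssl` binary (1.1.1 or later) on PATH.

```shell
# Reproduces the EKU purpose check described above with the openssl CLI: a
# throwaway CA whose only EKU is serverAuth (like the CAPF CA), a client cert
# carrying serverAuth, clientAuth and ipsecEndSystem (like the phone certs), and
# a chain validation for the "sslclient" purpose, which is what a TLS server
# applies to a client certificate. All names and files here are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/test.cnf"
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_server_only]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth
[ca_server_and_client]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth,clientAuth
[phone]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth,clientAuth,ipsecEndSystem
EOF

# make_ca NAME EXT_SECTION: self-signed CA with the EKU set from EXT_SECTION
make_ca() {
    openssl req -x509 -config "$CNF" -extensions "$2" -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}
# make_client CA_NAME: client cert with the three phone EKUs, signed by CA_NAME
make_client() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=phone" \
        -keyout "$WORK/phone-$1.key" -out "$WORK/phone-$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/phone-$1.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -set_serial 1 -days 365 -extfile "$CNF" \
        -extensions phone -out "$WORK/phone-$1.pem" >/dev/null 2>&1
}
# verify_client CA_NAME: exit 0 only if the chain is valid for the client purpose
verify_client() {
    openssl verify -purpose sslclient -CAfile "$WORK/$1.pem" "$WORK/phone-$1.pem"
}
make_ca serveronly ca_server_only && make_client serveronly
verify_client serveronly || echo "serveronly CA: rejected (unsupported purpose)"
make_ca both ca_server_and_client && make_client both
verify_client both && echo "both CA: accepted"
```

The first verification reports "unsupported certificate purpose" at depth 1 (the CA), which is the condition behind the phone's "unsupported_certificate" alert; the second passes because only the CA's EKU changed.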
Original Message:
Sent: Apr 30, 2024 11:58 PM
From: scottdoorey
Subject: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10
Hey Airheads,
Currently working through what appears to be a bug but looking to see if anybody else has solved it.
Have a customer running CPPM 6.10 and doing 802.1X EAP-TLS for Cisco Phones. Working fine, but when we point the same certs at CPPM 6.11 it fails due to unsupported certificates.
The device certs have 3 EKUs:
TLS Web Client Authentication
TLS Web Server Authentication
IPSEC End System
I suspect it's this combination of usage types that's causing it to fail, but curious as to why 6.11 is now strict when 6.10 works for the same cert.
Anybody else hit this?
Scott