Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

  • 1.  ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

    Posted 14 days ago

    Hey Airheads,

    Currently working through what appears to be a bug but looking to see if anybody else has solved it. 

    Have a customer running CPPM 6.10 and doing 802.1x EAP-TLS for Cisco Phones. Working fine but when we point the same certs at CPPM 6.11 it fails due to unsupported certificates.

    The device certs have 3 EKUs:
    - TLS Web Client Authentication
    - TLS Web Server Authentication
    - IPSEC End System

    I suspect it's this combination of usage types that's causing it to fail, but I'm curious as to why 6.11 is now strict when 6.10 works for the same cert.

    Anybody else hit this?

    Scott



  • 2.  RE: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10
    Best Answer

    EMPLOYEE
    Posted 14 days ago

    This is actually a problem based on the root/intermediate CA that issued the certificate to the phone, and a change in how OpenSSL goes about verifying the trust that was introduced in the version that is now used in ClearPass 6.11.

    The issue is due to the check introduced in OpenSSL 1.1 to verify the Extended Key Usage (EKU) purpose of the CA cert and confirm whether the CA cert has "Client Authentication" as an EKU purpose.

    OpenSSL 1.1 checks whether the CA certificate presented has the "Client Authentication" purpose present under Extended Key Usage (EKU). This check was not present in the OpenSSL 1.0.x version currently used in 6.9/6.10, which is why the authentications were working fine.

    In this case, the CA is a Cisco Certificate Authority Proxy Function (CAPF) on the Cisco Call Manager running 14SU2 version that issues client certs to the phones. 

    The self-signed CA cert has only "Server Authentication" as its EKU purpose. However, the client certs have 3 EKUs: Server Authentication, Client Authentication, IPSec End System.

    Security Guide for Cisco Unified Communications Manager Release 14 and SUs - Certificates [Cisco Unified Communications Manager (CallManager)] - Cisco

    The expected fix for this appears to require an upgrade of CUCM, new CA cert, and issuing new certificates to the phones.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
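The check Carson describes can be reproduced offline. The script below is an added example, not code from the thread or from ClearPass/OpenSSL: it decodes two constructed Extended Key Usage extension values (a phone cert with serverAuth, clientAuth and ipsecEndSystem, and an issuing CA with serverAuth only) and applies the OpenSSL 1.1 "sslclient" purpose rule, under which an issuer that carries an EKU at all must include clientAuth, while an issuer with no EKU extension is accepted. The DER byte strings and the function names are assumptions made for this illustration.

```python
# Added example: emulate the OpenSSL 1.1 purpose check that rejects an issuing CA
# whose Extended Key Usage (EKU) lacks clientAuth. The DER bytes below are
# constructed EKU extension values, not certificates taken from the thread.

# KeyPurposeId OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"

# Constructed EKU extension values (ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId).
PHONE_EKU = bytes.fromhex(
    "301e"
    "06082b06010505070301"   # serverAuth
    "06082b06010505070302"   # clientAuth
    "06082b06010505070305"   # ipsecEndSystem
)
CAPF_CA_EKU = bytes.fromhex("300a" "06082b06010505070301")  # serverAuth only


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn DER OID content octets into dotted form (X.690 base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:      # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(ext_value):
    """Return the list of KeyPurposeId OIDs in an EKU extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid_bytes, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(oid_bytes))
    return oids


def check_client_auth_chain(leaf_eku, ca_eku):
    """OpenSSL 1.1-style 'sslclient' purpose check over a two-element chain.

    leaf_eku / ca_eku: list of OIDs, or None when the cert has no EKU extension.
    Returns (ok, reason). A CA with no EKU is unrestricted; a CA that has an EKU
    must list clientAuth, which is exactly what the CAPF issuer in the thread lacks.
    """
    if leaf_eku is not None and CLIENT_AUTH not in leaf_eku:
        return False, "leaf certificate EKU does not include clientAuth"
    if ca_eku is not None and CLIENT_AUTH not in ca_eku:
        return False, "issuer CA has an EKU that does not include clientAuth"
    return True, "chain acceptable for client authentication"


if __name__ == "__main__":
    phone, capf = parse_eku(PHONE_EKU), parse_eku(CAPF_CA_EKU)
    print("phone EKU:", phone)
    print("CAPF CA EKU:", capf)
    print("OpenSSL 1.1 rule:", check_client_auth_chain(phone, capf))
    print("same phone cert under a CA with no EKU:", check_client_auth_chain(phone, None))
```

The same question can be put to OpenSSL directly with `openssl x509 -in ca.pem -noout -purpose`, whose "SSL client CA" line must read "Yes" for the issuer of an EAP-TLS client certificate; under 1.0.x the EKU of the CA was simply not consulted for this purpose.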



  • 3.  RE: ClearPass EAP-TLS "unsupported_certificate" on 6.11 but works on 6.10

    Posted 13 days ago

    Carson, thank you so much for the detailed response. This is 100% my issue and a testament to the power of the Airheads community. TAC are still shuffling the ticket between timezones and asking me for screenshots 12 hours in!

    This would have been a great inclusion in the release notes for 6.11!

    Scott