Security

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

OpenSSL version used in 6.10 and earlier did not have support for RSA PSS forcing ClearPass to negotiate a different cipher suite and hence this issue is not seen in older versions. 6.11 with its updated openSSL module negotiates RSA PSS but fails due to the implementation bug on Microsoft side. So far it seems like only devices with TPM 2.0 revision 1.16 has this issue. If the device supports TPM upgrade, that is one way to fix the issue. However TPM update is not an option in all cases.

Work arounds are to disable RSA-PSS on windows client side or TPM update. If either these options doesn't work, TAC might be able to help disable TLS 1.2 from support shell.

Original Message:
Sent: Apr 21, 2023 03:58 AM
From: jonas.hammarback
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Thank you for the answer!

OpenSSL version used in 6.10 and earlier did not have support for RSA PSS forcing ClearPass to negotiate a different cipher suite and hence this issue is not seen in older versions. 6.11 with its updated openSSL module negotiates RSA PSS but fails due to the implementation bug on Microsoft side. So far it seems like only devices with TPM 2.0 revision 1.16 has this issue. If the device supports TPM upgrade, that is one way to fix the issue. However TPM update is not an option in all cases.

Work arounds are to disable RSA-PSS on windows client side or TPM update. If either these options doesn't work, TAC might be able to help disable TLS 1.2 from support shell.

Original Message:
Sent: Apr 21, 2023 03:58 AM
From: jonas.hammarback
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

OpenSSL version used in 6.10 and earlier did not have support for RSA PSS forcing ClearPass to negotiate a different cipher suite and hence this issue is not seen in older versions. 6.11 with its updated openSSL module negotiates RSA PSS but fails due to the implementation bug on Microsoft side. So far it seems like only devices with TPM 2.0 revision 1.16 has this issue. If the device supports TPM upgrade, that is one way to fix the issue. However TPM update is not an option in all cases.

Work arounds are to disable RSA-PSS on windows client side or TPM update. If either these options doesn't work, TAC might be able to help disable TLS 1.2 from support shell.

Original Message:
Sent: Apr 21, 2023 03:58 AM
From: jonas.hammarback
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

From my research, the issue is with TPM 2.0 firmware from the various hardware manufacturers. It is therefore not a Microsoft implementation issue, but a manufacturer-specific firmware issue. This is not listed in the Release Notes as a Behavior change. Many users reading the Release Notes do not comb through all the issues entries.

I realize this support allows enhancing FIPS support. Is Aruba planning an option to not negotiate RSA PSS in non-FPS systems for improved compatibility?  Most of the clients on our network are running Windows 10 and our testing has revealed these TLS compatibility issues. The majority of our clients are personally owned by students & staff so we have no control over firmware versions.

If we wish to maintain ClearPass support past the end of the year, we are forced to move to 6.11.x.  In my personal opinion, we need a more compatible solution that currently offered. We have been a ClearPass customer since the early days of Aruba's purchase of Avenda. This is the first time, in my memory, where we do not see a viable path to maintain product support. In fact, our proof of concept was before Aruba rebranded the product.

To reiterate, the above statements are based on my personal opinions and experiences with this product.
Thank you again for highlight this issue that i missed in the Release Notes.

OpenSSL version used in 6.10 and earlier did not have support for RSA PSS forcing ClearPass to negotiate a different cipher suite and hence this issue is not seen in older versions. 6.11 with its updated openSSL module negotiates RSA PSS but fails due to the implementation bug on Microsoft side. So far it seems like only devices with TPM 2.0 revision 1.16 has this issue. If the device supports TPM upgrade, that is one way to fix the issue. However TPM update is not an option in all cases.

Work arounds are to disable RSA-PSS on windows client side or TPM update. If either these options doesn't work, TAC might be able to help disable TLS 1.2 from support shell.

Original Message:
Sent: Apr 21, 2023 03:58 AM
From: jonas.hammarback
Subject: Clients affected by CP‑49353 in ClearPass 6.11 from Windows 10

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

An update for anyone running into the same issue and need a quick guide how to solve the issue for the clients.
We implemented a fix by removing the PSS RSA algorithm for the customer with clients with this issue by pushing a GPO removing the keys below.

The values that need to be removed are found under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512


For clients that was already in a state where they could not authenticate we had to work around that by either allowing MAC authentication or in some cases manually disable the authentication on the switch port for some time to allow the client to retrieve the new settings in the GPO.

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

Does it also appear with PEAP + EAP-TLS Method? We get all the time timeouts and don´t know why since 6.11

An update for anyone running into the same issue and need a quick guide how to solve the issue for the clients.
We implemented a fix by removing the PSS RSA algorithm for the customer with clients with this issue by pushing a GPO removing the keys below.

The values that need to be removed are found under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512


For clients that was already in a state where they could not authenticate we had to work around that by either allowing MAC authentication or in some cases manually disable the authentication on the switch port for some time to allow the client to retrieve the new settings in the GPO.

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

Hi

I don't know if it's an issue in PEAP with EAP-TLS as inner method as well, but I guess so.
Do you get any error message related to the timeouts?

Does it also appear with PEAP + EAP-TLS Method? We get all the time timeouts and don´t know why since 6.11

An update for anyone running into the same issue and need a quick guide how to solve the issue for the clients.
We implemented a fix by removing the PSS RSA algorithm for the customer with clients with this issue by pushing a GPO removing the keys below.

The values that need to be removed are found under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512


For clients that was already in a state where they could not authenticate we had to work around that by either allowing MAC authentication or in some cases manually disable the authentication on the switch port for some time to allow the client to retrieve the new settings in the GPO.

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

Unfortunatelly no, Only "Timeouts" in Reauthentication

Hi

I don't know if it's an issue in PEAP with EAP-TLS as inner method as well, but I guess so.
Do you get any error message related to the timeouts?

Does it also appear with PEAP + EAP-TLS Method? We get all the time timeouts and don´t know why since 6.11

An update for anyone running into the same issue and need a quick guide how to solve the issue for the clients.
We implemented a fix by removing the PSS RSA algorithm for the customer with clients with this issue by pushing a GPO removing the keys below.

The values that need to be removed are found under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512


For clients that was already in a state where they could not authenticate we had to work around that by either allowing MAC authentication or in some cases manually disable the authentication on the switch port for some time to allow the client to retrieve the new settings in the GPO.

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

Hi

Timeouts are often a result of a mismatch in the client configuration in relation to the ClearPass server certificate.
The client settings must allow the client to accept the Radius certificate.

The issue described seems to be another issue maybe better for a separate thread, or a TAC case.

Unfortunatelly no, Only "Timeouts" in Reauthentication

Hi

I don't know if it's an issue in PEAP with EAP-TLS as inner method as well, but I guess so.
Do you get any error message related to the timeouts?

Does it also appear with PEAP + EAP-TLS Method? We get all the time timeouts and don´t know why since 6.11

An update for anyone running into the same issue and need a quick guide how to solve the issue for the clients.
We implemented a fix by removing the PSS RSA algorithm for the customer with clients with this issue by pushing a GPO removing the keys below.

The values that need to be removed are found under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512


For clients that was already in a state where they could not authenticate we had to work around that by either allowing MAC authentication or in some cases manually disable the authentication on the switch port for some time to allow the client to retrieve the new settings in the GPO.

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is:

An update for anyone running into the same issue and need a quick guide how to solve the issue for the clients.
We implemented a fix by removing the PSS RSA algorithm for the customer with clients with this issue by pushing a GPO removing the keys below.

The values that need to be removed are found under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Remove the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512


For clients that was already in a state where they could not authenticate we had to work around that by either allowing MAC authentication or in some cases manually disable the authentication on the switch port for some time to allow the client to retrieve the new settings in the GPO.

Hi

I have a customer affected by CP‑49353 in all 6.11.x versions (found in Policy manager section under Known Issues for 6.11.0 in the Release Notes) and got the information from the TAC that it's a client issue. The Windows client sends 256 zeroes instead of the sha256 hash.

Have anyone else encountered this issue and are able to tell if the it's works good to disable RSA PSS algorithm on the Windows client, any other issues arising?
I would also like to know is someone can explain why this is happening only when the clients connect to ClearPass 6.11.x and not earlier versions, like 6.10.x.

Is there a change in the lowest possible algorithm in 6.11 and this forces the client to negotiate a an algorithm that is poorly implemented on the Windows side?

The error message seen in Access Tracker is: