Security

Hello Community, I'm looking for more information and insight about setting up EAP-TLS 192-bit CNSA auth using ClearPass. I can't find a lot of information on the nuances of successfully setting up 192-bit.

We have devices that need to be tested using this TLS auth type and we're using a Cisco C9800 controller with Cisco 9162 AP's authenticating to ClearPass. All our other EAP-TLS services are working correctly except this one. TLS certs are issued from a Microsoft enterprise CA and Sub CA. ClearPass RADIUS cert is issued from the same CA. 

Access tracker shows the client not responding to the access-challenge.

Additional reading i found mention that the entire Root/Sub/Issued cert chain all need to be signed with a SHA384 sig algorithm,  Key size ECC 384-bit, ECDSA_P384, etc? Currently we don't satisfy that requirement but can if needed.

I have a TAC case open for this but figured id ask if anyone has any useful information on this scenario.

Thank you, Todd

The most common issue when implementing WPA3-Enterprise is that the key material in the certificate is not strong enough. Check this post for a reference.

However that is for clients that authenticate. If I read your description correct, it works with same client and same ClearPass on other wireless, but not with this Cisco controller?

One other issue with EAP-TLS and increasing key sizes (as required by WPA3), is that the EAP Packets while carrying the Client certificate become to big and exceed the MTU somewhere in the path between the AP and ClearPass. It may be that the client does respond to the access-challenge, but that is with the client certificate and that packet is lost somewhere in the path. That would be something to further investigate. If that is the case, either make sure all network components support jumbo frames (including the vSwitch when using VMWare to run ClearPass on), or switch to RadSec which in addition to proper security uses TCP and avoids the MTU issue in that way.

Hope this helps, or with this in mind you may share some additional relevant information about your deployment.

Hello Community, I'm looking for more information and insight about setting up EAP-TLS 192-bit CNSA auth using ClearPass. I can't find a lot of information on the nuances of successfully setting up 192-bit.

We have devices that need to be tested using this TLS auth type and we're using a Cisco C9800 controller with Cisco 9162 AP's authenticating to ClearPass. All our other EAP-TLS services are working correctly except this one. TLS certs are issued from a Microsoft enterprise CA and Sub CA. ClearPass RADIUS cert is issued from the same CA. 

Access tracker shows the client not responding to the access-challenge.

Additional reading i found mention that the entire Root/Sub/Issued cert chain all need to be signed with a SHA384 sig algorithm,  Key size ECC 384-bit, ECDSA_P384, etc? Currently we don't satisfy that requirement but can if needed.

I have a TAC case open for this but figured id ask if anyone has any useful information on this scenario.

Thank you, Todd

Thank you Herman for the insight. To clarify the same client can authenticate using the same controller and ClearPass with a normal EAP-TLS service. Its only when trying EAP-TLS 192-bit it fails. Interesting info about MTU size, will definitely look further into that. As for the certificate the client cert is signed with the appropriate SHA384, ECC, etc. but the Sub CA and Root CA are not. They are standard SHA256RSA. I'm trying to get clarification if the entire chain needs to signed at SHA384. Thanks!

The most common issue when implementing WPA3-Enterprise is that the key material in the certificate is not strong enough. Check this post for a reference.

However that is for clients that authenticate. If I read your description correct, it works with same client and same ClearPass on other wireless, but not with this Cisco controller?

One other issue with EAP-TLS and increasing key sizes (as required by WPA3), is that the EAP Packets while carrying the Client certificate become to big and exceed the MTU somewhere in the path between the AP and ClearPass. It may be that the client does respond to the access-challenge, but that is with the client certificate and that packet is lost somewhere in the path. That would be something to further investigate. If that is the case, either make sure all network components support jumbo frames (including the vSwitch when using VMWare to run ClearPass on), or switch to RadSec which in addition to proper security uses TCP and avoids the MTU issue in that way.

Hope this helps, or with this in mind you may share some additional relevant information about your deployment.

Hello Community, I'm looking for more information and insight about setting up EAP-TLS 192-bit CNSA auth using ClearPass. I can't find a lot of information on the nuances of successfully setting up 192-bit.

We have devices that need to be tested using this TLS auth type and we're using a Cisco C9800 controller with Cisco 9162 AP's authenticating to ClearPass. All our other EAP-TLS services are working correctly except this one. TLS certs are issued from a Microsoft enterprise CA and Sub CA. ClearPass RADIUS cert is issued from the same CA. 

Access tracker shows the client not responding to the access-challenge.

Additional reading i found mention that the entire Root/Sub/Issued cert chain all need to be signed with a SHA384 sig algorithm,  Key size ECC 384-bit, ECDSA_P384, etc? Currently we don't satisfy that requirement but can if needed.

I have a TAC case open for this but figured id ask if anyone has any useful information on this scenario.

Thank you, Todd