WPA3 Issues With Clearpass

  • 1.  WPA3 Issues With Clearpass

    Posted Mar 02, 2023 08:49 AM

    We're deploying AP-655s and testing out WPA3 on Win10 laptops before pushing GPO changes.  On the mobility conductor, under the SSID profile, we're using transition mode and wpa3-aes-ccm-128.  Client-side, we're using EAP-TLS user/machine authentication and sending it to Clearpass.  Clearpass denies the authentication with an error message indicating the client's cert key is fewer than 3000 bits.  However, if we configure Clearpass to act as a RADIUS proxy and forward the authentications to Cisco ISE, the authentication passes and the test laptop connects.  Any idea why Clearpass would have an issue authenticating an EAP-TLS WPA3 authentication, whereas ISE does not?



  • 2.  RE: WPA3 Issues With Clearpass

    EMPLOYEE
    Posted Mar 06, 2023 09:41 AM

    WPA3 Enterprise requires RSA keys that are at least 3072 bits in size: https://www.mathyvanhoef.com/2018/03/wpa3-technical-details.html

    4. Increased Session Key Sizes

    Finally, the fourth improvement that WPA3 offers is increased key sizes. More specifically, they refer to the Commercial National Security Algorithms (CNSA) suite. This means WPA3 will support AES-GCM with 256-bit keys for encryption, and elliptic curve cryptography based 384-bit curves. Additionally, SHA384 of the SHA2 family will be used, and any employed RSA keys must be at least 3072 bits in size. All combined, this results in 192-bit security, because that's roughly the effective strength of 384-bit elliptic curves and SHA384.

    If your RADIUS server is not ready for WPA3, it may not enforce this requirement, but that's just a guess. You may work with Aruba Support if you need more info, but it seems that your client certificates require an upgrade.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
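
To check the reply's point on a test laptop before requesting new certificates, the sketch below lists client-authentication certificates and flags RSA keys under the 3072-bit minimum quoted above. It is an added example, not part of the original thread or any Aruba tooling; the store paths, the Client Authentication EKU filter and the function name `Get-ClientCertKeyReport` are assumptions.

```powershell
# Added example: flag client certificates whose RSA key is smaller than the
# 3072-bit minimum quoted in the reply above.
$MinRsaBits    = 3072                  # threshold taken from the thread
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
# Assumption: EAP-TLS machine/user certificates live in the Personal stores.
$Stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

function Get-ClientCertKeyReport {
    param([string[]]$StorePath = $Stores, [int]$MinBits = $MinRsaBits)

    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            # Skip certificates whose EKU list excludes Client Authentication.
            # A certificate with no EKU list at all is kept (valid for any use).
            $ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ } |
                      ForEach-Object { $_.ObjectId })
            if ($ekus.Count -gt 0 -and $ekus -notcontains $ClientAuthOid) { continue }

            # GetRSAPublicKey returns $null for non-RSA keys (for example ECDSA).
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($null -eq $rsa) {
                $bits   = $null
                $status = 'Not RSA: check curve separately'
            } elseif ($rsa.KeySize -lt $MinBits) {
                $bits   = $rsa.KeySize
                $status = 'Below minimum: reissue'
            } else {
                $bits   = $rsa.KeySize
                $status = 'OK'
            }

            [pscustomobject]@{
                Store     = $path
                Subject   = $cert.Subject
                NotAfter  = $cert.NotAfter
                Algorithm = $cert.PublicKey.Oid.FriendlyName
                RsaBits   = $bits
                Status    = $status
            }
        }
    }
}

Get-ClientCertKeyReport | Sort-Object Status, Subject | Format-Table -AutoSize -Wrap
```

Run it in the user's session so the `CurrentUser` store reflects the account that performs user authentication.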



  • 3.  RE: WPA3 Issues With Clearpass

    Posted Mar 06, 2023 11:59 AM

    Thanks Herman.  I had read about that requirement, but it threw me since ISE didn't seem to care.  I'll do some more research to see why it works with ISE.  Might be able to get security to issue me an upgraded cert and test with that as suggested. I'll follow up once I've nailed this down.