ClearPass can do TLS 1.2 for sure; it looks to me like the client device doesn't support it.
In the pcap capture you should have a look at the SSL/TLS negotiations; both ends should tell what protocols/ciphers they support and pick one that both do.
The message SSL23_GET_CLIENT_HELLO even suggests that the client is trying to do SSLv3, not even TLS... a packet capture may provide more clarity on that. Do you have the specifications of the Zoll Medical device? Also, is it a new device or one that was introduced some 10 years ago? Older devices and embedded devices may have outdated protocol support.
Do you have a specific reason to enable FIPS on ClearPass? FIPS mode is incompatible with many legacy devices, as all 'weak algorithms' are disabled. One clear example is EAP-MD5, which is used by older IP phones (and other devices). If there is no strict need for FIPS, don't enable it, as you can also just not use those protocols/algorithms. I'm unsure whether you can temporarily enable TLS 1.0/1.1 in FIPS mode to see if that resolves the issue; if you can, I would do that.
And I would also like to know the EAP type you are using (as asked by cjoseph).
Have you tried whether the device connects properly on a WPA2-PSK network? That, combined with profiling or manual attributes, may be the workaround if WPA2-Enterprise with modern standards is not supported by the device.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
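Editor's note (added example, not part of Herman's or Bernhard's posts): the question in this thread is which value in the pcap shows whether the supplicant offers TLS 1.2. The script below pulls exactly those fields out of a raw ClientHello, the bytes Wireshark shows under EAP-TLS > TLS in the first frame from the client. Three values matter: the record-layer version, the ClientHello's own version field, and, for TLS 1.3-capable clients, the supported_versions extension (there the version field stays at 0x0303, so the extension has to be read). The offered cipher suites then decide whether a FIPS-mode server has anything left to pick. Everything in the script is constructed: the sample hellos are built in the script itself, and the FIPS allowlist is illustrative, not ClearPass's actual FIPS cipher list. The parser assumes one complete TLS record, i.e. the EAP-TLS fragments have been reassembled first (Wireshark does that for you). With tshark installed, the same fields can be pulled from a capture with: tshark -r capture.pcap -Y 'tls.handshake.type == 1' -T fields -e tls.record.version -e tls.handshake.version -e tls.handshake.extensions.supported_version -e tls.handshake.ciphersuite

```python
import struct

HANDSHAKE = 0x16                 # TLS record content type: handshake
CLIENT_HELLO = 0x01              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 extension carrying the real version list

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Illustrative allowlist of TLS 1.2 suites built from FIPS-approved primitives (AES, SHA-2,
# HMAC-SHA-1, RSA/ECDHE). An assumption for this example, NOT ClearPass's real FIPS list.
FIPS_OK_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def build_client_hello(legacy_version, suites, supported_versions=None, record_version=0x0301):
    """Build a minimal TLS record carrying a ClientHello. Only used to construct sample data."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32      # client_version + random
    body += b"\x00"                                               # empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    if supported_versions:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 1 + len(vers)) + bytes([len(vers)]) + vers
        body += struct.pack(">H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", HANDSHAKE, record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Extract the ClientHello fields that decide what a TLS 1.2 server can negotiate.

    `data` is one complete TLS record (the EAP-TLS payload after fragment reassembly).
    """
    if len(data) < 6 or data[0] != HANDSHAKE or data[1] != 0x03:
        # Not a TLS/SSLv3 handshake record at all (SSLv2-format hello or non-TLS bytes);
        # nothing here that a TLS server could negotiate on.
        return {"kind": "not_tls_record", "first_bytes": data[:5].hex()}
    record_version, rec_len = struct.unpack(">HH", data[1:5])
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        return {"kind": "not_client_hello", "record_version": record_version}
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                  # skip the 32-byte random
    pos += 1 + body[pos]                          # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    supported_versions = None                     # absent on pre-TLS 1.3 clients
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported_versions = [struct.unpack(">H", edata[i:i + 2])[0]
                                      for i in range(1, 1 + edata[0], 2)]
    return {"kind": "client_hello", "record_version": record_version,
            "legacy_version": legacy_version, "cipher_suites": suites,
            "supported_versions": supported_versions}


def highest_offered_version(info):
    """Newest version the client accepts; supported_versions wins over the legacy field."""
    if info["kind"] != "client_hello":
        return None
    return max(info["supported_versions"] or [info["legacy_version"]])


def usable_suites(info):
    """Offered suites a FIPS-mode TLS 1.2 server (per the allowlist above) could select."""
    return [FIPS_OK_SUITES[s] for s in info.get("cipher_suites", []) if s in FIPS_OK_SUITES]


def tls12_fips_capable(info):
    """True only if the client offers TLS 1.2 or newer AND at least one allowlisted suite."""
    top = highest_offered_version(info)
    return top is not None and top >= 0x0303 and bool(usable_suites(info))


# Constructed samples standing in for the first EAP-TLS payload from different supplicants.
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0x009C, 0x002F],
                                  supported_versions=[0x0304, 0x0303])
TLS10_AES_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A])   # AES, but TLS 1.0 only
SSLV3_RC4_HELLO = build_client_hello(0x0300, [0x0005, 0x000A, 0x0004], record_version=0x0300)
NOT_TLS = bytes.fromhex("802e010002001500000010")                      # SSLv2-format hello header

if __name__ == "__main__":
    for name, raw in [("modern", MODERN_HELLO), ("tls1.0-aes", TLS10_AES_HELLO),
                      ("sslv3-rc4", SSLV3_RC4_HELLO), ("not-tls", NOT_TLS)]:
        info = parse_client_hello(raw)
        top = highest_offered_version(info)
        print(f"{name:11s} kind={info['kind']:15s} highest={VERSION_NAMES.get(top, top)!s:8s} "
              f"tls12+fips={tls12_fips_capable(info)} suites={usable_suites(info)}")
```

The tls1.0-aes sample is the case worth recognising in a capture: the cipher suites look fine, so a quick glance at the Client Hello makes it "the same as other devices", yet the version field tops out at 0x0301, which is exactly what disabling TLS 1.0/1.1 in Cluster-Wide Parameters refuses. Compare the highest offered version against the server's minimum first, and only then look at the suites.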
Original Message:
Sent: Aug 09, 2022 11:49 PM
From: BERNHARD HUSTOMO
Subject: Zoll Medical AED Device TLS 1.2 Handshake
Hmm...
That still does not answer who is not up to the TLS 1.2 standard, right? ClearPass or Zoll.
There should be at least one indicator/parameter in the packet capture that we can look at to conclude "oh, this device does not support TLS 1.2" or the like.
This is what I am actually asking: what is the value that we should look for in the pcap?
Does anyone have any idea?
Original Message:
Sent: Aug 09, 2022 02:29 PM
From: Unknown User
Subject: Zoll Medical AED Device TLS 1.2 Handshake
That error is indeed indicative of a TLS mismatch. Is the firmware updated on the Zoll device? Is the Zoll device configured for TLS 1.2? This really isn't a ClearPass problem but an endpoint problem.
Original Message:
Sent: Aug 09, 2022 01:08 PM
From: BERNHARD HUSTOMO
Subject: Zoll Medical AED Device TLS 1.2 Handshake
Hi All,
Has anyone had issues with the Zoll AED 3 device authenticating against ClearPass?
Currently my settings disable support for TLS 1.0 and TLS 1.1 under Cluster-Wide Parameters.
My ClearPass also has FIPS enabled.
When the AED 3 device wants to authenticate, it straight away gives "handshake error unknown protocol" under Alerts in Access Tracker.
When I capture and read it using Wireshark, the Client Hello from the device is the same as from other devices. But why can't it authenticate, and why does ClearPass seem not to recognize the incoming packet from the AED 3 device?
Zoll's principal has also already stated that the device supports TLS 1.2.
What could be wrong with it? Any idea? What should I really check in the pcap to see if the device really 'complies' with what ClearPass expects?
Alerts error message:
RADIUS TLS Handshake failed in SSL_read with error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
eap-tls: Error in establishing TLS session
Case opened: 5366264084
The TAC is really irritating nowadays; I have already attached all the pcap files in the case portal, but they never checked them and keep asking me what the issues are. You should really improve the SOP, bruh...!!