What does the error code 215 on ClearPass mean ? And its possible solution.

For one of our customer, we are implementing 802.1X solution for wired and wireless clients, for windows, domain joined devices.

WLAN : Cisco WLC

RADIUS cert : Signed by public CA.

802.1X configuration on client : Through GPO

 

During implementation we came across a TLS session error as shown below:

All the client got rejected on the ClearPass with the error code 215. On the access tracker > alerts we saw below information:

Alerts –

Error Code: 215

Error Category: Authentication failure

Error Message: TLS session error

Alerts for this Request –

RADIUS: EAP-PEAP:fatal alert by client – access_denied\nTLS session reuse error

Observation:

1.  Authentication was successful  Before GPO update on client.

2.  Authentication failure  – After GPO update on client

We took a packet capture on client before GPO push and after GPO pushes.

+++ We took .ETL file on client for EAP analysis.

Below capture taken after GPO push. It is trying to change Cipher spec on secure socket layer.

PCAP taken before pushing the GPO. Client is able to authenticate successfully.

From our lab testing we found, this happens only when client is selected with  Notification before connect is set to ask users to authorize new servers or trusted root Trusted certificate authority was not selected on Client.

PEAP configuration includes an option that prevents the user from being prompted for certificate validation. This is the Do not prompt user to authorize new servers or trusted root certification authorities option. By default, this option is disabled. If you enable this option, the user is not presented with the UI that may be difficult for the user to understand. Therefore, the user cannot select an unapproved root certification authority.

To overcome this problem:

We have to select trusted root certificate authorities on all the clients.

Since our servers RADIUS certificates are signed by public CA. We need to select same root certificate authorities on all the clients (We could push this configuration through GPO).

OR

Select  user if the servers identity can’t be verified.

 

 

Hope this helpful ! Cheer !

Prashant Harnal

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Posts

Wireless Survey

Table of contents: The document covers what is a wireless survey, why wireless survey, the

Get smarter about how networks can offer amazing experiences for your customers and your business.

Contact Us

Airowire Networks PVT LTD
530 Lawrence Expressway
Sunnyvale, California 94085

Services
Social Media Links

Airowire Networks PVT LTD
L-29, 3rd Floor, 2nd A Main,
HSR Layout Sector 6,
Bengaluru – 560102
080 6837 1900

Get smarter about how networks can offer amazing experiences for your customers and your business.

Contact Us

Global Offices

Branch Offices

Global Offices

US

530 Lawrence Expressway
Sunnyvale, California
94085

Singapore

Airowire Networks PTE LTD
160 Robinson Road #14-04
Spore Business Federation CTR Singapore 68914

Branch Offices

Hyderabad

Ikeva Workspace
8-2-624/A/1, Level 1, [email protected],
MB Towers, Road No. 10,
Banjara Hills – 500034

Mumbai

A12 Marol Mayur CHSL,
Military Road Marol,
Andheri East – 400059

Airowire Networks 2023. © All Rights Reserved Made with 💛 by The Web People

Contact Us
Contact Us
Scroll to Top