For one of our customers we are implementing an 802.1X solution for wired and wireless clients: Windows, domain-joined devices.

WLAN : Cisco WLC

RADIUS server certificate : signed by a public CA.

802.1X configuration on clients : pushed through GPO


During the implementation we came across a TLS session error, shown below:

All clients were rejected by ClearPass with error code 215. Under Access Tracker > Alerts we saw the following:

Alerts –

Error Code: 215

Error Category: Authentication failure

Error Message: TLS session error

Alerts for this Request –

RADIUS: EAP-PEAP: fatal alert by client – access_denied
TLS session reuse error

Observations:

1.  Authentication was successful before the GPO update on the client.

2.  Authentication failed after the GPO update on the client.

We took packet captures on the client before and after the GPO push.

We also collected an .ETL trace on the client for EAP analysis.

The capture below was taken after the GPO push. It shows a Change Cipher Spec in the TLS exchange, after which the authentication fails.

The PCAP below was taken before pushing the GPO; the client authenticates successfully.

From our lab testing we found that this happens only when the client's PEAP "Notifications before connecting" setting is left at asking the user to authorize new servers or trusted root CAs, and no Trusted Root Certification Authority is selected on the client. A profile pushed by GPO authenticates without a user being able to answer that prompt, so the client cannot accept the unknown root and rejects the server; that is consistent with the fatal access_denied alert from the client that ClearPass logged.

The PEAP configuration includes an option that prevents the user from being prompted for certificate validation: "Do not prompt user to authorize new servers or trusted root certification authorities". By default this option is disabled. If you enable it, the user is not shown the prompt, which may be difficult for the user to understand, and therefore cannot select an unapproved root certification authority. With the option enabled, the RADIUS server's certificate must chain to one of the roots selected under Trusted Root Certification Authorities in the profile, or the client rejects the server.

To overcome this problem, either:

Select the Trusted Root Certification Authorities on all the clients.

Since our RADIUS server certificates are signed by a public CA, we need to select that CA's root certificate on all the clients (this can be pushed through the same GPO). Because any server certificate issued by that public CA would then chain to the selected root, also fill in "Connect to these servers" with the RADIUS server name so that only our RADIUS servers are accepted.

OR

Select "Tell user if the server's identity can't be verified".

Of the two, the first is the one to prefer: it keeps the trust decision in the profile rather than with the end user at connect time.


Hope this is helpful! Cheers!

Prashant Harnal