In the process of installing ClearPass 6.11 with customers, Aranya has encountered a problem that occurs on certain computers when a specific set of conditions is met. The problem means that the affected computers cannot authenticate to the network. Below is a description of the problem and the different ways it can be overcome.

Background

ClearPass 6.11 is based on a new underlying operating system, Red Hat Enterprise Linux (RHEL), and therefore requires a reinstallation of the server if it is physical, or a new server if it is virtual.

RHEL was chosen because the previous CentOS version was approaching end of life and would have had to be replaced with a new OS anyway. With RHEL, Aruba is better able to build a secure platform. ClearPass 6.11 also introduces a number of new features, one of which is support for the signature algorithm PSS RSA. This algorithm has been available in Windows for some time but was not used, because ClearPass did not support it.

Now that ClearPass supports PSS RSA, the client will choose that algorithm. However, it has turned out that a number of, mainly older, computers have a TPM chip whose firmware version contains a bug that prevents the signing from working properly.

Problems occur when the following factors are met:
– Computer with Windows 10 & 11
– Certificate in TPM chip
– TPM 2.0
– TPM Sub version 1.16
– ClearPass 6.11

Technical description of the problem and error symptoms

During the EAP phase of authentication, the client and ClearPass negotiate which signature algorithm to use and agree on PSS RSA as the best algorithm they have in common. If the certificate is stored in the TPM chip and the TPM sub version is 1.16, a bug in that firmware version causes the hash that is produced to contain only zeros instead of the correct hash.

The TPM sub version can be updated on some computers, but for others no newer version exists for the specific TPM chip, so they cannot be updated to solve the problem. In those cases the computers either need to be replaced or the algorithm has to be deactivated.

The problem is described in the release notes for ClearPass 6.11 as a known bug with reference number CP-49353.

Symptom

From ClearPass, the most obvious symptom is that some clients cannot authenticate, and the Access Tracker shows the following error message:

Error Code:215
Error Category:Authentication failure
Error Message:TLS session error
Alerts for this Request RADIUS EAP-TLS: fatal alert by server – decrypt_error
TLS Handshake failed in SSL_read with error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
eap-tls: Error in establishing TLS session

Screenshot of the ClearPass Access Tracker showing the error message above.

On the client, the symptom is that it fails to authenticate to the network and is thus cut off from all communication.

Workaround

From the ClearPass side, nothing can be done about the problem at the moment, since it is a client-side issue. However, a feature request has been sent to Aruba for a setting in the administrative interface that makes it possible to disable PSS RSA, and Aruba has replied that they are looking into the possibilities.

For the client computers affected by this problem, the first option is to update the TPM sub version to one higher than 1.16, if such a version is available for the specific computer model.

If no update is available for the computer model in question, PSS RSA needs to be disabled on the client side instead. This is most easily done with a GPO if the computer is domain-joined; otherwise the settings have to be distributed by other means.

Since an affected client will have no network access at all, the fix should be applied before ClearPass 6.11 starts handling authentication.

If the problem is only discovered afterwards, the changes can also be made manually or by script, using an account with local admin privileges.

Disable PSS RSA in Windows

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Delete the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512
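The following PowerShell script is an added example, not part of the original article and not code from Aruba or Aranya. It covers both the list of conditions above and the registry change just described: it reports the TPM version and the current Schannel signature-algorithm list, flags a client whose TPM 2.0 reports spec revision 1.16 (the "sub version" the article refers to), and, only when run with -Apply, removes the three RSAE-PSS entries after exporting the key as a backup. Two things are assumptions rather than statements from the article: that the entries live in the REG_MULTI_SZ value named Functions under the key shown above (where Windows keeps its Schannel signature-algorithm list), and that Win32_Tpm.SpecVersion has the form "2.0, 0, 1.16", with the revision in the third field. Whether the client certificate is actually stored in the TPM is not checked.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the original article or from Aruba).
  Reports TPM version/revision and the Schannel signature-algorithm list on a
  Windows 10/11 client, and with -Apply removes the RSAE-PSS entries.
  ASSUMPTIONS: the entries live in the REG_MULTI_SZ value "Functions" under the
  key named in the article; Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16".
#>
param([switch]$Apply)

$SchannelSigAlgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$PssEntries = @('RSAE-PSS/SHA256', 'RSAE-PSS/SHA384', 'RSAE-PSS/SHA512')

function Get-TpmSpecInfo {
    # Returns Version/Revision/Firmware for the TPM, or $null if none is reported.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm -or -not $tpm.SpecVersion) { return $null }
    $parts = $tpm.SpecVersion -split ',\s*'
    [pscustomobject]@{
        Version  = $parts[0]
        Revision = if ($parts.Count -ge 3) { $parts[2] } else { '' }
        Firmware = $tpm.ManufacturerVersion
    }
}

function Test-AffectedTpm {
    # True for TPM 2.0 at spec revision 1.16, the combination described in the article.
    # Whether the client certificate actually lives in the TPM is not checked here.
    $spec = Get-TpmSpecInfo
    return [bool]($spec -and $spec.Version -eq '2.0' -and $spec.Revision -eq '1.16')
}

function Get-SchannelSignatureAlgorithms {
    # Current contents of the Functions value (assumed location of the RSAE-PSS entries).
    @((Get-ItemProperty -Path $SchannelSigAlgKey -Name Functions -ErrorAction Stop).Functions)
}

function Remove-RsaPssSignatureAlgorithms {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current  = Get-SchannelSignatureAlgorithms
    $filtered = @($current | Where-Object { $PssEntries -notcontains $_ })
    $removed  = $current.Count - $filtered.Count
    if ($removed -eq 0) {
        Write-Host 'No RSAE-PSS entries present; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess($SchannelSigAlgKey, "Remove $removed RSAE-PSS entries from Functions")) {
        # Export the key first so the change can be reverted with 'reg import'.
        $backup = Join-Path $env:TEMP 'ssl-00010003-backup.reg'
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003' $backup /y | Out-Null
        Set-ItemProperty -Path $SchannelSigAlgKey -Name Functions -Value $filtered -Type MultiString
        Write-Host "Removed $removed entries (backup written to $backup). A reboot is typically needed before Schannel uses the new list."
    }
}

# --- Report, then change only when -Apply is given ---------------------------
$spec = Get-TpmSpecInfo
if ($spec) { 'TPM {0} revision {1} (firmware {2})' -f $spec.Version, $spec.Revision, $spec.Firmware } else { 'No TPM reported by Win32_Tpm' }
'Schannel signature algorithms:'
Get-SchannelSignatureAlgorithms | ForEach-Object { "  $_" }

if (Test-AffectedTpm) {
    Write-Warning 'TPM 2.0 revision 1.16: this client matches the conditions for CP-49353.'
    if ($Apply) { Remove-RsaPssSignatureAlgorithms } else { Remove-RsaPssSignatureAlgorithms -WhatIf }
} else {
    'TPM revision is not 1.16; no change needed for this issue.'
}
```

Run it from an elevated PowerShell prompt. Without -Apply it only reports and shows, via -WhatIf, what would be removed, which is useful for inventorying which machines in a fleet are affected before the ClearPass 6.11 cutover; with -Apply it performs the same deletion the manual registry steps above describe, and the exported .reg file makes the change easy to undo once the TPM firmware has been updated.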

Screenshot of the Registry Editor showing the key to be modified.