In the process of installing ClearPass 6.11 with customers, Aranya has encountered a problem that occurs for some specific computers when certain conditions are met. The problem means that the computers cannot authenticate to the network. Below is a description of the problem and how it can be overcome in different ways.
Background
ClearPass 6.11 is based on a new underlying operating system, RedHat Enterprise Linux (RHEL), and therefore requires a reinstallation of the server if it is a physical server or a new server if it is virtual.
RHEL was chosen because the previous CentOS version was approaching end of life and would have had to be replaced anyway with a new OS. With RHEL, Aruba is better able to build a secure platform. ClearPass 6.11 introduces a number of new features, one of which is support for a cryptographic signature algorithm called PSS RSA. This algorithm has been available in Windows for some time but has not been used because ClearPass did not support it.
Now that ClearPass supports PSS RSA, the computer will choose that algorithm. However, it has been found that a number of, mainly older, computers have a TPM chip whose firmware version contains a bug that breaks the signing.
Problems occur when the following factors are met:
– Computer with Windows 10 & 11
– Certificate in TPM chip
– TPM 2.0
– TPM Sub version 1.16
– ClearPass 6.11
Technical description of the problem and error symptoms
During the EAP phase of authentication, the client and ClearPass negotiate which algorithm to use and agree that PSS RSA is the best common algorithm. If the certificate is stored in the TPM chip and the TPM sub version is 1.16, a bug in that firmware version causes the hash created to contain only zeros instead of the correct hash.
The TPM sub version can be updated on some computers, but some lack newer versions for the specific TPM chip. These computers cannot be updated to solve the problem. In these cases, the computers either need to be replaced or the algorithm deactivated.
The problem is described in the release notes for ClearPass 6.11 as a known bug with reference number CP-49353.
Symptom
From ClearPass, the most obvious symptom is that some clients cannot authenticate and the error message is this in the Access Tracker:
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request: RADIUS EAP-TLS: fatal alert by server – decrypt_error TLS Handshake failed in SSL_read with error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid eap-tls: Error in establishing TLS session
On the client, the symptom is that it fails to authenticate to the network and is thus cut off from all communication.
Workaround
From ClearPass, nothing can be done about the problem at the moment as it is a client-related issue. However, a feature request has been sent to Aruba to get a possibility to disable PSS RSA with a setting in the administrative interface and Aruba has replied that they are looking into the possibilities.
For the client computers affected by this problem, the first option is to update the TPM sub version to a version higher than 1.16, if one is available for the specific computer model.
If it is not available for the current computer model, PSS RSA needs to be disabled on the client side. This is most easily done with a GPO if it is a domain-connected computer. Alternatively, the settings are distributed by other means.
Since the client will not be able to access the web if it is affected by this bug, the fix should be applied before ClearPass 6.11 takes over authentication.
If the problem is only discovered later, the changes can also be made manually or by script with a user with local admin privileges.
Disable PSS RSA in Windows
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003
Delete the following values:
RSAE-PSS/SHA256
RSAE-PSS/SHA384
RSAE-PSS/SHA512
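The manual registry change above, as an added PowerShell example that is not part of the original article and not Aruba or ClearPass tooling. It first checks whether the client matches the affected profile (TPM 2.0 at sub version 1.16) and then removes the three RSAE-PSS entries, keeping a backup so the change can be reverted once TPM firmware is updated. It assumes the entries live in the REG_MULTI_SZ value named "Functions" under the key quoted above, and that Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16".

```powershell
# Added example (not from the article). Run in an elevated PowerShell; reboot afterwards.
# Assumptions: signature algorithms are stored in the "Functions" multi-string value
# under the key quoted in the article, and Win32_Tpm.SpecVersion is "major, errata, revision".

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$ValueName = 'Functions'                      # assumed value name
$ToRemove  = @('RSAE-PSS/SHA256', 'RSAE-PSS/SHA384', 'RSAE-PSS/SHA512')

function Test-AffectedTpm {
    # Returns $true when the TPM reports spec 2.0 with sub version (revision) 1.16.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' -ClassName Win32_Tpm
    if (-not $tpm) { Write-Warning 'No TPM found; the certificate cannot be TPM-backed.'; return $false }
    $parts = $tpm.SpecVersion -split ',\s*'   # e.g. "2.0, 0, 1.16" -> 2.0 / 0 / 1.16
    Write-Host "TPM spec version: $($tpm.SpecVersion)"
    return ($parts[0] -eq '2.0' -and $parts[-1] -eq '1.16')
}

function Remove-RsaPssSignatureAlgorithms {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $current = [string[]](Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    $present = @($current | Where-Object { $ToRemove -contains $_ })
    if ($present.Count -eq 0) { Write-Host 'No RSAE-PSS entries present; nothing to do.'; return }

    # Keep a copy of the original list so the change can be reverted after a TPM firmware update.
    $backup = Join-Path $env:ProgramData ('schannel-00010003-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    $current | Set-Content -Path $backup -Encoding Unicode
    Write-Host "Backed up $($current.Count) entries to $backup"

    # Everything except the RSAE-PSS entries stays; Schannel then negotiates a non-PSS RSA scheme.
    $remaining = [string[]]@($current | Where-Object { $ToRemove -notcontains $_ })
    if ($PSCmdlet.ShouldProcess($KeyPath, "Remove $($present -join ', ')")) {
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $remaining -Type MultiString
        Write-Host "Removed $($present -join ', '); reboot for Schannel to apply the change."
    }
}

if (Test-AffectedTpm) {
    Remove-RsaPssSignatureAlgorithms -WhatIf   # drop -WhatIf to apply the change
} else {
    Write-Host 'TPM does not match the affected profile; no registry change needed.'
}
```

For domain-joined machines the same value can be pushed through the GPO mentioned above; this script is for the manual or scripted fallback when the client is already cut off.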