
After Upgrading to 7.0.x NAC, 802.1x No Longer Works For Some End Systems Due to Certificate Cipher Strength


Information

 
Symptoms
  • 802.1x no longer works for some End Systems after upgrade to NAC 7.0.x
  • Error logged like this one in NAC End System Events:

eap_peap: TLS Alert write:fatal:handshake failure
eap_peap: SSL says: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
eap_peap: SSL_read failed in a system call (-1), TLS session failed
eap_peap: TLS receive handshake failed during operation
eap_peap: = fail
eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
Environment
NAC 7.x or higher
Cause
7.0.x NAC versions have been upgraded to FreeRADIUS version 3.0.11 from the prior FreeRADIUS version 2.2.7.
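As part of that change, several weak ciphers (RC4 and some others from the LOW/MEDIUM OpenSSL suites) were deactivated. End systems whose supplicants offer only those ciphers can no longer agree on a cipher with the RADIUS server, so the TLS handshake fails with "no shared cipher".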
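To confirm that a failing end system is hitting this cipher mismatch and not some other TLS problem, the OpenSSL error code in the event text can be decoded and the affected end systems listed. The following Python sketch is an added example, not part of the original article or the NAC product; the function names, the (MAC, event text) input shape and the sample events are assumptions constructed for illustration.

```python
import re

# OpenSSL 1.0.x-style packed error: library (8 bits) | function (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20               # 0x14
SSL_R_NO_SHARED_CIPHER = 193   # 0x0C1
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Split a packed error such as '1408A0C1' into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify_event(event_text):
    """Return 'no_shared_cipher', 'other_tls_error' or 'no_openssl_error'."""
    match = ERR_RE.search(event_text)
    if match is None:
        return "no_openssl_error"
    library, _function, reason = decode_openssl_error(match.group(1))
    if library == ERR_LIB_SSL and reason == SSL_R_NO_SHARED_CIPHER:
        return "no_shared_cipher"
    return "other_tls_error"


def affected_end_systems(events):
    """events: iterable of (mac, event_text) pairs; returns MACs hit by the cipher mismatch."""
    return sorted({mac for mac, text in events
                   if classify_event(text) == "no_shared_cipher"})


# Constructed sample events: MAC addresses are made up; the first message is the
# error from this article, the second is a different OpenSSL failure for contrast.
SAMPLE_EVENTS = [
    ("00:00:5E:00:53:01", "eap_peap: SSL says: error:1408A0C1:SSL routines:"
                          "SSL3_GET_CLIENT_HELLO:no shared cipher"),
    ("00:00:5E:00:53:02", "eap_peap: SSL says: error:14094418:SSL routines:"
                          "SSL3_READ_BYTES:tlsv1 alert unknown ca"),
    ("00:00:5E:00:53:03", "eap: Failed continuing EAP PEAP (25) session. "
                          "EAP sub-module failed"),
]

if __name__ == "__main__":
    for mac in affected_end_systems(SAMPLE_EVENTS):
        print(mac, "offers no cipher the upgraded RADIUS server accepts")
```

The resulting list shows which end systems depend on the deactivated ciphers, which helps scope how many supplicants are affected by the change.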

 
Resolution
Apply these two Appliance Properties to the NAC appliance:

RADIUS_TLS_REMOVE_RC4_CIPHERS=false
RADIUS_TLS_CIPHER_LIST=DEFAULT
 
Additional notes
To add an Appliance Property, right-click the NAC appliance in NAC Manager and select "Appliance Properties".

Add a new entry: RADIUS_TLS_REMOVE_RC4_CIPHERS as the Name and false as the Value. 
Add another entry: RADIUS_TLS_CIPHER_LIST as the Name and DEFAULT as the Value. 

Save and Enforce. 
Re-test. 


***Note that these Appliance Properties are case sensitive and need to be entered exactly as shown below***

RADIUS_TLS_REMOVE_RC4_CIPHERS=false
RADIUS_TLS_CIPHER_LIST=DEFAULT

 
