05-12-2022 01:01 AM
Hi!
We recently set up a new deployment with ISE 3.1 Patch 3. Our old setup is still up and running with ISE 2.7.
We took the backup from the 2.7 deployment and deployed it into the 3.1 setup. Everything seemed fine at first glance.
The plan was to switch over to the new deployment, but we experienced some problems when we did some testing with clients.
Using EAP-TLS
Windows 10 20H2 and some older 1909.
We have checked that the whole certificate chain is in the ISE.
Tried to upgrade to the latest BIOS versions on the laptops in case this has anything to do with the TPM chip, as you can read the following in the release notes for the 3.1 release.
"EAP-TLS Authentication Might Fail for Certificates Using TPM Module
In Cisco ISE Release 3.1, EAP-TLS authentication might fail for certificates using TPM module on Windows 10. This is an issue with the TPM module and not with Cisco ISE."
We're using EAP-TLS and getting problems when the user is authenticating. Machine authentication is working as expected, but when the user is logging into the computer we get the "12508 EAP-TLS handshake failed" and an SSL error message (see screenshot).
So far we have not seen the problem on the Windows 1909 version, but all later versions seem to be affected.
We found this link on the Microsoft forums and tried the registry fix, and this solved the user auth as well.
We don't have any problems on our 2.7 deployment with these kinds of issues, so we suspect that something has changed in the ISE 3.1 version.
Any ideas what has changed in ISE 3.1 and is there any way to fix it or is this a "client" problem?
05-18-2022 04:06 AM
Opened a TAC case and it seems that 3.1 is using a different SSL library/version. In patch 4, which should arrive in October, you're able to choose the different ciphers ISE will use to negotiate with the client, so you can disable the RSA PSS which causes these problems.
05-15-2022 07:15 PM
Hi @the_wizard ,
please take a look at Windows 10 TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS making trouble.
Note: also please take a look at: CSCwb19635 ISE 3.1 EAP-TLS authentications might fail with certificates installed in TPM module.
Hope this helps !!!
05-16-2022 01:13 AM
Hi,
This is helpful, thank you, this looks like the problem we are having as well.
The only thing that has changed is the ISE version, so do you know if ISE handles this handshake with 256 0's differently? Has the openSSL version been updated between 3.0 and 3.1?
05-16-2022 04:24 AM
Hi @RhysCrane2388 ,
not only does it look like a 3.1-specific issue in the ISE 3.1 Release Notes, but also in the CSCwb19635 Conditions description: "... ISE 3.1+ ...".
Please take a closer look at: Windows 10 TPM 2.0 Client Authentication in TLS 1.2 with RSA PSS making trouble.
" ... By disabling RSA PSS on the Client, the Client uses another cipher to sign the packet and then it works. ... "
" ...Keep in mind that this is only a workaround and should not be used as a final solution. We are actually still working with Microsoft on a solution. It's still not 100% clear if it's the TPM that is making the issue or if it is the OS. ... "
Maybe versions of ISE earlier than 3.1 handle RSA PSS differently than ISE 3.1.
Note: I don't know if the openSSL version has been updated. I'll take a look at that.
Regards
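The posts above come down to which signature scheme the Windows client picks for the TLS 1.2 CertificateVerify message: if the server's CertificateRequest offers RSA-PSS and the client's TPM-backed key is asked to sign with it, the handshake fails (12508 on ISE), whereas disabling RSA-PSS on the client, or restricting the schemes ISE offers, steers both sides to RSA PKCS#1. Since EAP-TLS carries ordinary TLS records inside EAP, you can confirm which case you are in from a packet capture by decoding the signature_algorithms list in the server's CertificateRequest and the client's ClientHello extension. The following Python decoder is an added example, not code from this thread, Cisco or Microsoft; the CertificateRequest bodies and client lists are constructed samples, and the "first server-listed scheme the client also supports" selection rule is a modelling assumption, not any vendor's documented logic.

```python
import struct

# TLS SignatureScheme code points (IANA registry; RFC 5246 hash/signature
# pairs, RFC 8446 section 4.2.3 for the RSA-PSS values).
SIGNATURE_SCHEMES = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0601: "rsa_pkcs1_sha512",
    0x0603: "ecdsa_secp521r1_sha512",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256",
    0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
}


def is_rsa_pss(code):
    """True for any RSA-PSS scheme (rsae or pss variants)."""
    return 0x0804 <= code <= 0x0806 or 0x0809 <= code <= 0x080B


def parse_sig_alg_list(buf, offset=0):
    """Parse a TLS SignatureAndHashAlgorithm vector: uint16 byte length,
    then 2-byte entries. Same layout in the ClientHello signature_algorithms
    extension body and in CertificateRequest. Returns (codes, next offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated signature_algorithms length field")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length % 2 or offset + length > len(buf):
        raise ValueError("bad signature_algorithms length")
    codes = [struct.unpack_from("!H", buf, offset + i)[0] for i in range(0, length, 2)]
    return codes, offset + length


def parse_certificate_request(body):
    """Parse the body of a TLS 1.2 CertificateRequest (handshake type 13):
    certificate_types<1..255>, supported_signature_algorithms<2..65534>,
    certificate_authorities<0..65535>."""
    n_types = body[0]
    cert_types = list(body[1:1 + n_types])
    codes, off = parse_sig_alg_list(body, 1 + n_types)
    (ca_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if off + ca_len > len(body):
        raise ValueError("truncated certificate_authorities")
    return {"certificate_types": cert_types,
            "signature_algorithms": codes,
            "ca_bytes": ca_len}


def names(codes):
    return [SIGNATURE_SCHEMES.get(c, f"unknown(0x{c:04x})") for c in codes]


def diagnose(server_body, client_codes):
    """Decode a CertificateRequest and report which scheme a client advertising
    `client_codes` would sign CertificateVerify with. Selection model
    (assumption): the first server-listed scheme the client also supports."""
    req = parse_certificate_request(server_body)
    chosen = next((c for c in req["signature_algorithms"] if c in client_codes), None)
    return {
        "server_offers": names(req["signature_algorithms"]),
        "server_offers_rsa_pss": any(is_rsa_pss(c) for c in req["signature_algorithms"]),
        "chosen": SIGNATURE_SCHEMES.get(chosen) if chosen is not None else None,
        "uses_rsa_pss": chosen is not None and is_rsa_pss(chosen),
    }


def build_certificate_request(codes, cert_types=(1, 64)):
    """Build a CertificateRequest body for the constructed samples below
    (rsa_sign=1, ecdsa_sign=64; empty certificate_authorities)."""
    out = bytes([len(cert_types), *cert_types])
    out += struct.pack("!H", 2 * len(codes)) + b"".join(struct.pack("!H", c) for c in codes)
    out += struct.pack("!H", 0)
    return out


# Constructed samples (not captures from ISE or Windows).
PSS_CAPABLE_SERVER = build_certificate_request(
    [0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601, 0x0403, 0x0503])
PKCS1_ONLY_SERVER = build_certificate_request(
    [0x0401, 0x0501, 0x0601, 0x0403, 0x0503])
CLIENT_PSS_ENABLED = [0x0804, 0x0805, 0x0806, 0x0401, 0x0501, 0x0601, 0x0403, 0x0503]
CLIENT_PSS_DISABLED = [0x0401, 0x0501, 0x0601, 0x0403, 0x0503]

if __name__ == "__main__":
    for label, srv, cli in [("PSS server / PSS client", PSS_CAPABLE_SERVER, CLIENT_PSS_ENABLED),
                            ("PSS server / PSS disabled on client", PSS_CAPABLE_SERVER, CLIENT_PSS_DISABLED),
                            ("PKCS1-only server / PSS client", PKCS1_ONLY_SERVER, CLIENT_PSS_ENABLED)]:
        print(label, diagnose(srv, cli))
```

To use it on a real capture, extract the CertificateRequest handshake body (after the 4-byte handshake header) from the EAP-TLS server-side records and pass it as `server_body`; the client list comes from the ClientHello signature_algorithms extension, which `parse_sig_alg_list` decodes directly. A result with `uses_rsa_pss` true on a TPM-backed Windows client is the condition the thread describes, and either of the two fixes discussed (client-side RSA-PSS disabled, or a server that no longer offers it) shows up as a PKCS#1 choice.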