Issue with TLS v1.2, iOS 9 and Aruba Networks Products.

In case you haven’t heard, iOS 9 and OS X 10.11 introduce App Transport Security (ATS), which uses TLS v1.2. If you are going to have to support the new OSes, read on. Bottom line: you’ll probably be looking at some upgrades of your Aruba software.

Apple plans to make ATS mandatory for all apps going forward, and this will affect both 802.1X and SSL authentication.  The Apple developer site says “Certificates must use at least an SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256 bit or greater Elliptic-Curve (ECC) key”.
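
A quick way to check a server or RADIUS certificate against the requirement quoted above (an added example, not Aruba or Apple code): it reads the text that `openssl x509 -noout -text` prints and lists what falls short. The two sample excerpts are constructed, and the check covers only the certificate rule, not TLS v1.2 negotiation.

```python
import re
import sys

# Hash names that meet "at least SHA256" in the requirement quoted above.
STRONG_HASHES = ("sha256", "sha384", "sha512")
# Minimum key size in bits per key type, from the same requirement.
MIN_KEY_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 256}

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
LEGACY_RSA_CERT = """\
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""
MODERN_EC_CERT = """\
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
"""


def ats_cert_findings(x509_text):
    """List the ways a certificate's text dump falls short of the quoted rule."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    if not sig:
        findings.append("signature algorithm not found")
    elif not any(h in sig.group(1).lower() for h in STRONG_HASHES):
        # Unrecognised algorithms land here too, so they get a manual look.
        findings.append("signature hash not SHA-256 or stronger: " + sig.group(1))

    alg = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    # Older OpenSSL prints "RSA Public Key: (N bit)", newer "Public-Key: (N bit)".
    bits = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", x509_text)
    if not alg or not bits:
        findings.append("public key type or size not found")
    elif alg.group(1) not in MIN_KEY_BITS:
        findings.append("key type is neither RSA nor ECC: " + alg.group(1))
    elif int(bits.group(1)) < MIN_KEY_BITS[alg.group(1)]:
        findings.append("%s key too small: %s bits" % (alg.group(1), bits.group(1)))
    return findings


if __name__ == "__main__":
    # Usage: openssl x509 -in server.pem -noout -text | python3 this_script.py
    for finding in ats_cert_findings(sys.stdin.read()) or ["meets the quoted rule"]:
        print(finding)
```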

For Aruba customers, if you are using ClearPass for 802.1X authentication (includes OnBoard clients), TLS v1.2 is supported in 6.5.2 and later (6.5.2 fixes a TLS v1.2 bug in 6.5.1).

If you are doing EAP termination (EAP offload) on an Aruba controller (instead of passing the 802.1X directly through to a RADIUS server), you’ll need ArubaOS 6.4.2.9 or later (6.4.2.x is GA) or 6.4.3.3 or later (6.4.3.x is currently EA).  But if you are just passing the 802.1X through to a RADIUS server (the most common scenario), the controller shouldn’t care and so shouldn’t need the upgrade.

If you are doing EAP pass through to a non-Aruba RADIUS server (e.g. Microsoft NPS) for 802.1X, check with your RADIUS vendor for TLS v1.2 support.

By the way, if you are upgrading a ClearPass VM to 6.5, please look at the attached updated hardware requirements doc.  Also, the doc says you need 2 GE ports on your VM, but one will still work.

As I said earlier, this isn’t just an 802.1X issue because TLS is also used for “SSL” (https) connections. So this will have a pretty substantial impact across the internet because many apps and websites are running on older middleware servers that don’t use 2048-bit or greater “SSL” certs, and they don’t support TLS v1.2.

So just be aware that when your users migrate to iOS 9 or OS X 10.11, it will likely get pretty ugly for a short period of time as the web developers race to catch up.

UPDATE 08-28-2015:

A fellow Twitterer wanted us to clarify that the issue is not with TLS v1.2 "intolerance", or even support, but with the implementation of a broken version of FreeRADIUS, 2.2.6, which is included in ClearPass. Support for TLS v1.2 was pre-existing, and it was the updated FreeRADIUS implementation that was causing the issues.