• After upgrading to Extreme Control 23.07 or above various 802.1x clients are failing to authenticate.
• 802.1x clients using certificates (PEAP, EAP-TLS, EAP-TTLS) are impacted.
• SHA1 certificate(s) or Control's original SHA1 self-signed untrusted default certificate are used.
• The radiusd service on Extreme Control does not start.
• Clients are being rejected and the following radius.log event is logged:

2023-08-15 23:19:49,882: Error: tls: (TLS) Failed reading certificate file "/opt/nac/radius/raddb/certs/selfsigned_server.pem": error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

• Extreme Control (NAC)
  • Software Release 23.07.10 and above.
• 802.1x
• SHA1

Extreme Control has removed support for SHA1-signed certificates by default starting with software release 23.07.10 and above.

The above failure is due to Extreme Control having one or more SHA1 signed certificates in the RADIUS or AAA Trusted Certificates configuration that are no longer supported.

An update to OpenSSL 1.1.1f has removed support for any SHA1 signed certificates which are now considered obsolete and insecure. As a result any server or client certificate using a SHA1 certificate will be rejected by OpenSSL..

OpenSSL has implemented a SECLEVEL security feature which default to SECLEVEL=2. For more information SECLEVEL please see Ubuntu OpenSSL / OpenSSL for additional details.

Extreme strongly recommends updating and replacing certificates used on Extreme Control for SHA256 or higher. Deprecation and discontinued use of SHA1 is an industry-wide progression which Extreme is now implementing.

The following workaround can be applied to re-enable SHA1 support in Extreme Control. Extreme does not recommend wide-spread use of or reliance of this workaround. It is provided and available as a temporary solution assuming a migration from SHA1 to SHA256 (or above) is underway.

Please note that the workaround must be applied on each individual Access Control Engine . After the workaround is applied, restart or re-enforce each Access Control Engine to effect the change.

1. Log into Control via SSH.

cd /etc/ssl cp openssl.cnf openssl.cnf.original

2. Add the following entries to the openssl.cnf file.

• Add the bold-highlighted line under the HOME / RANDFILE statements as shown:

# This definition stops the following lines choking if HOME isn't # defined. HOME = . RANDFILE = $ENV::HOME/.rnd openssl_conf = default_conf

• Add the following text to the bottom of the file as shown:

[ default_conf ] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1.1 CipherString = DEFAULT:@SECLEVEL=1