5.2.3.3.1.10. TPM 2.0 signature issue

Windows clients that use a TPM 2.0 module to produce the signature for authentication with the RSA-PSS algorithms fail to authenticate: the TPM 2.0 module leaves the signature empty, so when the request reaches the RADIUS server the signature cannot be verified and authentication is impossible.

We get the following RADIUS error:

TLS Alert write:fatal:decrypt error

On the authentication server we can apply a crypto policy that prevents Windows clients from negotiating these signature algorithms.

To apply it:

  1. Copy the crypto policy file to the system policies directory:

     cp -ipr /usr/share/opennac/utils/crypto-policies/OPENNAC.pol /usr/share/crypto-policies/policies/OPENNAC.pol

  2. Activate the policy:

     update-crypto-policies --set OPENNAC

  3. Restart the RADIUS service:

     systemctl restart radiusd

Warning

This patch can cause problems during the upgrade of the nodes where it is applied. If that happens, switch from the OPENNAC crypto policy back to DEFAULT before upgrading, and restore the OPENNAC policy once the upgrade has finished.
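The three steps above and the DEFAULT/OPENNAC switch around an upgrade, as an added example script that is not part of the openNAC documentation or product. It verifies with `update-crypto-policies --show` that each switch actually took effect before restarting radiusd; the UCP and SYSTEMCTL variables are an assumption added only so the functions can be exercised with stub commands.

```shell
#!/bin/sh
# Apply the OPENNAC crypto policy, or move between DEFAULT and OPENNAC
# around a node upgrade, checking that every step took effect.
# Paths and policy names are the ones from the procedure above; UCP and
# SYSTEMCTL are overridable only for testing with stubs (assumption).
set -eu

POLICY_SRC=${POLICY_SRC:-/usr/share/opennac/utils/crypto-policies/OPENNAC.pol}
POLICY_DIR=${POLICY_DIR:-/usr/share/crypto-policies/policies}
UCP=${UCP:-update-crypto-policies}
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# Print the name of the active system-wide crypto policy (DEFAULT, OPENNAC, ...).
current_policy() {
    "$UCP" --show
}

# Copy OPENNAC.pol into the policies directory unless it is already there.
# Fails (return 1) when the source file is missing, so we never go on to
# activate a policy that does not exist.
install_policy_file() {
    [ -f "$POLICY_SRC" ] || { echo "missing $POLICY_SRC" >&2; return 1; }
    [ -f "$POLICY_DIR/OPENNAC.pol" ] || cp -p "$POLICY_SRC" "$POLICY_DIR/OPENNAC.pol"
}

# Switch to policy $1, confirm with --show that the switch really happened,
# and only then restart radiusd so it reloads its TLS settings.
switch_policy() {
    want=$1
    "$UCP" --set "$want"
    if [ "$(current_policy)" != "$want" ]; then
        echo "policy switch to $want did not take effect" >&2
        return 1
    fi
    "$SYSTEMCTL" restart radiusd
}

case "${1:-}" in
    apply)        install_policy_file && switch_policy OPENNAC ;;
    pre-upgrade)  switch_policy DEFAULT ;;   # before updating the node
    post-upgrade) switch_policy OPENNAC ;;   # after the update has finished
    "")           ;;                         # sourced: functions only
    *) echo "usage: $0 apply|pre-upgrade|post-upgrade" >&2; exit 2 ;;
esac
```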