ClearPass, HPE Aruba, Security

ClearPass 6.12 EAP-TLS Authentication Issues – “No Suitable Signature Algorithm”

René Jorissen on February 11, 2026 1 Comment • Tags: #611 #612 #clearpass #eap-tls #nosuitablesignaturealgorithm #rsa-pss

After upgrading a ClearPass cluster from 6.11.11 to 6.12, multiple customers ran into an issue where a significant number of clients could no longer authenticate using EAP-TLS.

The environment:

  • Certificates distributed via Microsoft Intune
  • WiFi profiles also deployed through Intune
  • Clients previously authenticated without issues against ClearPass 6.11.11

Immediately after the upgrade to 6.12, authentication failures started appearing in the Access Tracker with the following error:

Error code 215  
EAP-TLS: fatal alert by server - handshake_failure no suitable signature algorithm

First Thoughts: RSA-PSS

There are several posts online pointing toward RSA-PSS as the root cause. ClearPass 6.12 introduces changes in TLS handling, and the commonly suggested fix is:

Disable the TLS feature “Disable RSA-PSS Signature Suite in EAP-TLS”
(RADIUS Service Parameters → per ClearPass server)

So I did exactly that — set it to TRUE.

Unfortunately, this made things worse. After disabling RSA-PSS, none of the clients were able to authenticate anymore.

Time to dig deeper.

What Changed in 6.12? TLS 1.3.

Comparing authentication attempts between the old and new ClearPass servers revealed something important:

  • ClearPass 6.11 → EAP using TLS 1.2
  • ClearPass 6.12 → EAP using TLS 1.3

Starting with ClearPass 6.12, support for TLS 1.3 for EAP-TLS and PEAP (RFC 9190) was introduced.

Cluster-wide TLS 1.3 behavior is configurable under:

Administration → Server Manager → Server Configuration → Cluster Wide Parameters

You’ll find the following options:

  • Network (Default after upgrade): Disables TLS 1.3 for EAP and enables HTTPS 1.3 on all servers in the cluster. On new ClearPass installations this is the default setting. When an existing ClearPass server is upgraded from an earlier version to 6.12.0, this is the default setting after upgrade.
  • Admin: nables TLS 1.3 for EAP and the network, and disables TLS 1.3 for HTTP only, on all servers in the cluster. The Admin setting must be used in cases where client certificate-based authentications with SSO, OnGuard, or downloadable user roles are configured, as those do not work with TLS 1.3. Having the Admin setting as the default for upgraded servers ensures that if any of those configurations are present, the TLS setting will not interfere with them.
  • All: Disables TLS 1.3 for EAP on all servers in the cluster. To support CC mode, the All option is required.
  • None: Enables TLS 1.3 for EAP on all servers in the cluster. When the None option is enabled, TLS 1.3 is used as the preferred connection for systems that support it.

The TPM Angle

Buried in the 6.12 release notes is an important remark:

If a Trusted Platform Module (TPM) certificate with firmware version 1.16 is used and does not properly support the RSA-PSS algorithm, authentications fail.

In other words:

  • Older TPM firmware versions do not correctly support RSA-PSS.
  • TLS 1.3 prefers RSA-PSS.
  • Result: authentication failure with “no suitable signature algorithm”.

Source:
https://arubanetworking.hpe.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Content/ReleaseNotes/NewFeatures/NewFeatures-6.12.0.htm

What Finally Fixed It

In my case, the combination that resolved the issue was:

  1. Disable TLS 1.3 for Network (fallback to TLS 1.2)
  2. Disable RSA-PSS Signature Suite

After applying both changes:

  • Clients fell back to TLS 1.2 (confirmed in Access Tracker)
  • Devices with older TPM firmware versions authenticated successfully
  • EAP-TLS stability was restored

Takeaways

If you experience EAP-TLS failures after upgrading to ClearPass 6.12, check the following:

Check the following:

  • Are clients using TPM-based certificates?
  • What TPM firmware versions are in use?
  • Is TLS 1.3 enabled for EAP?
  • Is RSA-PSS enabled or disabled?

TLS 1.3 is a good step forward, but in mixed environments with older hardware TPM implementations, it can introduce compatibility issues.

Until TPM firmware is updated across the estate, falling back to TLS 1.2 may be the most pragmatic solution.

The following two tabs change content below.
My Twitter profileMy LinkedIn profile

René Jorissen

Co-owner and Solution Architect at QMonkeys
René Jorissen works as Solution Architect for QMonkeys in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like HPE Networks, FortiNet, SentinelOne, Phished, Holm Security, Microsoft services and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.
  1. IreneBer says:
    April 4, 2026 at 10:33 pm

    The industry of virtual gaming has expanded well past what anyone could have imagined a ten years ago. What was once a specialized interest has transformed into a global phenomenon, offering players an almost limitless variety of sites, titles, and experiences. If you’re a seasoned player or simply exploring about the options available, finding a casino that truly fits your playstyle is crucial to enjoying the journey.

    In today’s market, the landscape are more diverse than ever. Many casinos focus on lightning-fast cashouts, enabling players to access their funds in minutes rather than days. Other platforms build their reputation around huge game libraries, featuring thousands of pokies, live casino games, and one-of-a-kind titles you won’t find anywhere else. Then there are the crypto-focused platforms, where blockchain technology offers not just fast transactions, but a new level of trust and security.

    What defines a casino as genuinely “top-tier” really comes down to what you value most. For some, it’s the initial promotion—a substantial package that gives you additional value right from the start. For others, it’s the consistency of withdrawals, with the confidence that when you initiate a withdrawal, the experience will be seamless and predictable. And for plenty of players, it’s simply the overall experience: clean design, helpful customer service, and a mobile platform that works flawlessly on every screen.

    Over time, particular operators have consistently risen to the front. These are the casinos that bring together reputable credentials, a diverse range of payment methods, and a real dedication to customer care. https://www.jedinews.com/misc/articles/online-casinos-australia-2026-fast-payouts-instant-withdrawal-pokies/ embodies precisely that standard—a place where you can count on both excellence and reliability.

    Of course, the best way is to look around with a clear sense of what you’re after. Do you enjoy high-volatility games, or do you gravitate toward classic table games like baccarat or poker? Are you seeking a platform that embraces digital currency as a top priority, or do you feel more comfortable with the convenience of digital wallets and instant bank transfers? Knowing your own playstyle makes it much easier to find the perfect platform.

    In the end, the best online casino isn’t automatically the one with the flashiest promotion or the most impressive interface. It’s the one that feels dependable, that processes withdrawals as advertised, and that leaves you feeling at ease whenever you visit. If you’re prepared to explore what’s out there, don’t rush, compare a few options, and choose the platform that aligns with how you truly like to play.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.