Foro en Español

Contributor II

Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Hi,

Today we have Onboard working perfectly with our corporate smartphones: users register on a dedicated SSID and run QuickConnect, which downloads a certificate issued by ClearPass to them, and once everything is configured they access the production SSID.

We have tried to apply this same model to laptop access, but the problem is that QuickConnect for Windows requires Administrator rights to make the necessary configuration changes, and the users do not have Administrator rights.

This link says that GPOs can be used to achieve this, but gives no further details. We could indeed build a GPO with the configuration needed to connect directly to the corporate SSID with WPA2-Enterprise and a certificate, but how do we install a user certificate? We want ClearPass to be the one issuing these certificates... any ideas?

Regards

Contributor II

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Hi,

Within the Onboard configuration there is an option for this kind of environment.

onboard.jpg

If you know the administrator credentials, users can run the deployment and ClearPass itself enters the Administrator username and password in order to configure whichever parts we need.

Hope this helps.

Regards.

Angel De la Encarnacion.

ACMP, ACCP, ACDX #544

Contributor II

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Hi, thanks for the quick reply!

I didn't know about that option... but I'm not sure it works for us; below the box where you enter the credentials there is a note:

"NOTE: This cannot be used on Windows 8 or above due to operating system limitations."

and our laptops happen to come with Windows 10.

Is there any solution for Windows 10?

Thanks!

Moderator

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Hi César

As you say, a colleague of ours wrote a script quite a while ago to do a mass "onboard". I never had the chance to try it, and unfortunately that colleague left a few months ago, so I can't ask him, but maybe it works for you....

I'm pasting the email he sent us verbatim:

Following those first questions, I did develop a simple script that gets the name of your computer and generates all the needed CSRs, CRLs and so on.

Once all the stuff is ready, it gets a certificate from the ClearPass CA with SCEP and requests a client certificate.

This has been deployed by a bank for 1500 devices in 10 minutes.

Note: This script could be improved to run with just a command line, but Aruba does not allow running PS scripts on our laptops...

Fingers crossed :)

Samuel Pérez
ACMP, ACCP, ACDX#100

---

If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
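An added example (editor's, not the script Samuel's colleague wrote, which is not reproduced on the page) of the first step that email describes: take the computer name and generate the key and the certificate request. It uses certreq.exe with an INF, keeps the key in the machine key set, and asks for the Client Authentication EKU and a DNS SAN carrying the host's FQDN, which is what a machine-authentication EAP-TLS supplicant looks for. It assumes it runs elevated; sending the resulting .csr to the ClearPass SCEP endpoint is a separate step and is not shown.

```powershell
# Added example (editor's, not the script from the post). Generates a machine-keyed
# PKCS#10 request for this host with certreq.exe. Assumptions: run elevated
# (MachineKeySet needs it); the SCEP submission of the .csr happens elsewhere.

function Get-MachineFqdn {
    # Host name plus DNS domain as the machine itself sees them, no DNS lookup needed
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    ("{0}.{1}" -f $ip.HostName, $ip.DomainName).TrimEnd('.')
}

function New-MachineClientAuthCsr {
    param(
        [string]$Fqdn = (Get-MachineFqdn),
        [string]$OutDir = $env:TEMP
    )
    $infPath = Join-Path $OutDir "${Fqdn}.inf"
    $csrPath = Join-Path $OutDir "${Fqdn}.csr"

    # certreq INF: 2048-bit RSA in the machine store, non-exportable, key usage
    # digitalSignature+keyEncipherment (0xA0), EKU = Client Authentication,
    # SAN = dns:<fqdn>, which is where EAP-TLS reads the machine identity from
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
HashAlgorithm = sha256
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path $infPath -Encoding ASCII

    & certreq.exe -new -q $infPath $csrPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    Remove-Item $infPath -Force
    Get-Item $csrPath
}

# Usage: generate the request, then inspect it (subject, SAN, EKU) before sending it to the CA
$csr = New-MachineClientAuthCsr
& certutil.exe -dump $csr.FullName
```

Until the issued certificate is installed, certreq leaves the request in the machine's Certificate Enrollment Requests store with the private key; completing it with the SCEP response later pairs the two. Keeping Exportable = FALSE means a copy of the laptop's disk does not also yield a usable client certificate.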
Moderator

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Sorry, I've just realised I had a newer version of the script and an email in which he describes some problems he had with Windows 7 machines (precisely the ones that work with what Ángel sent). Here are both so you have all the info:

Hi Team,

I have a customer with around 1100 HP laptops (running on Windows 7) and 400 Microsoft Surface 3 (running on Windows 8.1).

We are using ClearPass today for Onboard, Guest, and dynamic configuration of all the Cisco switches.

At the moment, ClearPass is used as a PKI for all the Microsoft Surface 3 (they are not BYOD, and are prepared before being sent to the users).

In order to achieve that configuration, I have developed a little script that does automated certificate distribution using SCEP and ClearPass.

Please find attached the ClearPass script that I wrote previously for this customer (as a global .zip package). This is fully working and the customer is happy.

My issue is that this script makes use of the PowerShell (Import-PfxCertificate) command, which cannot be used on Windows 7.

I have tried to get around the problem with a similar configuration but I did not manage to do it. From what I have seen, the registry configuration does something different if you use certutil or Import-PfxCertificate.

- Do you have some experience with these tools?
- Do you have customers with similar installs?
- How does OnBoard work? How can I reach the people who developed OnBoard, as they probably have working source code?

In order to compare a working configuration and a non-working configuration, I have configured Onboard (perfectly working as expected); see below. I am stuck with an AcquireCredentialsHandle function (https://msdn.microsoft.com/en-us/library/windows/desktop/aa374712(v=vs.85).aspx) that seems to be my issue.

In my case, I cannot use the OnBoard client to register 1100 devices that are already in the directory. I would assume it would be beneficial to have a solution that is fully working without OnBoard. Any suggestion would be very appreciated. If I am completely wrong, please let me know. I was thinking this would be an easy process with GPO and SCEP. It does not seem to be as simple as I was thinking; I have no Windows administration skills at all and I am sure you would have a lot of input.

[5556] 11-30 17:01:30:286: EAP-TLS using All-purpose cert
[5556] 11-30 17:01:30:286:  Self Signed Certificates will not be selected.
[5556] 11-30 17:01:30:286: EAP-TLS will accept the  All-purpose cert
[5556] 11-30 17:01:30:286: EapTlsInitialize2: PEAP using All-purpose cert
[5556] 11-30 17:01:30:286: PEAP will accept the  All-purpose cert
[5556] 11-30 17:01:30:286: EapTlsInvokeIdentityUI
[5556] 11-30 17:01:30:286: GetCertInfo flags: 0xa2
[5556] 11-30 17:01:30:286: GetDefaultClientMachineCert
[5556] 11-30 17:01:30:286: FCheckTimeValidity
[5556] 11-30 17:01:30:286: FCheckUsage: All-Purpose: 1
[5556] 11-30 17:01:30:286: DwGetEKUUsage
[5556] 11-30 17:01:30:286: Number of EKUs on the cert are 1
[5556] 11-30 17:01:30:286: Could not get identity from subject alt name.
[5556] 11-30 17:01:30:286: Cert's Identity didn't match this machine's Identity.  skipping this cert.
[5556] 11-30 17:01:30:286: FCheckTimeValidity
[5556] 11-30 17:01:30:286: FCheckUsage: All-Purpose: 1
[5556] 11-30 17:01:30:286: DwGetEKUUsage
[5556] 11-30 17:01:30:286: Number of EKUs on the cert are 1
[5556] 11-30 17:01:30:286: Could not get identity from subject alt name.
[5556] 11-30 17:01:30:286: Cert's Identity didn't match this machine's Identity.  skipping this cert.
[5556] 11-30 17:01:30:286: Did not find Machine Cert based on the given machinename, client auth, time validity. Using the first cert with Client Auth OID.
[5556] 11-30 17:01:30:286: GetDefaultClientMachineCert done.
[5556] 11-30 17:01:30:286: Got the default Machine Cert
[5556] 11-30 17:01:30:286: Successfully got certificate. Hash follows
[5556] 17:01:30:286: FA F1 BB A7 BD E2 00 5E CB 20 44 56 C5 6C EF 63 |.......^. DV.l.c|
[5556] 17:01:30:286: 7B 0F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 |{.w.............|
[5556] 11-30 17:01:30:286: EAP-TLS using All-purpose cert
[5556] 11-30 17:01:30:286:  Self Signed Certificates will not be selected.
[5556] 11-30 17:01:30:286: EAP-TLS will accept the  All-purpose cert
[5556] 11-30 17:01:30:286: EapTlsInitialize2: PEAP using All-purpose cert
[5556] 11-30 17:01:30:286: PEAP will accept the  All-purpose cert
[5556] 11-30 17:01:30:301:
[5556] 11-30 17:01:30:301: EapTlsBegin(host/admin)
[5556] 11-30 17:01:30:301: SetupMachineChangeNotification
[5556] 11-30 17:01:30:301: State change to Initial
[5556] 11-30 17:01:30:301: EapTlsBegin: Detected 8021X authentication
[5556] 11-30 17:01:30:301: MaxTLSMessageLength is now 16384
[5556] 11-30 17:01:30:301: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[5556] 11-30 17:01:30:301: Force IgnoreRevocationOffline on client
[5556] 11-30 17:01:30:301: CRYPT_E_REVOCATION_OFFLINE will be ignored
[5556] 11-30 17:01:30:301: The root cert will not be checked for revocation
[5556] 11-30 17:01:30:301: The cert will be checked for revocation
[5556] 11-30 17:01:30:301: Unable to read TLS version registry key, return code 2
[5556] 11-30 17:01:30:301:
[5556] 11-30 17:01:30:301: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:301: >> Received Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[5556] 11-30 17:01:30:301: EapTlsCMakeMessage, state(0) flags (0x1460)
[5556] 11-30 17:01:30:301: EapTlsReset
[5556] 11-30 17:01:30:301: State change to Initial
[5556] 11-30 17:01:30:301: EapGetCredentials
[5556] 11-30 17:01:30:301: Flag is Machine Auth and Store is local Machine
[5556] 11-30 17:01:30:301: GetCachedCredentials Flags = 0x1460
[5556] 11-30 17:01:30:301: FindNodeInCachedCredList, flags(0x1460), default cached creds(0), check thread token(0)
[5556] 11-30 17:01:30:317: The name in the certificate is: admin
[5556] 11-30 17:01:30:317: Will validate server cert
[5556] 11-30 17:01:30:333: MakeReplyMessage
[5556] 11-30 17:01:30:333: SecurityContextFunction
[5556] 11-30 17:01:30:333: InitializeSecurityContext returned 0x90312
[5556] 11-30 17:01:30:333: State change to SentHello
[5556] 11-30 17:01:30:333: BuildPacket
[5556] 11-30 17:01:30:333: << Sending Response (Code: 2) packet: Id: 2, Length: 107, Type: 13, TLS blob length: 97. Flags: L
[5556] 11-30 17:01:30:364:
[5556] 11-30 17:01:30:364: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:364: >> Received Request (Code: 1) packet: Id: 3, Length: 1034, Type: 13, TLS blob length: 4380. Flags: LM
[5556] 11-30 17:01:30:364: EapTlsCMakeMessage, state(2) flags (0x1400)
[5556] 11-30 17:01:30:364: MakeReplyMessage
[5556] 11-30 17:01:30:364: Reallocating input TLS blob buffer
[5556] 11-30 17:01:30:364: BuildPacket
[5556] 11-30 17:01:30:364: << Sending Response (Code: 2) packet: Id: 3, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:364:
[5556] 11-30 17:01:30:364: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:364: >> Received Request (Code: 1) packet: Id: 4, Length: 1030, Type: 13, TLS blob length: 0. Flags: M
[5556] 11-30 17:01:30:364: EapTlsCMakeMessage, state(2) flags (0x1410)
[5556] 11-30 17:01:30:364: MakeReplyMessage
[5556] 11-30 17:01:30:364: BuildPacket
[5556] 11-30 17:01:30:364: << Sending Response (Code: 2) packet: Id: 4, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:379:
[5556] 11-30 17:01:30:379: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:379: >> Received Request (Code: 1) packet: Id: 5, Length: 1030, Type: 13, TLS blob length: 0. Flags: M
[5556] 11-30 17:01:30:379: EapTlsCMakeMessage, state(2) flags (0x1410)
[5556] 11-30 17:01:30:379: MakeReplyMessage
[5556] 11-30 17:01:30:379: BuildPacket
[5556] 11-30 17:01:30:379: << Sending Response (Code: 2) packet: Id: 5, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:395:
[5556] 11-30 17:01:30:395: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:395: >> Received Request (Code: 1) packet: Id: 6, Length: 1030, Type: 13, TLS blob length: 0. Flags: M
[5556] 11-30 17:01:30:395: EapTlsCMakeMessage, state(2) flags (0x1410)
[5556] 11-30 17:01:30:395: MakeReplyMessage
[5556] 11-30 17:01:30:395: BuildPacket
[5556] 11-30 17:01:30:395: << Sending Response (Code: 2) packet: Id: 6, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:411:
[5556] 11-30 17:01:30:411: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:411: >> Received Request (Code: 1) packet: Id: 7, Length: 290, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:411: EapTlsCMakeMessage, state(2) flags (0x1410)
[5556] 11-30 17:01:30:411: MakeReplyMessage
[5556] 11-30 17:01:30:411: SecurityContextFunction
[5556] 11-30 17:01:30:442: InitializeSecurityContext returned 0x90312
[5556] 11-30 17:01:30:442: State change to SentFinished
[5556] 11-30 17:01:30:442: BuildPacket
[5556] 11-30 17:01:30:442: << Sending Response (Code: 2) packet: Id: 7, Length: 1492, Type: 13, TLS blob length: 2118. Flags: LM
[5556] 11-30 17:01:30:457:
[5556] 11-30 17:01:30:457: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:457: >> Received Request (Code: 1) packet: Id: 8, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:457: EapTlsCMakeMessage, state(3) flags (0x1400)
[5556] 11-30 17:01:30:457: BuildPacket
[5556] 11-30 17:01:30:457: << Sending Response (Code: 2) packet: Id: 8, Length: 642, Type: 13, TLS blob length: 0. Flags:
[5556] 11-30 17:01:30:551:
[5556] 11-30 17:01:30:551: EapTlsMakeMessage(host/admin)
[5556] 11-30 17:01:30:551: >> Received Request (Code: 1) packet: Id: 9, Length: 69, Type: 13, TLS blob length: 59. Flags: L
[5556] 11-30 17:01:30:551: EapTlsCMakeMessage, state(3) flags (0x1400)
[5556] 11-30 17:01:30:551: MakeReplyMessage
[5556] 11-30 17:01:30:551: SecurityContextFunction
[5556] 11-30 17:01:30:551: InitializeSecurityContext returned 0x0
[5556] 11-30 17:01:30:551: AuthenticateServer flags: 0x1400
[5556] 11-30 17:01:30:551: DwGetEKUUsage
[5556] 11-30 17:01:30:551: Number of EKUs on the cert are 1
[5556] 11-30 17:01:30:551: FCheckUsage: All-Purpose: 1
[5556] 11-30 17:01:30:551: Checking against the NTAuth store to verify the certificate chain.
[5556] 11-30 17:01:30:551: CertVerifyCertificateChainPolicy succeeded but returned 0x800b0112.Continuing with root hash matching.
[5556] 11-30 17:01:30:551: Root CA name: Graubuender Kantonalbank
[5556] 11-30 17:01:30:551: Found Hash
[5556] 11-30 17:01:30:567: Server name: gkpa021.gkb.ch
[5556] 11-30 17:01:30:567: Server name specified: gkpa021.gkb.ch;gkpa022.gkb.ch
[5556] 11-30 17:01:30:567: ValidateServerName
[5556] 11-30 17:01:30:567: CreateMPPEKeyAttributes
[5556] 11-30 17:01:30:567: State change to RecdFinished
[5556] 11-30 17:01:30:567: BuildPacket
[5556] 11-30 17:01:30:567: << Sending Response (Code: 2) packet: Id: 9, Length: 6, Type: 13, TLS blob length: 0. Flags:
[4356] 11-30 17:01:30:598:
[4356] 11-30 17:01:30:598: EapTlsMakeMessage(host/admin)
[4356] 11-30 17:01:30:598: >> Received Success (Code: 3) packet: Id: 9, Length: 4, Type: 0, TLS blob length: 0. Flags:
[4356] 11-30 17:01:30:598: EapTlsCMakeMessage, state(4) flags (0x1408)
[4356] 11-30 17:01:30:598: Negotiation result according to peer: success
[4356] 11-30 17:01:30:598: Negotiation successful
[4356] 11-30 17:01:30:598: SetCachedCredentials Flags = 0x1408
[4356] 11-30 17:01:30:598: AddNodeToCachedCredList, pEapTlsCb->fFlags(0x1408).
[4356] 11-30 17:01:30:598: FindNodeInCachedCredList, flags(0x1408), default cached creds(0), check thread token(0)
[4356] 11-30 17:01:30:598: GetNewCachedCredListNode
[4356] 11-30 17:01:30:598: Created a new EAPTLS_CACHED_CREDS,  pNode->dwCredFlags = 0x49
[4356] 17:01:30:598: FA F1 BB A7 BD E2 00 5E CB 20 44 56 C5 6C EF 63 |.......^. DV.l.c|
[4356] 17:01:30:598: 7B 0F 77 00 00 00 00 00 00 00 00 00 00 00 00 00 |{.w.............|
[4356] 11-30 17:01:30:598: EapTlsEnd
[4356] 11-30 17:01:30:598: EapTlsEnd(host/admin)

Samuel Pérez
ACMP, ACCP, ACDX#100
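An added example (editor's, not the script attached to the post) for the Windows 7 problem it raises: a PFX import done with .NET classes that exist on Windows 7, so it does not depend on Import-PfxCertificate, preceded by a check of the properties the supplicant trace above filters on before it picks a machine certificate: time validity, a Client Authentication EKU, and a subject alternative name that names this machine (the trace's "Could not get identity from subject alt name ... skipping this cert" lines are what that check catches before the certificate is ever installed). Assumed: the PFX is .\machine.pfx, its password is entered interactively, and the script runs elevated because it writes to LocalMachine\My and the machine key set.

```powershell
# Added example (editor's, not the script from the post). Imports a PKCS#12 into
# LocalMachine\My using only .NET (no Import-PfxCertificate), after checking what an
# EAP-TLS machine-auth supplicant requires. Assumed inputs: .\machine.pfx and its
# password; assumed to run elevated.

function Get-MachineFqdn {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    ("{0}.{1}" -f $ip.HostName, $ip.DomainName).TrimEnd('.')
}

function Test-MachineEapTlsCert {
    # Returns the reasons the supplicant would skip this certificate (empty = usable)
    param([Parameter(Mandatory=$true)]$Cert, [Parameter(Mandatory=$true)][string]$Fqdn)
    $problems = @()
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'not time-valid' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # EKU extension (2.5.29.37) must list Client Authentication (1.3.6.1.5.5.7.3.2)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $hasClientAuth = $false
    if ($eku) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq '1.3.6.1.5.5.7.3.2') { $hasClientAuth = $true }
        }
    }
    if (-not $hasClientAuth) { $problems += 'no Client Authentication EKU (1.3.6.1.5.5.7.3.2)' }

    # "Could not get identity from subject alt name" in the trace: the supplicant reads the
    # machine identity from the SAN (2.5.29.17), not only from the Subject CN
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if ($sanText -notmatch [regex]::Escape($Fqdn)) { $problems += "SAN '$sanText' does not name $Fqdn" }
    return ,$problems
}

function Import-MachinePfx {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [string]$Fqdn = (Get-MachineFqdn)
    )
    # MachineKeySet: the key lands in the machine container the supplicant (as SYSTEM) can use.
    # PersistKeySet: without it the key is deleted when the object is garbage-collected.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import((Resolve-Path $PfxPath).Path, $Password, $flags)

    $problems = Test-MachineEapTlsCert -Cert $cert -Fqdn $Fqdn
    if ($problems.Count -gt 0) {
        throw "Not importing $($cert.Thumbprint): $($problems -join '; ')"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint
}

# Usage (assumed file, password entered interactively so it never sits in the script):
# $pw = Read-Host -AsSecureString 'PFX password'
# Import-MachinePfx -PfxPath .\machine.pfx -Password $pw
```

Two details matter for the trace shown: the SAN check is what makes the supplicant pick the certificate deliberately instead of falling back to "the first cert with Client Auth OID", and MachineKeySet is what lets the 802.1X service, which runs as SYSTEM before any user logs on, reach the private key. The thumbprint the function returns is the same SHA-1 hash the trace prints after "Successfully got certificate. Hash follows", so it can be matched against the trace when debugging.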
Contributor II

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Wow, what a script.... thanks!

I've gone through all of it and more or less understood it, although I have to say my PowerShell knowledge is minimal or close to nil... The thing is that it throws an error I can't quite figure out.

I understand that the Aruba.PSCredential file (located in the PSCredentials subdirectory) contains the "SCEP Secret" configured on the ClearPass CA, is that right? If I put our Secret in a file with that name I get the following error:

ConvertTo-SecureString : Input string was not in a correct format.
At C:\.....\deploy_ca_v2.ps1:38 char:85
+ $SecUPword = get-content .\PSCredentials\Aruba.PSCredential | convertto-securestring <<<<  -key (1..16)
    + CategoryInfo          : NotSpecified: (:) [ConvertTo-SecureString], FormatException
    + FullyQualifiedErrorId : System.FormatException,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand

I don't know whether what I'm saying is right, or whether that file's contents are for something else.....

Thanks and regards!
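An added example (editor's, not part of the attached script) of what the file read on line 38 of deploy_ca_v2.ps1 has to contain. ConvertTo-SecureString -Key (1..16) only accepts the encrypted standard string that ConvertFrom-SecureString -Key (1..16) writes; feeding it a plaintext secret is exactly what produces the FormatException in the error above. The path .\PSCredentials\Aruba.PSCredential and the key (1..16) are taken from that error line; that the file holds the SCEP secret is the post's own assumption, followed here.

```powershell
# Added example (editor's, not from the script). Writes and reads the credential file in
# the format the failing line expects. Path and key are copied from the error message.

# The script hardcodes the AES key as (1..16); anyone who can read the script can decrypt
# the file, so this is obfuscation, not secrecy (see the note below the block).
$KeyBytes = [byte[]](1..16)

function Protect-ScepSecret {
    # One-time step for whoever prepares the deployment package
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Secret
    )
    $dir = Split-Path -Parent $Path
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # Output is the hex "encrypted standard string" that ConvertTo-SecureString -Key parses
    ConvertFrom-SecureString -SecureString $Secret -Key $KeyBytes | Set-Content -Path $Path -Encoding ASCII
}

function Unprotect-ScepSecret {
    # Mirrors the script's line 38 and decodes the result for use on a command line
    param([Parameter(Mandatory=$true)][string]$Path)
    $sec = Get-Content -Path $Path | ConvertTo-SecureString -Key $KeyBytes
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-ScepSecretRoundTrip {
    # Self-check: a constructed secret survives the write/read cycle
    $tmp = Join-Path $env:TEMP 'Aruba.PSCredential.test'
    $plain = 'constructed-test-secret'
    $sec = New-Object System.Security.SecureString
    $plain.ToCharArray() | ForEach-Object { $sec.AppendChar($_) }
    Protect-ScepSecret -Path $tmp -Secret $sec
    $back = Unprotect-ScepSecret -Path $tmp
    Remove-Item $tmp -Force
    $back -eq $plain
}

# Usage:
# Protect-ScepSecret -Path .\PSCredentials\Aruba.PSCredential -Secret (Read-Host -AsSecureString 'SCEP secret')
# $scepSecret = Unprotect-ScepSecret -Path .\PSCredentials\Aruba.PSCredential
Test-ScepSecretRoundTrip
```

Because the key is a constant in the script, the credential file only keeps the SCEP secret out of casual view; it does not protect it from anyone who obtains the package. Restrict the package with file ACLs, rotate the SCEP secret after the rollout, or drop -Key so that ConvertFrom-SecureString uses DPAPI, with the trade-off that the file then only decrypts under the same account and machine that created it.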

Contributor II

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Could someone who knows PowerShell help us? I'm not sure whether opening a case is appropriate, since the script isn't an Aruba solution but a script developed for a specific use case in a scripting language.

Regards

Moderator

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

Sorry, I hadn't seen the previous message. I'm not much of an expert either, but I'll see if a colleague can lend me a hand.

Samuel Pérez
ACMP, ACCP, ACDX#100
Contributor II

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

OK, thanks a lot!!

Aruba Employee

Re: Configuring Wi-Fi access with WPA2-Enterprise and certificates for users without admin rights

We'll take it from here. We'll get back to you soon.

Regards
