Occasional Contributor II

802.1x EAP-TLS SSID for domain joined and intune joined devices

Hello Airheads,

 

We are running aruba 7240 controllers, and clearpass as radius server.

We are going to deploy a new SSID, where two types of devices shall be able to authenticate:

  • 802.1x EAP-TLS Machine certificate authentication for domain joined laptops (internal CA)
  • 802.1x EAP-TLS Client certificate from MS Intune (internal CA)

These two client types obtain their certificates from different internal certificate authorities. The domain joined laptops are of course in our Active Directory, while the devices "onboarded" in Microsoft Intune are not.

 

What is the best way to configure clearpass policies for this setup? 

I am thinking about using an OCSP check against the CA for authorizing the Intune devices, is that even possible?

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Both certs are issued from the same CA?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Hello Tim,

No, the certs are issued from two different CA servers, one for domain computers and one for MS Intune devices.

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

OCSP is used for real-time status checking. This would be the equivalent of a password check. This should be done in all cases, regardless of the CA.

 

Since you have two CAs, you can use the certificate's issuing CA as part of your policy. It's difficult to go into any more detail without any information about your end goal w.r.t. policy enforcement.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Seems like I'm on the right track then.

At the moment, I am only focusing on the Intune devices, and one of the CAs.

This is a screenshot of the service I have created, for using EAP-TLS and OCSP to check if the device certificate is valid.

Is this correctly configured, or am I missing something? Do I need the CA as an authentication source as well?

[screenshot: ca-clearpass.png]

 

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Do the certs not have the OCSP URL embedded in the AIA attribute? You generally don't want to override the URL in the EAP method if it's available in the certificate.

 

You can also remove the strip rules as they don't apply here.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Hello, old post, but I'm hoping you may be able to assist. I'm working with a client on a similar deployment, using Intune devices with a dedicated CA. My knowledge of Intune is very limited, though fairly experienced with Clearpass, so I'm trying to learn more about this design.

 

You referenced a custom Authentication Method to point to the OCSP, was that required? Do you have any references that helped with this design? The authorization side of things with respect to Intune is working correctly, but now we're looking at the EAP-TLS authentication to the Intune CA. I had previously assumed we only use Intune for authorization, but apparently we use it for authentication as well?

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

OCSP is used for real time certificate status checks. Your client certificates should have an OCSP URL embedded so the EAP-TLS method will be configured to require OCSP.

I’m not sure I understand your question.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Ah, I haven't played with the OCSP authentication method with EAP-TLS. I will do some more research. Really I'm just trying to track down more documentation so I can familiarize myself further with these concepts as they relate to Intune and ClearPass, as the current white papers and design guides that I've found don't address this specific deployment scenario.

 

Thanks!

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

OCSP is not unique to Intune or ClearPass. Do your certs have the OCSP URL in them?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
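A pre-flight check for the two questions raised in this thread (does the client cert carry an OCSP URL in its AIA extension, and which of the two CAs issued it, so the issuer can drive policy), written as an added example that is not from this thread, Aruba or Microsoft. The CA names and OCSP URL are hypothetical placeholders, and the sample certificate is a constructed self-signed one so the script runs offline against a local OpenSSL.

```shell
#!/bin/sh
# Added example: inspect an exported client certificate before building the
# EAP-TLS service. CA common names are hypothetical placeholders.
set -eu

# OCSP responder URI(s) from the AIA extension; empty output means none embedded.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Issuer DN in RFC 2253 form, e.g. CN=Intune-Issuing-CA,DC=example,DC=test
issuer_dn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Map the issuing CA to the device population it represents (hypothetical CNs).
classify_issuer() {
  case "$1" in
    *CN=Corp-Domain-Issuing-CA*) echo domain-joined ;;
    *CN=Intune-Issuing-CA*)      echo intune ;;
    *)                           echo unknown-issuer ;;
  esac
}

# Verdict for one certificate file: an embedded OCSP URL and a known issuer are
# both required before the cert is a good fit for an EAP-TLS method with OCSP.
check_cert() {
  uri=$(ocsp_uri "$1")
  kind=$(classify_issuer "$(issuer_dn "$1")")
  if [ -z "$uri" ]; then
    echo "reject: no OCSP URL in AIA (the EAP method would need an override URL)"
  elif [ "$kind" = unknown-issuer ]; then
    echo "reject: issuer is not one of the two policy CAs"
  else
    echo "accept: $kind (OCSP at $uri)"
  fi
}

# Constructed sample: a self-signed cert whose subject doubles as issuer and
# which carries an AIA OCSP URI, so the checks above have something to read.
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1/key.pem" -out "$1/cert.pem" -days 1 \
    -subj "/CN=Intune-Issuing-CA" \
    -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/ocsp" \
    >/dev/null 2>&1
}
```

Run `check_cert /path/to/client.pem` on a real exported certificate; `-addext` needs OpenSSL 1.1.1 or newer for the sample generator.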