Occasional Contributor II

802.1x EAP-TLS SSID for domain joined and intune joined devices

Hello Airheads,


We are running Aruba 7240 controllers, and ClearPass as RADIUS server.

We are going to deploy a new SSID, where two types of devices shall be able to authenticate:

  • 802.1x EAP-TLS Machine certificate authentication for domain joined laptops (internal CA)
  • 802.1x EAP-TLS Client certificate from MS Intune (internal CA)

These two client types obtain their certificates from different internal certificate authorities. The domain-joined laptops are of course in our Active Directory, while the devices "onboarded" in Microsoft Intune are not.


What is the best way to configure clearpass policies for this setup? 

I am thinking about using an OCSP check against the CA for authorizing the Intune devices, is that even possible?

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Both certs are issued from the same CA?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Hello Tim,

No, the certs are issued from two different CA servers, one for domain computers, and one for MS Intune devices.

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

OCSP is used for real-time status checking. This would be the equivalent of a password check. This should be done in all cases, regardless of the CA.


Since you have two CAs, you can use the certificate's issuing CA as part of your policy. It's difficult to go into any more detail without any information about your end goal w.r.t. policy enforcement.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Seems like I'm on the right track then.

At the moment, I am only focusing on the Intune devices, and one of the CAs.

This is a screenshot of the service I have created, for using EAP-TLS and OCSP to check if the device certificate is valid.

Is this correctly configured, or am I missing something? Do I need the CA as an authentication source as well?

 ca-clearpass.png

Guru Elite

Re: 802.1x EAP-TLS SSID for domain joined and intune joined devices

Do the certs not have the OCSP URL embedded in the AIA attribute? You generally don't want to override the URL in the EAP method if it's available in the certificate.


You can also remove the strip rules as they don't apply here.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
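The two certificate attributes this thread keeps coming back to are the issuing CA (to tell the domain-CA and Intune-CA populations apart in policy) and the OCSP URL carried in the AIA extension (so the EAP method does not need to override the responder address). The script below is an added example, not code from the thread or from Aruba/ClearPass: it builds a throwaway CA and a device certificate with an AIA OCSP entry, then pulls out exactly those two attributes and verifies the chain, which is what you would do on a real device certificate before building the ClearPass rule. The CA name, device name, responder URL and file paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): construct a CA and a device
# certificate with an AIA OCSP URL, then extract the attributes a
# ClearPass policy would key on: issuer CN and the AIA OCSP URI.
# Every name, URL and path here is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Generate a constructed issuing CA (stand-in for the Intune CA).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Constructed Intune Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a device certificate carrying a TLS client EKU (required for
# EAP-TLS) and an AIA extension pointing at a hypothetical OCSP responder.
make_demo_device_cert() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ dev ]
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/ocsp
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=device-0001.example.invalid" \
    -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/dev.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$WORK/ext.cnf" -extensions dev \
    -out "$WORK/dev.pem" 2>/dev/null
}

# Print the issuer CN: the attribute that separates the two CA
# populations in an enforcement policy.
cert_issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the AIA OCSP URI. Empty output means the certificate has no
# embedded responder URL and the EAP method would have to supply one.
cert_ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Chain validation against the trusted CA; returns 0 on success.
# No attribute from the cert should drive policy before this passes.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_demo_ca
make_demo_device_cert
echo "issuer CN: $(cert_issuer_cn "$WORK/dev.pem")"
echo "OCSP URI:  $(cert_ocsp_uri "$WORK/dev.pem")"
cert_chains_to_ca "$WORK/dev.pem" "$WORK/ca.pem" && echo "chain: OK"
```

Run the same `cert_issuer_cn` and `cert_ocsp_uri` functions against a certificate exported from a real domain-joined laptop and from an Intune-enrolled device: if both report an OCSP URI, leave the responder override in the EAP-TLS method empty and let ClearPass use the AIA value; the issuer CN from each population is then the value to match on in the policy condition.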