Security

hi,

 

I have a question that has driven me crazy for a few days ...
The title could be - credential caching in 802.1x (PEAP - MSCHAPV2)

The authentication model has to be 802.1x - for all types of mobile devices so I use PEAP.

The users reside in an external LDAP and the clearpass is already consulting it without problems. In principle all good.

The issue is that there are devices that perform radius: request every few minutes - I suppose it's because of roaming problems between APs. Whenever a change of AP occurs - a radius authentication request is generated

Do you think of any way to locally cache the identity of the client device, for example through the MAC address tuple and user name, to verify the existence of locally established session?

This does not progress requests to the LDAP.

 

I'm trying to store the Radius value: IETF: Calling-Station-Id in some local table (although I assume the known MAC addresses will be querible) and then - BEFORE Normal Authentication - check this table and compare it with the value new connection MAC device... it's very difficult to me.

 

Realy thanks - i know that not have to be easy

No, this is not feasible as its not the way the protocol is built. What you're seeing is normal. Clients that support fast reconnect will not require a full authentication on every roam event. FR is enabled by default in ClearPass.

 

It's not exactly clear what issue you're seeing.

 

Another option is to consider using a more modern authentication method like EAP-TLS that has a lower dependency on the identity store.

Thanks for your quick response

 

What I'm seeing is that - some specific devices - iphones, very specific linux, ... make an average of 60 radius requests every hour. All this requests are moved to the LDAP which already has a considerable workload. I would like to avoid this since these devices have already been authenticated and have a 14 hour session ...

AFAIK, iOS doesn't support Fast Reconnect. Your best bet would be to move away from legacy EAP methods like PEAP and over to EAP-TLS.

This way is totally discarded - due to the nature of the scenario - thousands of customers ...

 

Do you really think that you can not "store" part of an established connection information and that this authentication method is the initial of the devices when they connect to the wifi (802.1x) avoiding to use the user and password?

 

You do not know how I thank you for your opinion - thank you very much

That is essentially the premise of Fast Reconnect but not all devices support it.

What you're describing is not possible within the protocols that are in use.

Thanks for your opinion - now that I start to see it with more prespectiva it makes all sense what you say.

 

I suppose that in this sense EAP-TTLS would not solve anything.

EAP-TLS, not EAP-TTLS.

If I understood you correctly ... you proposed EAP-TLS (not EAP-TTLS) but for the scenario creating a certificate to each user would require a very large deployment - not viable.

 

EAP-TTLS has a functional architecture very similar to EAP-PEAP so it would not solve anything when the possibility of caching identities that avoid complete authentication. It is right?

Yes, certificate-based authentication is standard and always recommended, no matter the size of the environment.

Please, forgive me if I insist - I have possibilities and I think you can help me understand. would such a scenario be possible?

 

1.service_MAC_Authentication (allow unknows) Endpoint Phone Number EQUAL Radius: IETF: Calling-Station-Id Enforcement Allow Access

 

2.service_802.1x_Autentication (LDAP users) user_name / pass <---> Active Directory Enforcement Allow Access post-functionss Connection Client-Mac-address == (update_Endpoint) ==> Endpoint Phone Number

 

Questions

 

* I do not know if a Wi-Fi client (802.1x) can first go through a MAC authentication service. And the bad ones. Could this be the first service?

 

1. service_802.1x_Autentication Endpoint Phone Number EQUAL Radius: IETF: Calling-Station-Id Enforcement Allow Access

 

* That same client - could move to the second service if it does not find the MAC?

 

* In the second service - Is it possible to update a record with a value? or add a new field in Endpoints "client-mac" for use in the first service?

 

Thank you very much for your help understanding the operation of the clearpass

No, as I've mentioned, this is not possible.

thank you very much for your help

;)