Contributor I

Authentication Source when using Certificates

I created a self-signed certificate and signing chain to test EAP-TLS authentication, and it's working great.

I'm curious, though, about the authentication source.

I have to pick something, so if I select Endpoint Repository, the user can authenticate properly (user name on the certificate is not present in Endpoint repository).

However, if I select an AD authentication source, authentication fails (user name also not present in AD).

 

This seems like inconsistent behavior. Any reason why ClearPass checks for the user in AD, but not in the Endpoint Repository?

Thanks.

 

Guru Elite

Re: Authentication Source when using Certificates

Do you want to validate whether a user exists or just accept the certificate?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Authentication Source when using Certificates

I'm just trying to accept the certificate.

Guru Elite

Re: Authentication Source when using Certificates

OK, then create a new EAP-TLS method with authorization disabled.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Authentication Source when using Certificates

Ah, OK. That did the trick.

I think I was thrown off by the nomenclature used.

When using the default [EAP-TLS] Authentication method, the failed Access Tracker entry's Alert tab says,

"EAP-TLS: Authentication failure, unknown user."

I'm guessing this is really more of an authorization failure?

Either way, the new EAP-TLS with no authorization method works fine.

Thanks.

 

Guru Elite

Re: Authentication Source when using Certificates

EAP-TLS has a "sub" authorization phase that's part of authentication. By default (the [EAP-TLS] method), we attempt to look up the user in the authentication source as part of EAP-TLS authorization.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Authentication Source when using Certificates

What if I want to validate whether a user exists in AD, not only check the certificate?

Guru Elite

Re: Authentication Source when using Certificates

Then leave authorization enabled.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Authentication Source when using Certificates

If the default EAP-TLS method is chosen, with AD as the auth source, then Access Tracker shows user (user@company.x) not found.

Actually, the main target is to authenticate users by AD certificate instead of username and password.

Guru Elite

Re: Authentication Source when using Certificates

Make sure your auth source is using the UPN. It defaults to sAMAccountName.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
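
The three outcomes discussed in this thread (certificate only, lookup by sAMAccountName, lookup by UPN), as an added toy model that is not part of the original posts and is not ClearPass code. The directory entries, function names and result strings are constructed for the illustration.

```python
# Added illustration, not ClearPass code: a toy model of the EAP-TLS
# "authorization" sub-step (directory lookup of the certificate identity).

# Constructed directory entries; names and domain are placeholders.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@company.example"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@company.example"},
]

def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) in a certificate-derived value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(attribute, identity):
    """Filter a real LDAP lookup would carry; shown only for illustration."""
    return "(&(objectClass=user)(%s=%s))" % (attribute, ldap_escape(identity))

def lookup(attribute, identity):
    """In-memory equality match on one attribute, case-insensitive (assumed)."""
    wanted = identity.lower()
    return [e for e in DIRECTORY if e[attribute].lower() == wanted]

def eap_tls_result(cert_valid, identity, authorization, attribute="sAMAccountName"):
    """Outcome of the method: certificate check, then the optional lookup."""
    if not cert_valid:
        return "reject: certificate validation failed"
    if not authorization:
        return "accept: certificate only"
    if lookup(attribute, identity):
        return "accept: user found via " + attribute
    return "reject: unknown user"

if __name__ == "__main__":
    identity = "jdoe@company.example"  # constructed UPN taken from a certificate
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(build_filter(attr, identity))
        print("  ->", eap_tls_result(True, identity, True, attr))
    # Authorization disabled: an identity absent from the directory is accepted.
    print(eap_tls_result(True, "not-in-directory", False))
```

With authorization disabled, the trusted CA chain is the only gate on access, so any identity on a certificate that chains to it is accepted.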