05-02-2013 04:43 AM
I can't 100% comment on the security level as I am still learning about machine and user auth. using 802.1.
But what we did was install the CPPM certificate onto our test machine. Then we set up an auth. source to search for our computer accounts in the LDAP and the machines were able to authenticate. The role that the machines receive is extremely restrictive, only giving access to DNS/DHCP, netbios, etc. As well, in order to be able to authenticate as a machine, the machine needs to be a part of our domain. We are also exploring the possibility of adding an attribute to the machine's LDAP account to search for, so that only machines that have been approved and have this unique attribute will be able to authenticate.
It isn't perfect, but we didn't want to get into generating certs. for each individual machine.
05-02-2013 04:51 AM
Our customer requires machine certs for each machine, which can be pushed from AD group policy. It would have been nice if ClearPass could have done this via onboarding, but I guess you can't have everything. Thanks.
05-02-2013 05:04 AM
Since your customer is AD, couldn't you set up an IAS server? I believe this is what is used in the Microsoft world to generate certs for the machines.
Yes, I do agree it would be nice if ClearPass could do this. Perhaps that functionality might come later. I think though there might be some limitations based on the access the server would have within the AD domain? I could be wrong about that of course.
05-03-2013 06:08 AM
Matt Finnie wrote:
The issue is not with the issuing of certs but with authenticating machines with certificates. How can Clearpass verify certificates?
To authenticate Machine Certs issued from Active Directory, CPPM would only need:
- A server certificate that is trusted by the clients (ideally it would be issued by the AD enterprise CA)
- The CA cert that issued the Machine Certs installed in ClearPass' Trusted Certificate Authorities Store
- A Service with the Authentication Method of EAP-TLS
- (Optional) ClearPass added to AD so that it can do authorization of the username on the certificate via LDAP/AD
- (Optional) an OCSP URL so that ClearPass can check for certificate revocation.
Aruba Customer Engineering
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
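To make the checklist above concrete, here is an added example (not ClearPass code, and not from any poster in this thread) that reproduces with openssl the decisions an EAP-TLS RADIUS server makes on a presented machine certificate: does it chain to the CA in the trusted store, is it within its validity period, is it usable for client authentication (EKU), and what identity does it carry for the optional AD/LDAP authorization step. The CA, hostnames (host01.example.local, web01.example.local) and the "approved machines" file are all constructed; the file stands in for the LDAP lookup the first post describes (an approval attribute on the computer account). OCSP is not exercised here because it needs a live responder.

```shell
#!/bin/sh
# Added example, not ClearPass code: mimics the EAP-TLS machine-cert checks
# with openssl. All CAs, hosts and the approved-machine list are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# make_ca NAME CN: a self-signed issuing CA (stand-in for the AD enterprise CA)
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# issue_cert NAME CN 'EXTENSIONS' CA: a leaf certificate signed by CA
issue_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  printf '%b\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

make_ca ca "Example Enterprise CA"     # the CA ClearPass would trust
make_ca rogue "Untrusted CA"           # a CA that is NOT in the trust store
# Machine cert as AD autoenrollment would shape it: clientAuth EKU, FQDN in SAN
issue_cert machine host01.example.local \
  'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:host01.example.local' ca
# A server cert from the same CA: trusted chain, but wrong purpose for EAP-TLS
issue_cert web web01.example.local \
  'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:web01.example.local' ca
# Same identity, but issued by the untrusted CA
issue_cert imposter host01.example.local \
  'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:host01.example.local' rogue

# Constructed stand-in for the LDAP "approved machine" attribute lookup
printf 'host01.example.local\n' > approved.txt

# eap_tls_check CERT TRUSTSTORE: chain to the trusted CA, validity dates and
# client-auth purpose (openssl's sslclient purpose enforces the EKU). Prints
# the SAN dNSName (the machine FQDN) on success; returns 1 on any failure.
eap_tls_check() {
  openssl verify -CAfile "$2" -purpose sslclient "$1" >/dev/null 2>&1 || return 1
  id=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
       | sed -n 's/.*DNS:\([^, ]*\).*/\1/p' | head -n 1)
  [ -n "$id" ] || return 1
  printf '%s\n' "$id"
}

# authorize_machine FQDN APPROVED_FILE: the optional authorization step,
# i.e. "is this identity an approved computer account" (file replaces LDAP)
authorize_machine() {
  grep -qxF "$1" "$2"
}

for c in machine web imposter; do
  if id=$(eap_tls_check "$c.crt" ca.crt) && authorize_machine "$id" approved.txt; then
    echo "$c.crt: ACCEPT as $id"
  else
    echo "$c.crt: REJECT"
  fi
done
```

Only machine.crt is accepted: web.crt chains correctly but fails the client-auth purpose check, and imposter.crt carries the right name but does not chain to the trusted CA. In a real deployment the identity printed by eap_tls_check is what the RADIUS server would look up in AD, and the CRL/OCSP check would sit alongside the chain validation.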