Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Can Clearpass 6.1 issues machine certs

I am trying to figure out how to do machine authentication via clearpass and am wondering if Clearpass is able to issue machine certificates for machine authentication?

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Can Clearpass 6.1 issues machine certs

I'm not 100% sure if the CPPM can issue machine certs, but I don't think that it can.

But you can do machine authentication without an individual cert. for the machine.

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Can Clearpass 6.1 issues machine certs

I wasn't holding out much hope that Clearpass could issue certs. But I imagine this is the only secure way of guaranteeing machine auth. Is there another secure method?

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Can Clearpass 6.1 issues machine certs

I can't 100% comment on the security level as I am still learning about machine and user auth. using 802.1.

But what we did was install the CPPM certificate onto our test machine. Then we set up an auth. source to search for our computer accounts in the LDAP and the machines were able to authenticate. The role that the machines receive is extremely restrictive, only giving access to DNS/DHCP, netbios, etc. As well, in order to be able to authenticate as a machine, the machine needs to be a part of our domain. We are also exploring the possibility of adding an attribute to the machine's LDAP account to search for so that only machines that have been approved and have this unique attribute will be able to authenticate.

It isn't perfect, but we didn't want to get into generating certs. for each individual machine.

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Can Clearpass 6.1 issues machine certs

Our customer requires machine certs for each machine which can be pushed from AD group policy. It would have been nice if ClearPass could have done this via onboarding but I guess you can't have everything. Thanks.

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Can Clearpass 6.1 issues machine certs

Since your customer is AD, couldn't you set up an IAS server? I believe this is what is used in the Microsoft world to generate certs for the machines.

Yes, I do agree it would be nice if the ClearPass could do this. Perhaps that functionality might come later. I think though there might be some limitations based on the access the server would have within the AD domain? I could be wrong about that of course.

Super Contributor II
Posts: 429
Registered: ‎01-19-2011

Re: Can Clearpass 6.1 issues machine certs

The issue is not with the issuing of certs but with authenticating machines with certificates. How can Clearpass verify certificates?

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Can Clearpass 6.1 issues machine certs

Oh I see I see, my apologies!

I think I had read in a pdf about machine authentication using certs. with Aruba.

I will see if I can track it down.

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Can Clearpass 6.1 issues machine certs


Matt Finnie wrote:

The issue is not with the issuing of certs but with authenticating machines with certificates. How can Clearpass verify certificates?


Matt,

To authenticate Machine Certs issued from Active Directory, CPPM would only need:

- A server certificate that is trusted by the clients (ideally it would be issued by the AD enterprise CA)

- The CA cert that issued the Machine Certs installed in ClearPass' Trusted Certificate Authorities Store

- A Service with the Authentication Method of EAP-TLS

- (Optional) ClearPass added to AD so that it can do authorization of the username on the certificate via LDAP/AD

- (Optional) An OCSP URL so that ClearPass can check for certificate revocation.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
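
The trust-store requirement in the list above can be reproduced offline with openssl. This is an added example, not part of the thread and not ClearPass code: the CAs, hostnames and file names are constructed, openssl's `sslclient` purpose check stands in for EAP-TLS client-certificate validation, and revocation (OCSP) is not covered.

```shell
# Lab sketch: which machine certificates validate against one trusted issuing CA.
# Every CA name, hostname and path below is constructed for this example.
set -eu

# Create a throwaway self-signed CA (name $2) in directory $1.
make_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.cnf"
  openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a certificate for FQDN $3 from the CA in $1, written to $2.crt.
# $4 is the extended key usage (default clientAuth, as a machine cert needs).
issue_machine_cert() {
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "${4:-clientAuth}" "$3" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# Print "accept" if certificate $2 chains to the trusted CA file $1 and is
# usable for TLS client authentication, otherwise "reject".
check_machine_cert() {
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

demo() {
  work=$(mktemp -d); mkdir "$work/corp" "$work/rogue"
  make_ca "$work/corp"  "Constructed Corp Enterprise CA"   # the CA placed in the trust store
  make_ca "$work/rogue" "Constructed Rogue CA"             # never added to the trust store
  issue_machine_cert "$work/corp"  "$work/pc01" pc01.corp.example
  issue_machine_cert "$work/rogue" "$work/fake" pc01.corp.example
  issue_machine_cert "$work/corp"  "$work/srv"  web.corp.example serverAuth
  trusted="$work/corp/ca.crt"
  echo "machine cert from trusted CA:      $(check_machine_cert "$trusted" "$work/pc01.crt")"
  echo "same hostname, untrusted CA:       $(check_machine_cert "$trusted" "$work/fake.crt")"
  echo "trusted CA, server-only key usage: $(check_machine_cert "$trusted" "$work/srv.crt")"
  rm -rf "$work"
}
demo
```

Only the first certificate is accepted: the second fails because its issuer is not in the trusted CA file even though the hostname matches, and the third fails openssl's client-purpose check.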
