MVP
Posts: 702
Registered: ‎12-01-2010

Cert only authentication (EAP-TLS)

I realize that issuing a cert from our Windows 2008 CA, and manually importing it on a device, circumvents nearly every feature of ClearPass, and probably makes more work for us in the long run, but here's what we think we want to do:

  • Issue a machine cert from our Windows CA
  • Import that cert onto a wireless device (WindowsCE and WindowsEmbedded devices mostly) which is not a member of the Windows Domain.
  • Use that cert to authenticate the device to our EAP-TLS SSID

Right now the EAP-TLS is working correctly to authenticate Windows Domain member laptops.

On a deeper look, I see that the cert is being used to encrypt the Windows Domain machine name.

I'd really like to get ClearPass to grant a connection to any device bearing a valid certificate.

How do I (or can I) stop ClearPass from trying to verify a user/password or machine name?

Am I barking up the wrong tree?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Cert only authentication (EAP-TLS)

[ Edited ]

Can you verify your EAP-TLS configuration settings under Configuration --> Authentication --> Methods? Depending on the version of CPPM, you may have multiple EAP-TLS configurations defined. Check which one you have used in your service and check to see if the "Certificate Comparison" option is selected or not, and also the Authorization Required check box (uncheck it).

Also, please confirm that the certificate you are importing into your WindowsCE devices contains the private key, and not just the public key, and that the CPPM server has the Windows CA certificate imported as a trusted root CA.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
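The two import checks the reply above asks for (the bundle really carries its private key, and the cert chains to the CA that CPPM holds as a trusted root) as an added shell script; this is not code from the thread or from Aruba. It builds a throwaway CA and two constructed PKCS#12 bundles so it runs offline; the file names, the device CN "wince-scanner-01" and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the thread or from Aruba: pre-flight checks
# for a client PKCS#12 before it is imported on a non-domain device. It fails
# when the bundle has no private key, when key and certificate do not match,
# or when the certificate does not chain to the CA file that ClearPass holds
# as a trusted root. Assumes the openssl CLI is installed.

# make_fixtures DIR: build a throwaway CA plus one correct bundle (good.p12)
# and one exported without its private key (nokey.p12); password "changeit".
make_fixtures() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Example Windows CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/dev.key" -out "$d/dev.csr" \
    -subj "/CN=wince-scanner-01" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/dev.pem" -days 2 2>/dev/null
  openssl pkcs12 -export -in "$d/dev.pem" -inkey "$d/dev.key" \
    -out "$d/good.p12" -passout pass:changeit
  openssl pkcs12 -export -in "$d/dev.pem" -nokeys \
    -out "$d/nokey.p12" -passout pass:changeit
}

# check_client_bundle P12 PASSWORD CA_PEM: returns 0 only if every check passes.
check_client_bundle() {
  p12=$1; pass=$2; ca=$3; t=$(mktemp -d)
  # 1. The classic mistake: the cert was exported without its private key.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$t/key.pem" 2>/dev/null
  if ! grep -q "PRIVATE KEY" "$t/key.pem" 2>/dev/null; then
    echo "FAIL: $p12 contains no private key"; rm -rf "$t"; return 1
  fi
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
    -out "$t/cert.pem" 2>/dev/null
  # 2. Key and certificate must carry the same public key.
  k1=$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$t/cert.pem" -pubkey -noout | openssl sha256)
  if [ "$k1" != "$k2" ]; then
    echo "FAIL: private key does not match certificate"; rm -rf "$t"; return 1
  fi
  # 3. Chain to the same root that is imported into ClearPass. Revocation
  #    (CRL/OCSP) is not checked here; that happens on the server at auth time.
  if ! openssl verify -CAfile "$ca" "$t/cert.pem" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to $ca"; rm -rf "$t"; return 1
  fi
  echo "OK: $(openssl x509 -in "$t/cert.pem" -noout -subject)"
  rm -rf "$t"
}
```

Run `make_fixtures` into a scratch directory and then point `check_client_bundle` at each bundle; on a real export, pass the CA PEM that was imported into CPPM as the third argument.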

MVP
Posts: 702
Registered: ‎12-01-2010

Re: Cert only authentication (EAP-TLS)

Thanks, you were right, and I'd already done those steps, I just hadn't removed the domain controller from the Authentication Sources list. Now the only thing it can test is the cert.

--Matthew

Contributor I
Posts: 23
Registered: ‎01-10-2014

Re: Cert only authentication (EAP-TLS)

Hey Matthew,

I have the same issue.

I don't know what to use as the authentication source. I can't leave the field blank.

Have you got any hints for me?

Thanks in advance.

Best regards,

Marcel

Moderator
Posts: 457
Registered: ‎11-09-2012

Re: Cert only authentication (EAP-TLS)

Guys,

As I understand this, you want to retain your existing MSFT CA PKI.... why not let CPPM issue client certs from ADCS..... we can interoperate, so you can onboard through CPPM but use the existing PKI CA. In short, we generate a CSR and fire that to ADCS, get the cert and send it to the client.

This is fully documented in one of our technotes available from the support site.

ADCS with ClearPass Onboard v1.1.pdf

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Contributor I
Posts: 23
Registered: ‎01-10-2014

Re: Cert only authentication (EAP-TLS)

[ Edited ]

Hey Danny,

Thanks for your answer.

Unfortunately, this is not an option, because the certificates will be automatically issued to IGEL ThinClients. The certs are still on the devices, but with no AD account.

However, my goal is to give any device access to a specific SSID with a valid (not revoked) certificate.

Have you got any further ideas for the authentication source?

Best regards,

Marcel

----

History

- corrected some typing mistakes.

Contributor I
Posts: 23
Registered: ‎01-10-2014

Re: Cert only authentication (EAP-TLS)

Ok. I was a fool.

I had forgotten that I must untick "Authorization Required" in the "Authentication Method".

Grrrr....

Thanks to everyone who was involved.

[Screenshot: 2015-03-11 09_55_09-ClearPass Policy Manager.jpg]

Occasional Contributor I
Posts: 5
Registered: ‎04-29-2016

Re: Cert only authentication (EAP-TLS)

Hi Gentlemen,

I'm facing kind of the same issue. I'm a bit new to Aruba. I got an Aruba controller as well as a ClearPass server to do the same TLS authentication collaborated with MAC authentication. My CA will be the ClearPass server itself. Is there any guidance I can refer to on how to achieve this without onboarding?

1. Generate a cert and import it to the client

2. The ClearPass service should only do TLS and MAC auth and send enforcement to the WLC

3. The WLC will assign the allowed profile with the correct VLAN.

Currently we are running 802.1X and onboarding for another SSID. I don't want to use the same SSID for this requirement. Please advise.

Thanks in advance

Kind regards

Chaamas

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: Cert only authentication (EAP-TLS)

If your CA is ClearPass, you'll be doing Onboarding.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 5
Registered: ‎04-29-2016

Re: Cert only authentication (EAP-TLS)

Thanks Tim. I would like to know, without going through the onboarding process, will I be able to import the cert into the client and go directly to a ClearPass provisioning service? How should I configure the service for that? This client will not have a username and password.

For the MAC check, I can use a static host list in the enforcement policy.

Thank you in advance

Kind regards

Chaamas
