Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clear Pass - EAP-TLS and user login

  • 1.  Clear Pass - EAP-TLS and user login

    Posted Nov 30, 2015 12:00 PM

    We are using EAP-TLS with user certificates, but now we want to add a new security layer: we want to verify that the user who is logged in on the machine is the owner of the certificate.

    In other words, we don't want the certificate to be usable by anyone who logs into the machine.

    We want to accomplish this without using another SSID and without making changes to the clients. Is that possible?

    Regards,

    EF



  • 2.  RE: Clear Pass - EAP-TLS and user login

    EMPLOYEE
    Posted Nov 30, 2015 12:15 PM
    What CA is issuing the certificate?
    What OS are the machines?
    Are they AD joined?
    How are you configuring the supplicant? Manually or via Group Policy / .mobileconfig?


  • 3.  RE: Clear Pass - EAP-TLS and user login

    Posted Nov 30, 2015 12:39 PM
    Private CA from the customer, the users' machines are Windows joined to the domain, and the supplicant is configured manually.
    Regards.

    EF


  • 4.  RE: Clear Pass - EAP-TLS and user login

    Posted Nov 30, 2015 01:02 PM

    Can you try one-to-one mapping of certificates to user accounts, so that the logged-in user can use the cert store of his account alone? Details in the link below.

    https://msdn.microsoft.com/en-us/library/bb742438.aspx

    One-to-One Mapping

    One-to-one mapping involves mapping a single user certificate to a single Windows 2000 user account. For example, assume you want to provide a Web page to your employees that will allow them to view and modify their deductions, manage their health care, and other benefits. You want this page to work over the Internet and remain secure. As a solution, you decide to use Windows 2000, certificates, and certificate mapping. You can either issue certificates to each of your employees from your own certificate service, or you can have your employees obtain certificates from a CA approved by your company. You then take these user certificates and map them to the employees' Windows 2000 user accounts. This allows users to connect to the Web page, using the Secure Sockets Layer (SSL) from anywhere by providing their client certificate. Users log on using their user account and normal access controls can be applied.



  • 5.  RE: Clear Pass - EAP-TLS and user login

    Posted Nov 30, 2015 02:23 PM

    Many thanks for your response, but I understand that this is done in Active Directory.

    And on the other hand, it seems that I can't verify it exactly.

    "In this model, a user presents a certificate, and the system looks at the mapping to determine which user account should be logged on"

    Is there another possibility, using the EAP-TLS request from the supplicant and rules in CPPM, to verify that the user logged in on the machine is using his certificate and has not imported one from another user (the users have administrator privileges on their machines)?

    Regards,

    EF



  • 6.  RE: Clear Pass - EAP-TLS and user login

    Posted Dec 01, 2015 04:10 PM

    If the clients are onboarded, then the certificates would have the client MAC address, which can be validated against the MAC address in the RADIUS request.

    If not using Onboard, you might have to enable machine authentication using EAP-TLS. Machine certs are specific to the device and validate that it's a CORP device.
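The two device-binding checks described in the reply above, as an added example that is not ClearPass code and not from any poster in this thread. It assumes the MAC embedded in an Onboard-issued certificate is available as a parsed attribute (modelled here as a dict key "mac") and that the NAS reports the client MAC in the RADIUS Calling-Station-Id; the request values below are constructed.

```python
import re

# Assumption: the certificate's MAC is already parsed into a dict like
# {"mac": "aa:bb:cc:dd:ee:ff"}; how Onboard encodes it is not shown here.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Reduce common MAC spellings to 12 lowercase hex digits.
    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff. Returns None for anything that is not a MAC address,
    so malformed input can never accidentally compare equal."""
    if value is None:
        return None
    digits = re.sub(r"[:\-.]", "", value.strip()).lower()
    return digits if _HEX12.match(digits) else None


def cert_mac_matches_request(cert_attrs, calling_station_id):
    """True only when the MAC bound into the certificate equals the MAC the
    NAS reported in Calling-Station-Id. Missing values fail closed."""
    cert_mac = normalize_mac(cert_attrs.get("mac"))
    req_mac = normalize_mac(calling_station_id)
    return cert_mac is not None and req_mac is not None and cert_mac == req_mac


def decide(cert_attrs, calling_station_id, machine_authenticated):
    """Policy outcome for one EAP-TLS request.
    Onboarded clients (cert carries a MAC) must present it from the device
    the cert was issued to; everyone else must also have passed machine
    authentication, so a user cert copied to another box is rejected."""
    if "mac" in cert_attrs:
        if cert_mac_matches_request(cert_attrs, calling_station_id):
            return "allow:mac-bound-cert"
        return "deny:cert-mac-mismatch"
    if machine_authenticated:
        return "allow:machine-authenticated"
    return "deny:no-device-binding"


if __name__ == "__main__":
    # Constructed sample: user cert issued to aa:bb:cc:dd:ee:ff, presented
    # from a different laptop that sends 11-22-33-44-55-66.
    print(decide({"mac": "aa:bb:cc:dd:ee:ff"}, "11-22-33-44-55-66", False))
```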