Contributor I
Posts: 30
Registered: ‎10-06-2015

Clear Pass - EAP-TLS and user login

We are using EAP-TLS with user certificates, but now we want to add a new security layer: we want to verify that the user who is logged in to the machine is the owner of the certificate.

In other words, we don't want the certificate to be usable by anyone who logs in to the machine.

We want to accomplish this without using another SSID and without making changes on the clients. Is that possible?

Regards,

EF

Guru Elite
Posts: 8,022
Registered: ‎09-08-2010

Re: Clear Pass - EAP-TLS and user login

What CA is issuing the certificate?
What OS are the machines?
Are they AD joined?
How are you configuring the supplicant? Manually or via Group Policy / .mobileconfig?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 30
Registered: ‎10-06-2015

Re: Clear Pass - EAP-TLS and user login

Private CA from the customer; the users' machines are Windows, joined to the domain, and the supplicant is configured manually.
Regards.

EF
Aruba Employee
Posts: 49
Registered: ‎12-28-2012

Re: Clear Pass - EAP-TLS and user login

Can you try one-to-one mapping of certificates to user accounts, so that the logged-in user can use the cert store of his account alone? Details in the link below.

https://msdn.microsoft.com/en-us/library/bb742438.aspx

One-to-One Mapping

One-to-one mapping involves mapping a single user certificate to a single Windows 2000 user account. For example, assume you want to provide a Web page to your employees that will allow them to view and modify their deductions, manage their health care, and other benefits. You want this page to work over the Internet and remain secure. As a solution, you decide to use Windows 2000, certificates, and certificate mapping. You can either issue certificates to each of your employees from your own certificate service, or you can have your employees obtain certificates from a CA approved by your company. You then take these user certificates and map them to the employees' Windows 2000 user accounts. This allows users to connect to the Web page, using the Secure Sockets Layer (SSL) from anywhere by providing their client certificate. Users log on using their user account and normal access controls can be applied.

Thanks,
Abilash (ACCP, CWSP, CWAP, CWDP)
(Above answer is based on my knowledge and NOT an official statement from Aruba)
[Hit Kudos if my reply helps. ]
Contributor I
Posts: 30
Registered: ‎10-06-2015

Re: Clear Pass - EAP-TLS and user login

Many thanks for your response, but I understand that this is done in Active Directory.

And on the other hand, it seems that I can't verify it exactly.

"In this model, a user presents a certificate, and the system looks at the mapping to determine which user account should be logged on"

Is there another possibility, using the EAP-TLS request from the supplicant and rules in CPPM, to verify that the user logged in to the machine is using his own certificate and has not imported one from another user? (The users have administrator privileges on their machines.)

Regards,

EF

Aruba Employee
Posts: 10
Registered: ‎05-27-2013

Re: Clear Pass - EAP-TLS and user login

If the clients are onboarded, then the certificates would have the client MAC address, which can be validated against the MAC address in the RADIUS request.

If not using Onboard, you might have to enable machine authentication using EAP-TLS. Machine certs are specific to the device and validate that it's a CORP device.
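The check described in the reply above, binding a device certificate to the MAC address seen in the RADIUS request, as an added example that is not code from the thread, from Aruba, or from ClearPass. It assumes the RADIUS server has already validated the certificate chain and extracted the certificate's identity strings (subject CN and SAN entries, here constructed sample values); where Onboard actually places the MAC inside the certificate is not specified in the thread, so the code simply scans those strings for MAC-shaped tokens. Calling-Station-Id formats vary by NAS vendor, so both sides are normalized before comparison.

```python
import re

# Constructed sample input (not from the thread): the attributes a RADIUS
# server sees in an Access-Request for an EAP-TLS client.
SAMPLE_RADIUS_REQUEST = {
    "User-Name": "host/LAPTOP-01.corp.example",
    "Calling-Station-Id": "00-11-22-AA-BB-CC",
}

# Constructed sample certificate identity strings, assumed to have been
# extracted from an already-validated client certificate.
SAMPLE_CERT_FIELDS = ["CN=00-11-22-aa-bb-cc", "DNS:laptop-01.corp.example"]

# Matches colon/dash-separated, unseparated, and Cisco dotted MAC spellings.
MAC_PATTERN = re.compile(
    r"(?:[0-9a-fA-F]{2}[:\-]?){5}[0-9a-fA-F]{2}"
    r"|(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}"
)


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if it isn't one.

    Calling-Station-Id arrives in vendor-specific shapes (00-11-22-aa-bb-cc,
    00:11:22:aa:bb:cc, 0011.22aa.bbcc, 001122aabbcc); strip separators first.
    """
    if value is None:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(digits) != 12:
        return None
    return digits.lower()


def macs_in_certificate(cert_fields):
    """Collect every normalized MAC-shaped token found in the cert's identity strings."""
    found = set()
    for field in cert_fields:
        for token in MAC_PATTERN.findall(field):
            mac = normalize_mac(token)
            if mac:
                found.add(mac)
    return found


def certificate_matches_client(cert_fields, radius_request):
    """Decide whether the presenting device is the one the certificate was issued to.

    Returns (decision, reason). Fails closed: a request with no usable MAC, or a
    certificate that carries no device MAC, cannot be bound and is rejected by
    this rule (an operator may route such cases to a separate policy instead).
    """
    station = normalize_mac(radius_request.get("Calling-Station-Id"))
    if station is None:
        return ("reject", "no usable Calling-Station-Id in request")
    cert_macs = macs_in_certificate(cert_fields)
    if not cert_macs:
        return ("reject", "certificate carries no device MAC; cannot bind it to the device")
    if station in cert_macs:
        return ("accept", f"certificate is bound to {station}")
    return ("reject", f"certificate is bound to {sorted(cert_macs)}, request came from {station}")


if __name__ == "__main__":
    decision, reason = certificate_matches_client(SAMPLE_CERT_FIELDS, SAMPLE_RADIUS_REQUEST)
    print(decision, "-", reason)
    # A copy of the same certificate presented from another adapter is refused.
    moved = dict(SAMPLE_RADIUS_REQUEST, **{"Calling-Station-Id": "DE:AD:BE:EF:00:01"})
    print(*certificate_matches_client(SAMPLE_CERT_FIELDS, moved), sep=" - ")
```

Note that this binds the certificate to a device, which is what the reply proposes; it does not by itself prove which user is logged in, so a user-level check still needs the certificate's user identity compared against the authenticated session.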
