11-30-2015 08:59 AM
We are using EAP-TLS with user certificates, but now we want to add a new security layer: we want to verify that the user who is logged in on the machine is the owner of the certificate.
In other words, we don't want the certificate to be usable by anyone who logs into the machine.
We want to accomplish this without using another SSID and without making changes on the clients. Is that possible?
11-30-2015 09:14 AM
What OS are the machines?
Are they AD joined?
How are you configuring the supplicant? Manually or via Group Policy / .mobileconfig?
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
11-30-2015 10:01 AM
Can you try one-to-one mapping of certificates to user accounts, so that the logged-in user can only use the cert store of his own account? Details in the link below.
One-to-one mapping involves mapping a single user certificate to a single Windows 2000 user account. For example, assume you want to provide a Web page to your employees that will allow them to view and modify their deductions, manage their health care, and other benefits. You want this page to work over the Internet and remain secure. As a solution, you decide to use Windows 2000, certificates, and certificate mapping. You can either issue certificates to each of your employees from your own certificate service, or you can have your employees obtain certificates from a CA approved by your company. You then take these user certificates and map them to the employees' Windows 2000 user accounts. This allows users to connect to the Web page, using the Secure Sockets Layer (SSL) from anywhere by providing their client certificate. Users log on using their user account and normal access controls can be applied.
Abilash (ACCP, CWSP, CWAP, CWDP)
(Above answer is based on my knowledge and NOT an official statement from Aruba)
[Hit Kudos if my reply helps.]
11-30-2015 11:23 AM
Many thanks for your response, but I understand that this is done in Active Directory.
And on the other hand, it seems that I can't verify it exactly.
"In this model, a user presents a certificate, and the system looks at the mapping to determine which user account should be logged on"
Is there another possibility, using the EAP-TLS request from the supplicant and rules in CPPM, to verify that the user logged into the machine is using his own certificate and has not imported one from another user (the users have administrator privileges on their machines)?
12-01-2015 01:09 PM
If the clients are onboarded, then the certificates would contain the client MAC address, which can be validated against the MAC address in the RADIUS request.
If not using Onboard, you might have to enable machine authentication using EAP-TLS. Machine certs are specific to the device and validate that it is a CORP device.
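As an added illustration of the MAC check suggested in the reply above (example code written for this page, not from the thread or from ClearPass; in CPPM the same logic lives in a role-mapping or enforcement rule), here is the comparison of the certificate's device MAC with the RADIUS Calling-Station-Id, tolerant of the different notations a NAS may send. The field Onboard uses to carry the MAC inside the certificate is not named on the page, so the MAC is assumed to have already been extracted and is passed in as a string.

```python
import re
from typing import Optional, Tuple

def normalize_mac(value: str) -> Optional[str]:
    """Reduce common MAC notations (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, aabbccddeeff) to 12 lowercase hex digits; None otherwise."""
    text = value.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{2}([:\-]?[0-9A-Fa-f]{2}){5}|"
                        r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}", text):
        return None
    return re.sub(r"[:\-.]", "", text).lower()

def evaluate_request(cert_mac: Optional[str],
                     calling_station_id: Optional[str]) -> Tuple[bool, str]:
    """Policy decision: the MAC bound into the presented certificate must equal the
    MAC the NAS reported for the client. Missing or unparseable values are rejected,
    so a certificate with no MAC binding never passes by accident."""
    if cert_mac is None:
        return False, "certificate carries no device MAC (not an Onboard-issued cert)"
    if calling_station_id is None:
        return False, "RADIUS request has no Calling-Station-Id"
    cert, req = normalize_mac(cert_mac), normalize_mac(calling_station_id)
    if cert is None or req is None:
        return False, "unparseable MAC in certificate or request"
    if cert != req:
        return False, f"certificate bound to {cert} but request came from {req}"
    return True, "certificate MAC matches client MAC"

# Constructed sample requests: (description, MAC from cert, Calling-Station-Id from NAS)
SAMPLE_REQUESTS = [
    ("cert used on the device it was issued to", "AA:BB:CC:DD:EE:01", "aa-bb-cc-dd-ee-01"),
    ("same cert exported and imported on another laptop", "AA:BB:CC:DD:EE:01", "aabb.ccdd.ee02"),
    ("plain user cert without MAC binding", None, "aabbccddee03"),
    ("NAS sent a malformed Calling-Station-Id", "AA:BB:CC:DD:EE:04", "00:11:22"),
]

def run_samples():
    """Evaluate every constructed request; returns (description, accepted, reason)."""
    return [(desc, *evaluate_request(cert_mac, csid))
            for desc, cert_mac, csid in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for desc, ok, reason in run_samples():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {desc}: {reason}")
```

Only the first sample is accepted; the second is the case the original poster worries about, a valid certificate copied to a machine it was not issued to.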