MVP
Posts: 1,413
Registered: 11-30-2011

ClearPass EAP TLS configuration

I'm looking at EAP-TLS authentication and don't quite get the options in the configuration. Basically, ClearPass just passes the request on to the AD behind it, which returns an OK or not OK?

Why can you then set "Certificate Comparison", and what do the different options mean? With "Do not compare", is the certificate actually checked by the AD at all? And what if I select "Compare Common Name (CN)", who is comparing it then?

Contributor II
Posts: 48
Registered: 12-17-2012

Re: ClearPass EAP TLS configuration

Hello,

I am having the same problem with the EAP-TLS authentication dialog box as 'boneyard' wrote back in July of 2012.

It's purely a problem of understanding the options presented in the EAP-TLS authentication method dialog box. The CPPM online help isn't very helpful, either.

My basic question is about the options in the 'Method Details' part of the dialog box (see attached screenshot).

If I select 'Compare CN or SAN', for instance, against what is the client certificate being checked? Is it being checked against the certificates in the 'Trust List' that are enabled?

Thanks for your help!

cheers,

Harald

Guru Elite
Posts: 21,007
Registered: 03-29-2007

Re: ClearPass EAP TLS configuration

Please see page 107 of the ClearPass Policy Manager user guide here: http://support.arubanetworks.com/DesktopModules/Bring2mind/DMX/Download.aspx?TabId=77&DMXModule=512&Command=Core_Download&EntryId=10426&PortalId=0

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 48
Registered: 12-17-2012

Re: ClearPass EAP TLS configuration

Thanks for the reply!

The information on page 107 is the same as in the CPPM online help.

Still, I am not sure what to make of it. Maybe it's a language problem or a lack of understanding on my side.

If I choose 'Compare CN or SAN', does CPPM compare the client certificate against information stored in Active Directory? Or does CPPM compare the client certificate against its own internal Trust List?

cheers,

Harald

MVP
Posts: 371
Registered: 01-14-2010

Re: ClearPass EAP TLS configuration

All,

I was asked about this a little while ago and came up with a kludgy way to get around this with an Active Directory backend. The first set of commands is applied as a new filter under the Active Directory server itself. Here's how to pull it off:

1. Go to Configuration > Authentication > Sources > "Your AD Server"

2. Click on the "Attributes" tab

3. Click on "Add More Filters"

4. Click on the "Configuration" tab

5. Under "Filter Name" enter something relevant for you. I'm going to call it ToP-Test

6. Under "Filter Query" enter the following:

(&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))

7. Under "Name" enter the following: sAMAccountName

8. Under "Alias Name" enter the following: DisabledAccount

9. Under "Data Type" select "String"

10. Under "Enabled As" check the "Attribute" box

The second step is to make a change to the role or enforcement setting and add the following:

AND Authorization:<Your AD Server> DisabledAccount  NOT_CONTAINS  %{Radius:IETF:User-Name}

The above line will do a search for the username in the newly defined "DisabledAccount" field. Note that you may have to clear the cache on the AD server after making these changes.

You'll now see under Access Tracker > "OnBoarding Connection" > Request Details > Input that there's a new field that references "DisabledAccount" with all of the disabled accounts from your AD server. The role or enforcement setting will compare the disabled accounts on your AD box with the username that you send. This allows you to still do a certificate EAP-TLS connection and also verify whether the account has been disabled in AD.

Let me know what you think - thanks!

-Mike
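To make the semantics of Mike's workaround concrete, here is an added example (written for this thread, not code from the post, from Aruba or from ClearPass) that models the LDAP filter and the NOT_CONTAINS enforcement condition in plain Python over a few constructed AD entries. The extensible-match OID 1.2.840.113556.1.4.803 in the filter is the LDAP_MATCHING_RULE_BIT_AND rule, so the filter selects user objects whose userAccountControl has the ACCOUNTDISABLE bit (value 2) set. Everything about how the RADIUS User-Name is normalised (stripping a DOMAIN\ prefix or @realm suffix, case-insensitive comparison) and the assumption that CONTAINS is a whole-value match are mine, not something the post states; confirm them against your own ClearPass build.

```python
# Added example (not from the post or from ClearPass): a plain-Python model of
# the AD filter and the enforcement condition described above, run over
# constructed directory entries so the matching logic can be checked offline.

ACCOUNTDISABLE = 0x0002                # userAccountControl bit tested by ":=2" in the filter
SAM_NORMAL_USER_ACCOUNT = 805306368    # sAMAccountType value for ordinary user objects

# Constructed sample entries; userAccountControl holds bit flags as AD stores them.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 0x00200, "sAMAccountType": 805306368},  # NORMAL_ACCOUNT, enabled
    {"sAMAccountName": "bob",   "userAccountControl": 0x00202, "sAMAccountType": 805306368},  # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"sAMAccountName": "carol", "userAccountControl": 0x10202, "sAMAccountType": 805306368},  # also DONT_EXPIRE_PASSWD, still disabled
    {"sAMAccountName": "WS01$", "userAccountControl": 0x01002, "sAMAccountType": 805306369},  # disabled machine account, not a user
]


def matches_filter(entry):
    """Python equivalent of
    (&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368)).
    1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: true when every bit
    of the given value is set in the attribute."""
    uac = int(entry["userAccountControl"])
    return (uac & ACCOUNTDISABLE) == ACCOUNTDISABLE and entry["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT


def disabled_accounts(entries):
    """Builds the multi-valued DisabledAccount attribute: the sAMAccountName of
    every entry the filter matches."""
    return [e["sAMAccountName"] for e in entries if matches_filter(e)]


def normalise_user_name(user_name):
    """Reduces a RADIUS User-Name to a bare account name for comparison with
    sAMAccountName. Assumption (not in the post): the name may arrive as
    DOMAIN\\user or user@realm, and sAMAccountName compares case-insensitively."""
    name = user_name.split("\\")[-1]   # drop DOMAIN\ prefix
    name = name.split("@")[0]          # drop @realm suffix
    return name.lower()


def account_allowed(disabled, user_name):
    """Models 'Authorization:<AD> DisabledAccount NOT_CONTAINS %{Radius:IETF:User-Name}'
    as an exact, case-insensitive membership test. Whether ClearPass's CONTAINS
    is a whole-value or a substring match should be confirmed in a lab: a
    substring match would also deny 'bob' when only 'bobby' is disabled."""
    wanted = normalise_user_name(user_name)
    return all(normalise_user_name(d) != wanted for d in disabled)


if __name__ == "__main__":
    disabled = disabled_accounts(SAMPLE_ENTRIES)
    print("DisabledAccount =", disabled)
    for user in ["alice", "Bob", "CORP\\carol", "bob@corp.example", "dave"]:
        print(f"{user:20} allowed={account_allowed(disabled, user)}")
```

Note that the machine account WS01$ is disabled but excluded by the samAccountType clause, which is why the filter needs both terms: without it, every disabled computer object would also land in DisabledAccount. The normalisation step matters because with EAP-TLS the User-Name is typically derived from the certificate identity, which may not be the bare sAMAccountName the filter returns; if the two forms differ, the NOT_CONTAINS check silently passes.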
Aruba
Posts: 1,542
Registered: 06-12-2012

Re: ClearPass EAP TLS configuration

Thank you for the info, Mike.

There will be support coming for ClearPass to natively check for account status "active or disabled" instead of having to add userAccountControl.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
New Contributor
Posts: 3
Registered: 05-13-2013

Re: ClearPass EAP TLS configuration

Hi,

We are doing authentication against the guest user database, as they are company devices with guests using them. Onboarding the TLS certificates allows for easy management of these devices.

The problem I have is that Account expiry and Account status (Active or disabled) do not have any effect on the authentication of the TLS certificate. I have tried looking for these fields so I could do an enforcement policy and/or role mapping, but I cannot see them.

Am I missing something? At the moment, I am getting the users to set the User Role to "Disabled" and this works. Ideally I would like accounts to expire automatically and cause the authentication to drop off.

Aruba
Posts: 1,542
Registered: 06-12-2012

Re: ClearPass EAP TLS configuration

Are you looking at the AD for expiration or the age of the certificate?
Thank You,
Troy

New Contributor
Posts: 3
Registered: 05-13-2013

Re: ClearPass EAP TLS configuration

Not looking at AD at all, this is a guest user database.

Aruba
Posts: 1,542
Registered: 06-12-2012

Re: ClearPass EAP TLS configuration

You will need to make sure that in your authz in your service you have a query to check for account status.

If you use the guest MAC authentication service template, it will create the source query automatically.

Add that source to your authz.

In your enforcement, add a post-auth check for expiration. It should look a lot like the guest .1x service that was created using the template.
Thank You,
Troy
