Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass RADIUS Authentication issue using 802.1X Wireless Service

  • 1.  ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Apr 22, 2013 01:25 PM

    Hello All,

     

    I'm currently attempting to set up a Customer to use 802.1X authentication with Active Directory (AD) as an Authentication and Authorization Source.

     

    I have successfully integrated ClearPass PM to the AD Domain.

     

    The 802.1X Wireless Service has been set up just fine.

     

    However, when we attempt to connect to the WLAN, we have to reauthenticate multiple times before this works. It generates like a "Certificate Error" and then requests if you need to terminate or connect. We have to click on connect multiple times when this error is prompted and then it finally works.

     

    When I look at the Access Tracker on CPPM, I notice that it seems the Laptop is sending a Machine Credential instead of a User Credential and we get the error message from CPPM stating "User Not Found". However when it finally works, we then see a User Credential was sent.

     

    Is there something that I need to do in order for User Credentials to be sent instead of Machine Credentials?

     



  • 2.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    EMPLOYEE
    Posted Apr 22, 2013 01:35 PM

    If this is Windows 7, you would need to make sure:

     

    (1) The client trusts the certificate of the ClearPass server (or uncheck Validate Server Certificate on the Windows 7 client)

    (2) In the Advanced Settings for 802.1x on the Windows 7 client there is an option to submit user or machine credentials.  You can make it user only to avoid the second situation you are describing.

     



  • 3.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Apr 22, 2013 01:45 PM

    With regard to trusting the CPPM Certificate, how do I go about this?

     

    Secondly, if I attempt to set up the Client (PC/Laptop) using User Credentials only, how do I address a situation where the Customer says that their Users are required to change their Domain Password every 3 months? Does that mean that I have to then go back to every Client and change the "Password" under the Advanced Setting? Or is this done automatically?



  • 4.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    EMPLOYEE
    Posted Apr 22, 2013 01:49 PM

    Let us back things up.  Did you issue a server certificate to CPPM?  If so, was it from an internal CA or a public CA?  If it has not been done, that probably means you are using termination on the Aruba Controller, which means it is using Aruba's self-signed certificate.

     

    You need to obtain a server certificate either (1) from the customer's internal CA or (2) a public CA that all the customer's clients trust and issue it to CPPM.

     

    If that has been done, you need to do that before you go further.

     



  • 5.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Apr 22, 2013 01:54 PM

    I suspected I would need to do that. 

     

    I'll reach out to the Customer and address the Certificate issue.

     

    Thanks again.



  • 6.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service
    Best Answer

    Posted Apr 24, 2013 06:25 PM

    Okay. So I decided to run the Customer's Microsoft Active Directory as a Certificate Authority.

     

    This worked for me.



  • 7.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    EMPLOYEE
    Posted Apr 24, 2013 06:49 PM
    Awesome!


  • 8.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Aug 09, 2013 10:29 AM

    Hi,

     

    I'm looking for a HowTo for integrating ClearPass and Machine Auth with Microsoft Active Directory as a Certificate Authority.

    Do you have this?

     

    Regards

     

    Yann



  • 9.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Aug 09, 2013 10:54 AM

    Hi Yann,

     

    I don't have an Application Note for this integration.

     

    But if you reference the Aruba ClearPass User Guide, it should be a good starting point.

    However, it really depends on what you want to do.

     

    I noticed you said you wanted to use AD as a Certificate Authority. Is this for Onboarding?



  • 10.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Aug 09, 2013 11:00 AM

    Thanks for your reply

    No, I want to authenticate my Win7 machine by certificate.

    My RADIUS server is the CPPM and my Cert Server is my Windows 2003.

    I want my machine to be able to log on to my Wireless Network without the user credential.

     

    regards

     

    Yann



  • 11.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    EMPLOYEE
    Posted Aug 09, 2013 10:56 AM

    @Yann Dorval wrote:

    Hi,

     

    I'm looking for a HowTo for integrating ClearPass and Machine Auth with Microsoft Active Directory as a Certificate Authority.

    Do you have this?

     

    Regards

     

    Yann


    Please see the guide here:  http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/TechNote-v1-3-Aruba-Wireless-and-ClearPass-6-Integration-Guide/ta-p/70714

     



  • 12.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Aug 09, 2013 11:03 AM

    Hi Joseph,

     

    I have already configured my 802.1x, the users can connect with their AD Login and Password. And it works well.

     

    Yann



  • 13.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    EMPLOYEE
    Posted Aug 09, 2013 11:11 AM

    @Yann Dorval wrote:

    Hi Joseph,

     

    I have already configured my 802.1x, the users can connect with their AD Login and Password. And it works well.

     

    Yann


    The configuration for EAP-TLS on ClearPass is very minimal.

     

    You need to (1) Import the Root CA from your Windows 2003 CA into Administration > Certificates > Trust List

    (2) In your existing 802.1x service you need to add the built-in [EAP-TLS] authentication method.

     

    That is all you have to do for basic EAP-TLS support.

     

    Outside of the ClearPass configuration, you need to (1) issue a client-side certificate from your CA (2) Change your WLAN settings to "Smartcard or Certificate" instead of PEAP on your clients.
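
Added example (not part of the original posts, and not Aruba or ClearPass code): the certificate checks this thread turns on, reproduced offline with `openssl`. A constructed lab root CA stands in for the customer's internal CA; the script shows that a client trusting only that root accepts a CA-issued server certificate and rejects a self-signed one, and that a certificate presented for EAP-TLS must carry the client-authentication usage. The file names, subject names and the `issue`, `make_pki` and `check` helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Every key, name and certificate here is constructed in a temp dir.
set -eu

issue() {  # $1=dir $2=profile (server|client) $3=CN : sign a cert with the lab CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/pki.cnf" -extensions "$2" -days 2 \
    -out "$1/$2.pem" 2>/dev/null
}

make_pki() {  # $1=dir : lab root CA, one self-signed server cert, two CA-issued certs
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[server]
extendedKeyUsage = serverAuth
[client]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" -extensions ca \
    -subj "/CN=Constructed Internal Root CA" -days 2 \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/pki.cnf" -extensions server \
    -subj "/CN=selfsigned-radius.example" -days 2 \
    -keyout "$1/ss.key" -out "$1/selfsigned.pem" 2>/dev/null
  issue "$1" server radius.example
  issue "$1" client laptop01.example
}

check() {  # $1=dir $2=purpose (sslserver|sslclient) $3=cert file : prints OK or FAIL
  if openssl verify -CAfile "$1/ca.pem" -purpose "$2" "$1/$3" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

d=$(mktemp -d)
make_pki "$d"
echo "server cert issued by the internal CA: $(check "$d" sslserver server.pem)"
echo "self-signed server cert:               $(check "$d" sslserver selfsigned.pem)"
echo "client cert used for EAP-TLS:          $(check "$d" sslclient client.pem)"
echo "client cert presented as a server:     $(check "$d" sslserver client.pem)"
rm -rf "$d"
```

To run the same checks against real files, export the issuing root as PEM and pass it with `-CAfile` in place of the constructed `ca.pem`.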



  • 14.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Aug 09, 2013 11:46 AM

    OK, I will try this next week, thank you for everything.

     

    Yann



  • 15.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    Posted Sep 04, 2013 12:00 PM

    Unfortunately, it doesn't work ...

     

    Do I need to import the Root CA from my Windows 2003 CA into my Aruba Controller?

     

    Regards

     

    Yann 



  • 16.  RE: ClearPass RADIUS Authentication issue using 802.1X Wireless Service

    EMPLOYEE
    Posted Sep 04, 2013 12:03 PM

    @Yann Dorval wrote:

    Unfortunately, it doesn't work ...

     

    Do I need to import the Root CA from my Windows 2003 CA into my Aruba Controller?

     

    Regards

     

    Yann 


    Please be more specific.  What does not work and what error message are you seeing?