Frequent Contributor I
Posts: 60
Registered: ‎08-31-2016

Clearpass 802.1x AD auth certificates

Hello,

 

I'm trying to get 802.1x authentication using Active Directory set up before deploying to my users.

 

Intended setup: the user attempts to connect to the SSID. Based on their current AD login, if the account is a memberOf the correct group, allow them to connect to the SSID.

 

I'm not very knowledgeable on certificates and could use assistance in understanding what I'm missing.

 

I have ClearPass added to the AD domain, and I have an HTTPS cert set up from a trusted CA (GoDaddy), which is also in the trust list, as well as a RADIUS cert from my AD, which is also in the trust list. Both have the full trust chain included.

 

I have a basic policy check. It is set up so that if a user is a member of "testgroup", then use the "allow access profile". I ran policy simulation, and authentication is successful. However, I'm testing the connection to the SSID on a Windows XP laptop (unsupported, but we still have some). I receive an alert "Windows was unable to find a certificate to log you on to the network XXXX".

 

Do I need to issue a cert to the client before it is able to connect to wireless? Or is a cert not needed on the client for the setup I'm intending?

 

If anything is unclear or more information is needed, please ask and I will do my best to clarify.

MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: Clearpass 802.1x AD auth certificates

What type of EAP authentication are you using, TLS or PEAP?

I assume it is, but is that Internal Root CA trusted on the wireless client?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 60
Registered: ‎08-31-2016

Re: Clearpass 802.1x AD auth certificates

EAP-TLS is the authentication we would like to go for, as I understand it will provide some extra security over PEAP, without delaying the user from accessing the SSID.

 

The Internal Root CA (AD) is in the Trusted Root Cert Auths on the client.

 

Thank you,

MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: Clearpass 802.1x AD auth certificates

So you can implement this using either ADCS/Group Policy cert autoenrollment for AD user and domain computer, or just cert autoenrollment for domain computer.

For either option you will need to configure a cert template in ADCS:

https://technet.microsoft.com/en-us/library/dd379529(v=ws.10).aspx

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 60
Registered: ‎08-31-2016

Re: Clearpass 802.1x AD auth certificates

 

I'll be trying to implement this for ADCS/GP cert autoenrollment for AD User (and domain PC if mandatory to create this rule).

 

For the cert template, essentially, I would just add the group I created for the SSID Access Policy to the already active cert template I have for domain authentication (Domain Controller authentication), and have that group enabled for autoenroll in its security?

 

I believe I've gone through each of the steps listed, for GP and the CA, and verified my config. My client is still receiving the same error of being unable to find the cert. I've only been teaching myself about certs over the past 48 hours and how to configure them between CA, servers, and clients, so I could very well be missing something important; I'm still rather new to this.

 

Thank you

 

Frequent Contributor I
Posts: 60
Registered: ‎08-31-2016

Re: Clearpass 802.1x AD auth certificates

[ Edited ]

I had a bit of a mismatch on PEAP vs TLS settings. I've opted to put everything onto TLS.

Now I'm able to connect, but only when Verify Server Certificate is disabled. I assume then that I will need to import the ClearPass RADIUS cert into AD to have this verification work successfully?

 

Error message (edited domain and bind account):

 

Active Directory - name.domain.com:636: account@domain.com bind failed - Can't contact LDAP server
EAP-TLS: Authentication failure, unknown user

 

Edit* https://support.microsoft.com/en-ca/kb/321051

As per the above support article: I haven't seen it mentioned anywhere previously while setting up ClearPass, but it seems to be related. Will I need to create an LDAPS certificate on my DC server (same as LDAP), and import that to the ClearPass Trust List to allow TLS to occur with Verify Server Certificate?

Guru Elite
Posts: 20,366
Registered: ‎03-29-2007

Re: Clearpass 802.1x AD auth certificates

Have you tried just using plain 389, LDAP, instead of 636? You would typically use 636 if the network between your ClearPass server and your LDAP server is not trusted.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 8,011
Registered: ‎09-08-2010

Re: Clearpass 802.1x AD auth certificates

Yes, the LDAP server certificate should be imported into the trust list.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
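Added example, not from the thread or from ClearPass itself: it builds a throwaway internal root CA and a server certificate for a hypothetical domain controller "dc01.example.test", then checks that certificate the way a "Verify Server Certificate" option does when the RADIUS server opens an LDAPS (636) connection: the cert must chain to a CA in the trust list, and its name must match the host in the LDAP URL. The CA names, host names and file paths are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): mimic a NAC server's "Verify Server
# Certificate" check against a hypothetical DC "dc01.example.test".
set -eu
WORK=$(mktemp -d)

# Throwaway CAs: ca.pem stands in for the AD CS root that issued the DC's
# cert; other_ca.pem for a trust list that lacks it (e.g. only public CAs).
new_ca() {  # new_ca NAME OUTFILE  (private key lands beside OUTFILE as .key)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "${2%.pem}.key" -out "$2" 2>/dev/null
}
new_ca "Example Internal Root CA" "$WORK/ca.pem"
new_ca "Unrelated Root CA"        "$WORK/other_ca.pem"

# Server certificate for the DC, issued by the internal CA. Against a real DC
# the chain would be captured with: openssl s_client -connect dc:636 -showcerts
openssl req -newkey rsa:2048 -nodes -subj "/CN=dc01.example.test" \
  -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/dc.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/dc.pem" 2>/dev/null

# verify_server_cert TRUSTLIST CERT HOSTNAME
# Returns 0 only when CERT chains to a CA in TRUSTLIST *and* CERT carries
# HOSTNAME (the host configured in the LDAPS URL); 1 otherwise.
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Issuing CA in the trust list and the name matches: accepted.
verify_server_cert "$WORK/ca.pem" "$WORK/dc.pem" dc01.example.test \
  && echo "issuing CA trusted, name matches: accepted"
# Trust list holds a different CA: rejected, which a NAC server may surface
# only as a generic "Can't contact LDAP server".
verify_server_cert "$WORK/other_ca.pem" "$WORK/dc.pem" dc01.example.test \
  || echo "issuing CA missing from trust list: rejected"
# Right CA, but the LDAP URL uses a name the cert does not carry: rejected.
verify_server_cert "$WORK/ca.pem" "$WORK/dc.pem" ldap.example.test \
  || echo "host name mismatch: rejected"
```

Disabling the verify option makes all three cases "work", which is why the second and third rejections are the ones worth reproducing before turning it back on.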
Frequent Contributor I
Posts: 60
Registered: ‎08-31-2016

Re: Clearpass 802.1x AD auth certificates

@cjoseph I'm able to successfully authenticate if I don't have the "Verify Server Certificate" option enabled, so before I continue troubleshooting and changing ports to try to get this setting to work, I'd like to know what this option is actually doing for both PEAP and TLS.

 

Is it an important setting to have "verify server certificate" enabled for either authentication type, or something that can be left disabled?

 

Also, I've noticed when I'm authenticating against TLS my authentication fails on some accounts. The failing and successful accounts are located in the same location in the DC, and have the same roles. The only difference is the display name format (not account name). Is this something I need to address in the service I created for 802.1x under authentication "strip username rules"? I would have thought ClearPass would just use the account name for all scenarios, not the display name.

Guru Elite
Posts: 20,366
Registered: ‎03-29-2007

Re: Clearpass 802.1x AD auth certificates

Screenshot of where you are checking/unchecking Validate Server Certificate, please?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
