Contributor II

Clearpass AD caching and EAP-TLS question

When you have caching enabled on the AD authentication source, does it cache the password/password hash at all, or is the password checked against the AD every time a user authenticates towards a RADIUS service on the ClearPass (typically EAP-PEAP)?

I know group memberships and authorization data are cached, but I am unsure about passwords.

Now regarding EAP-TLS authentication to a wireless network. As I understand it, the user account password is never part of the authentication exchange. Authentication is achieved by verifying the key pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.1X SSID. The EAP-TLS wireless would then never be responsible for a locked-out Windows account (too many failed auth attempts).

It is very clear to me that this has to work in a BYOD ClearPass Onboard deployment, but is that always the case even when Windows domain computers are configured to use EAP-TLS?

Guru Elite

Re: Clearpass AD caching and EAP-TLS question

Passwords are not cached. Authorization can optionally do a lookup via LDAP to see if the username on the EAP-TLS certificate is still in AD to make sure the user has not been locked out or account disabled.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
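The LDAP lookup described in the reply above, as an added worked example that is not part of the original thread and not ClearPass's own code: the identity on the client certificate is checked against AD so that a disabled, locked-out or expired account is still rejected even though no password was ever sent. The AD entries, the UPNs and the 30-minute lockout window are constructed for illustration; the `userAccountControl` flag value, the `accountExpires` sentinels, the FILETIME epoch and the `1.2.840.113556.1.4.803` bitwise-AND matching rule are the Microsoft-documented ones.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# userAccountControl flag bit for a disabled account (Microsoft-documented value).
UAC_ACCOUNTDISABLE = 0x0002
# accountExpires values that AD uses to mean "never expires".
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# LDAP_MATCHING_RULE_BIT_AND, the extensible-match rule AD filters use for flag tests.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 * 10**6 + d.seconds * 10**6 + d.microseconds) * 10


def ldap_escape(value: str) -> str:
    # RFC 4515 escaping: the UPN comes from a client certificate, so it is
    # treated as untrusted input and must not be able to reshape the filter.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_filter_for_cert_identity(upn: str) -> str:
    # Filter that only matches an existing, enabled user with this UPN.
    return "(&(objectClass=user)(userPrincipalName=%s)(!(userAccountControl:%s:=%d)))" % (
        ldap_escape(upn), LDAP_BIT_AND, UAC_ACCOUNTDISABLE)


def evaluate_account(entry: dict, now: datetime, lockout_duration: timedelta) -> Tuple[bool, str]:
    uac = int(entry.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        return False, "account disabled"
    expires = int(entry.get("accountExpires", 0))
    if expires not in ACCOUNT_NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return False, "account expired"
    # Assumption: a non-zero lockoutTime younger than the domain lockout
    # duration means the account is still locked; the real value comes from
    # the domain's lockoutDuration attribute.
    locked_at = int(entry.get("lockoutTime", 0))
    if locked_at and now < filetime_to_datetime(locked_at) + lockout_duration:
        return False, "account locked out"
    return True, "account active"


def authorize_from_certificate(cert_upn: str, directory: Dict[str, dict], now: datetime,
                               lockout_duration: timedelta = timedelta(minutes=30)) -> Tuple[bool, str]:
    # `directory` stands in for the LDAP search result keyed by UPN (hypothetical).
    entry = directory.get(cert_upn.lower())
    if entry is None:
        return False, "no matching AD account for certificate identity"
    return evaluate_account(entry, now, lockout_duration)


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def constructed_directory(now: datetime = NOW) -> Dict[str, dict]:
    # Constructed sample entries; 0x200 = NORMAL_ACCOUNT, 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
    return {
        "alice@example.com": {"userAccountControl": 0x200, "lockoutTime": 0, "accountExpires": 0},
        "bob@example.com": {"userAccountControl": 0x202, "lockoutTime": 0, "accountExpires": 0},
        "carol@example.com": {"userAccountControl": 0x200, "accountExpires": 0x7FFFFFFFFFFFFFFF,
                              "lockoutTime": datetime_to_filetime(now - timedelta(minutes=5))},
        "dave@example.com": {"userAccountControl": 0x200, "lockoutTime": 0,
                             "accountExpires": datetime_to_filetime(now - timedelta(days=1))},
        "frank@example.com": {"userAccountControl": 0x200, "accountExpires": 0,
                              "lockoutTime": datetime_to_filetime(now - timedelta(hours=2))},
    }


if __name__ == "__main__":
    d = constructed_directory()
    for upn in ("alice@example.com", "bob@example.com", "carol@example.com",
                "dave@example.com", "erin@example.com", "frank@example.com"):
        print(upn, authorize_from_certificate(upn, d, NOW))
    print(ldap_filter_for_cert_identity("alice@example.com"))
```

The point of the example is the one made in the reply: with EAP-TLS the credential check ends at the TLS handshake, so account state has to be enforced as an authorization lookup against AD, and a certificate issued to an account that has since been disabled, expired or deleted must still be refused.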
Contributor II

Re: Clearpass AD caching and EAP-TLS question

And I am correct in saying that the password is never exposed during EAP-TLS authentication?

Even on domain Windows computers the password is not part of the auth exchange.

Guru Elite

Re: Clearpass AD caching and EAP-TLS question

There is no password in an EAP-TLS exchange. Correct.
