Contributor II
Posts: 53
Registered: ‎10-01-2013

Clearpass AD caching and EAP-TLS question

When you have caching enabled on AD authentication source, does it cache the password/password hash at all, or is the password checked against the AD every time a user authenticates towards a Radius service on the clearpass? (typically eap-peap)

I know group memberships and Authorization data is cached, but unsure about passwords.

 

Now regarding EAP-TLS authentication to wireless network. As I understand, the user account password is never part of the authentication exchange. Authentication is achieved by verifying the key-pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.11x SSID. The EAP-TLS wireless would then never be responsible for a locked out Windows account (too many failed auth attempts).

It is very clear to me that it has to work in a BYOD clearpass onboard deployment, but is that always the case even when Windows domain computers are configured to use EAP-TLS?

Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: Clearpass AD caching and EAP-TLS question

Passwords are not cached.  Authorization can optionally do a lookup via LDAP to see if the username on the EAP-TLS certificate is still in AD to make sure the user has not been locked out or account disabled.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
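
The optional authorization lookup described in the reply above, sketched as an added example (not ClearPass code and not from either poster): after the certificate has passed EAP-TLS, only directory attributes are read and no password is checked. The attribute names `userAccountControl` and `lockoutTime` are standard AD attributes; the directory entries, the `example.test` names, the `authorize` helper and the 30-minute lockout duration are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled account
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """datetime -> FILETIME, whole-second precision (enough for sample data)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def authorize(cert_upn, directory, now, lockout_minutes=30):
    """Post-EAP-TLS decision for the identity taken from the client certificate.
    `directory` stands in for an LDAP search result keyed by userPrincipalName.
    lockout_minutes=0 models 'locked until an administrator unlocks'."""
    entry = directory.get(cert_upn.lower())
    if entry is None:
        return "reject: user not in directory"
    if int(entry["userAccountControl"]) & UF_ACCOUNTDISABLE:
        return "reject: account disabled"
    locked_at = int(entry.get("lockoutTime", 0))
    if locked_at:  # non-zero means a lockout was recorded at that time
        expires = filetime_to_dt(locked_at) + timedelta(minutes=lockout_minutes)
        if lockout_minutes == 0 or now < expires:
            return "reject: account locked out"
    return "accept"

# Constructed sample data: 512 = normal account, 514 = normal + disabled.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
DIRECTORY = {
    "alice@example.test": {"userAccountControl": "512"},
    "bob@example.test": {"userAccountControl": "514"},
    "carol@example.test": {"userAccountControl": "512",
        "lockoutTime": str(dt_to_filetime(NOW - timedelta(minutes=5)))},
    "dave@example.test": {"userAccountControl": "512",
        "lockoutTime": str(dt_to_filetime(NOW - timedelta(hours=2)))},
}

if __name__ == "__main__":
    for upn in list(DIRECTORY) + ["mallory@example.test"]:
        print(f"{upn:24} {authorize(upn, DIRECTORY, NOW)}")
```

The lockout in this sketch comes from password failures elsewhere (for example an EAP-PEAP service); the EAP-TLS exchange only observes the resulting directory state.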

Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: Clearpass AD caching and EAP-TLS question

And I am correct in saying that the password is never exposed during EAP-TLS authentication?

Even on domain windows computers the password is not part of the auth exchange.

Guru Elite
Posts: 21,515
Registered: ‎03-29-2007

Re: Clearpass AD caching and EAP-TLS question

There is no password in an EAP-TLS exchange.  Correct.



Colin Joseph
Aruba Customer Engineering
