Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass EAP-TLS with ADCS configuration help

  • 1.  Clearpass EAP-TLS with ADCS configuration help

    Posted Jan 26, 2017 03:28 PM

    Hello everyone, 

     

    I am testing EAP-TLS authentication using Active Directory as the authentication source. Basically, what I want to achieve is:

    1. If a device connects using wired or wireless DOT1x, I need to authenticate/validate only the certificate (ADCS) and allow access.

    I don't need to check the username or password, only the cert. I followed the steps in a technical doc called "ADCS with ClearPass Onboard": exact same configuration on the Windows Active Directory side, and I also imported the Root CA to the trusted list on the ClearPass and the Root CA to the client Windows PC. I always get these error messages. Did I miss a step, maybe?

    SSLClient.JPG

    SSL.JPG

     



  • 2.  RE: Clearpass EAP-TLS with ADCS configuration help

    EMPLOYEE
    Posted Jan 26, 2017 03:46 PM
    Your error means the client does not have the ClearPass server certificate in its trust store. The client still needs to trust CPPM.


  • 3.  RE: Clearpass EAP-TLS with ADCS configuration help

    Posted Jan 26, 2017 04:03 PM

    I imported the RADIUS Server certificate and the HTTPS Server certificate, and I'm always getting the message



  • 4.  RE: Clearpass EAP-TLS with ADCS configuration help

    EMPLOYEE
    Posted Jan 26, 2017 04:08 PM
    So if you look at your screenshots you will see "EAP-TLS: fatal alert by client", which means the client doesn't trust the cert being presented by the server. The second screenshot shows "fatal alert by server", which means the opposite: your server does not trust the CA that has signed the client's cert.

    You have to go through and double check the trust list on both.


  • 5.  RE: Clearpass EAP-TLS with ADCS configuration help

    EMPLOYEE
    Posted Jan 26, 2017 04:10 PM
    It also might mean that you don't have the full trust chain in the cert you imported into ClearPass. You will need to have all of them: Root CA, intermediate, etc.
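
    The trust-chain point made in replies 2, 4 and 5 (each side must be able to chain the other's certificate back to a trusted root, and a missing intermediate breaks that in either direction) can be reproduced on any workstation with openssl. The script below is an added example, not from this thread and not HPE Aruba code: it builds a constructed two-tier PKI (a root CA, an issuing CA, one RADIUS server cert and one client cert, all with made-up names under example.test), then verifies each leaf once with only the root in the trust store and once with the intermediate available. It assumes an `openssl` binary on PATH and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway two-tier PKI built with
# openssl to show why a missing intermediate produces "fatal alert" in EAP-TLS.
# All names (Example Root CA, *.example.test) are constructed for this demo.

WORK="${WORK:-$(mktemp -d)}"

# Build root CA -> issuing CA -> two leaves (RADIUS server, client device).
build_pki() {
  # Root CA: self-signed; 'req -x509' marks it CA:TRUE by default.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
  # Issuing (intermediate) CA signed by the root; it must carry CA:TRUE so the
  # verifier accepts it as a chain link.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/issuing.pem" \
    >/dev/null 2>&1 || return 1
  # Leaf certs: what the RADIUS server and the supplicant present to each other.
  for leaf in radius client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$leaf.example.test" \
      -keyout "$WORK/$leaf.key" -out "$WORK/$leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/$leaf.csr" -CA "$WORK/issuing.pem" \
      -CAkey "$WORK/issuing.key" -CAcreateserial -days 30 \
      -out "$WORK/$leaf.pem" >/dev/null 2>&1 || return 1
  done
}

# Trust store holds only the root and the peer sent only its leaf:
# the verifier cannot find the issuer, which is the "fatal alert" situation.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Root trusted and the intermediate available (installed in the trust list,
# or sent by the peer as part of its chain): the chain builds and verifies.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

build_pki || { echo "PKI build failed (is openssl on PATH?)"; exit 1; }
for leaf in radius client; do
  if verify_root_only "$leaf"; then r1=ok; else r1=FAIL; fi
  if verify_with_chain "$leaf"; then r2=ok; else r2=FAIL; fi
  echo "$leaf cert: root only -> $r1, root + intermediate -> $r2"
done
```

    Both leaves fail with the root alone and pass once the issuing CA is supplied, which is the same check ClearPass runs on the client cert and the supplicant runs on the RADIUS server cert. In an ADCS deployment with a subordinate issuing CA, that is why the trust list on ClearPass and the certificate chain it presents both need the intermediate, not only the root.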


  • 6.  RE: Clearpass EAP-TLS with ADCS configuration help

    Posted Jan 26, 2017 04:14 PM

    Thanks, I will check that and post the results.



  • 7.  RE: Clearpass EAP-TLS with ADCS configuration help

    Posted Jan 31, 2017 09:09 AM

    Is there a way to use only ClearPass to validate the client certificate and the server certificate without using the authentication source (Active Directory)? In other words, is it possible to use EAP-TLS Client-ClearPass and then, if the client has a valid certificate, send Login Status ACCEPT?



  • 8.  RE: Clearpass EAP-TLS with ADCS configuration help

    EMPLOYEE
    Posted Jan 31, 2017 09:14 AM
    Yes. You would need to create a new EAP-TLS method and disable authorization.


  • 9.  RE: Clearpass EAP-TLS with ADCS configuration help

    Posted Jan 31, 2017 09:26 AM

    So the steps will be:

    1. Import the Root CA from the Active Directory server to the trust list in ClearPass.

    2. Create a new EAP-TLS authentication method (Do I need to choose anything in the Certificate Comparison?)

    TLS.JPG

    3. Create the service and choose the new authentication method.

    auth.JPG

    4. Create a valid client certificate and import it to the client.

    Am I missing any steps?



  • 10.  RE: Clearpass EAP-TLS with ADCS configuration help

    EMPLOYEE
    Posted Feb 27, 2017 08:04 AM

    In step 3 you need to put an authentication source in. If you just put in the Local User Repository or the Endpoint Repository, it will be fine. They will not be used, but need to be in for ClearPass to accept the configuration.

     

    For Onboarding, the recommended method in most cases is to use the ClearPass Onboard built-in CA as a Root CA, and avoid any links with other (Enterprise) PKI. The first reason is that it is much easier to set up and quicker, with fewer dependencies, which makes it more reliable (in most cases). The second reason is that you don't risk inadvertently trusting certificates that are issued by ClearPass Onboard, by keeping the PKI completely separated. Please only use integration with other PKI if you understand the implications and need specific features delivered by that integration.