Contributor II
Posts: 53
Registered: ‎12-15-2016

Clearpass EAP-TLS with ADCS configuration help


Hello everyone, 

 

I am testing EAP-TLS authentication using Active Directory as the authentication source. Basically, what I want to achieve is:

 

1. If a device connects using a wired or wireless DOT1x, I need to authenticate/validate only the Certificate (ADCS) and allow access.

 

I don't need to check the username or password, only the cert. I followed the steps in one technical doc called "ADCS with ClearPass Onboard", exact same configuration on the Windows Active Directory side; I also imported the Root CA to the trusted list on the ClearPass and the root CA to the client Windows PC. I always get these error messages, did I miss a step maybe?

SSLClient.JPG

SSL.JPG

 

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass EAP-TLS with ADCS configuration help

Your error means the client does not have the ClearPass server certificate in its trust store. The client still needs to trust CPPM.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II
Posts: 53
Registered: ‎12-15-2016

Re: Clearpass EAP-TLS with ADCS configuration help

I imported the RADIUS Server certificate and the HTTPS Server certificate, and I'm always getting the message.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass EAP-TLS with ADCS configuration help

So if you look at your screenshots you will see "EAP-TLS: fatal alert by client", which means the client doesn't trust the cert being presented by the server. On the second screenshot it shows fatal alert by server, which means the opposite: your server does not trust the CA that has signed the client's cert.

You have to go through and double check the trust list on both.
Thank You,
Troy

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Clearpass EAP-TLS with ADCS configuration help

It also might mean that you don't have the full trust chain in the cert you imported into ClearPass. You will need to have all of it: Root CA, intermediate, etc.
Thank You,
Troy

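Troy's two replies come down to a chain check on each side of the handshake: the RADIUS server must chain the client certificate to a CA in its own trust list (with every intermediate present), and the client must chain the RADIUS server certificate to a root in its own trust store. The script below is an added example, not from this thread and not Aruba's code. It builds a constructed three-tier PKI with openssl (the names Demo Root CA, Demo Issuing CA, client01.example.test, radius.example.test and Other Root CA are made up) and runs `openssl verify` against different trust bundles, which is the same decision each side takes before it sends a fatal alert.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba: build a throw-away
# three-tier PKI with openssl and check leaf certificates against different
# trust bundles. Every name here (Demo Root CA, Demo Issuing CA,
# client01.example.test, radius.example.test, Other Root CA) is constructed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue NAME SUBJECT EXTFILE ISSUER   (ISSUER empty => self-signed root)
# Generates an EC key and CSR for NAME and signs it with ISSUER's key.
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 2 -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Extension profiles: CA certs must carry CA:TRUE or verify rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"

issue root   "/CN=Demo Root CA"          "$WORK/ca.ext"     ""    # stands in for the ADCS root
issue int    "/CN=Demo Issuing CA"       "$WORK/ca.ext"     root  # stands in for the issuing CA
issue client "/CN=client01.example.test" "$WORK/client.ext" int   # the supplicant's certificate
issue radius "/CN=radius.example.test"   "$WORK/server.ext" int   # the RADIUS server certificate
issue other  "/CN=Other Root CA"         "$WORK/ca.ext"     ""    # a CA nobody imported

# A "full chain" bundle as it should be imported into a trust list: intermediate plus root.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# chains_to CERT TRUSTED [UNTRUSTED]: exit 0 if CERT chains to a CA in TRUSTED,
# optionally using UNTRUSTED as the intermediates a peer sends during the handshake.
chains_to() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# has_eku CERT TEXT: exit 0 if the certificate's EKU list contains TEXT,
# e.g. "TLS Web Client Authentication" (what an EAP-TLS client cert needs).
has_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# Stand-alone run: the server-side decision (client cert vs. server trust list)
# and the client-side decision (RADIUS cert vs. client trust store).
report() { label="$1"; shift; if "$@"; then echo "OK        $label"; else echo "REJECTED  $label"; fi; }
report "client cert, server trusts root only (intermediate missing)" chains_to "$WORK/client.pem" "$WORK/root.pem"
report "client cert, server trusts full chain"                        chains_to "$WORK/client.pem" "$WORK/chain.pem"
report "client cert, server trusts an unrelated CA"                   chains_to "$WORK/client.pem" "$WORK/other.pem"
report "RADIUS cert, client trusts root, server sends intermediate"   chains_to "$WORK/radius.pem" "$WORK/root.pem" "$WORK/int.pem"
report "RADIUS cert, client trusts root, server sends no intermediate" chains_to "$WORK/radius.pem" "$WORK/root.pem"
report "client cert carries clientAuth EKU" has_eku "$WORK/client.pem" "TLS Web Client Authentication"
```

The first and last `REJECTED` lines are the two symptoms from the screenshots: a server that holds only the root rejects a client certificate issued by an intermediate it has never seen, and a client that holds only the root rejects a server certificate when the intermediate is neither in its store nor sent in the handshake. Importing the full chain (or having the server send it) fixes both.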
Contributor II
Posts: 53
Registered: ‎12-15-2016

Re: Clearpass EAP-TLS with ADCS configuration help

Thanks, I will check that and post the results.

Contributor II
Posts: 53
Registered: ‎12-15-2016

Re: Clearpass EAP-TLS with ADCS configuration help

Is there a way to use only ClearPass to validate the client certificate and the server certificate without using the authentication source (Active Directory)? In other words, is it possible to use EAP-TLS between the client and ClearPass and then, if the client has a valid certificate, send Login Status ACCEPT?

Guru Elite
Posts: 8,765
Registered: ‎09-08-2010

Re: Clearpass EAP-TLS with ADCS configuration help

Yes. You would need to create a new EAP-TLS method and disable authorization.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 53
Registered: ‎12-15-2016

Re: Clearpass EAP-TLS with ADCS configuration help

So the steps will be:

1. Import the Root CA from the Active Directory server to the trust list in ClearPass.

2. Create a new EAP-TLS authentication method (Do I need to choose anything in the Certificate Comparison?)

TLS.JPG

3. Create the service and choose the new authentication Method

auth.JPG

4. Create a valid client certificate and import it to the client.

 

Am I missing any steps?

MVP
Posts: 554
Registered: ‎11-04-2011

Re: Clearpass EAP-TLS with ADCS configuration help

In step 3 you need to put an authentication source in. If you just put in the Local User Repository or the Endpoint Repository, it will be fine. They will not be used, but need to be in for ClearPass to accept the configuration.

 

For Onboarding, the recommended method in most cases is to use the ClearPass Onboard built-in CA as a Root CA, and avoid any links with other (Enterprise) PKI. The first reason is that it is much easier to set up and quicker, with fewer dependencies, which makes it more reliable (in most cases). The second reason is that, by keeping the PKI completely separated, you don't risk inadvertent trust for certificates that are issued by ClearPass Onboard. Please only use integration with other PKI if you understand the implications and need specific features delivered by that integration.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).