Security
Occasional Contributor II

Clearpass Revoked or Expired Certificate Role

Hi All

I'm trying to work around the situation where a Clearpass onboarded certificate has become revoked or has expired. Is there any way of creating a role which forces onboarded devices with a revoked or expired certificate to a reprovision page?

I've read the following, which describes sending emails to the user for the x number of weeks leading up to certificate expiry, which is something we will implement; however, the customer has some departmental devices with generic accounts, so the end user does not get the notification email.

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/td-p/93548/highlight/true

Also, some devices hide in drawers for weeks on end and the certificate gets revoked through inactivity. We're reluctant to increase the inactivity period as this will have an impact on the Onboard licensing count.

I had created a test enforcement policy whereby, if the outer authentication method was TLS and the auth status failed, a pre-provisioning profile was returned. I can see the Radius Response in the Access Tracker returning this role, though I suspect that as the Login Status is REJECT this is preventing it from being sent to the controller.

Is the only alternative, when dealing with Apple smart devices, to manually delete the profiles and reprovision?

Many thanks

Mark

Aruba

Re: Clearpass Revoked or Expired Certificate Role

When a certificate is revoked or expired, it results in an access reject message. Even if we were able to write policy based on the error code to return a role to the controller, we can't change the access reject message, so the role application would not apply.

As an alternative you could try and re-enroll devices at some interval prior to expiration to try and catch them before they expire. See http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/td-p/93548 for some thoughts on this.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite

Re: Clearpass Revoked or Expired Certificate Role

Just to add: This is a limitation of 802.1X. Authentication can either pass or fail. If authentication fails, that is the end of the road.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Clearpass Revoked or Expired Certificate Role

You could apply a rule using the Time calculator as an Authorization source

Screen Shot 2015-11-19 at 11.32.57 AM.png

You could send an Enforcement profile with a user-role that will redirect the user to the portal to re-onboard the device

Screen Shot 2015-11-19 at 11.28.13 AM.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Clearpass Revoked or Expired Certificate Role

Hi All

Many thanks for replying so quickly; the speed of the response on here is always impressive.

Will the time rule work when the cert has expired or has been revoked, or will the Reject take precedence? I've not been able to get this to work.

Thanks

Mark

Aruba

Re: Clearpass Revoked or Expired Certificate Role

No, once it is expired or revoked it will result in a failed authentication.  The time source solution and the solutions in the link above are to pre-empt the expiration.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
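Victor's Time Source rule and Chris's confirmation above amount to a small decision procedure: a valid certificate inside the pre-expiry window can still be redirected to the onboarding portal, while an expired or revoked one only ever produces an Access-Reject. The following is an added example, not code from the thread or from ClearPass, that applies that procedure to a constructed device inventory so devices on generic accounts (which never see the notification e-mail) can be chased from a list; the 14-day window, the 30-day inactivity period and the action names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class OnboardedDevice:
    name: str
    not_valid_after: datetime  # certificate Not-Valid-After (UTC)
    last_seen: datetime        # last successful EAP-TLS authentication (UTC)
    revoked: bool = False      # revoked in Onboard by an operator

def classify(dev, now, expiry_window=timedelta(days=14),
             inactivity_limit=timedelta(days=30), inactivity_warn=timedelta(days=7)):
    """Return the action for one device; the first matching condition wins.
    Window and period lengths are assumed values, not ClearPass defaults."""
    # A revoked or expired certificate fails EAP-TLS outright: ClearPass sends
    # Access-Reject, so no user-role (and no portal redirect) can be applied.
    if dev.revoked or dev.not_valid_after <= now:
        return "reject"
    # Onboard revokes the certificate of a device idle past the period: same dead end.
    idle = now - dev.last_seen
    if idle >= inactivity_limit:
        return "reject"
    # Still valid but close to the inactivity limit (a device left in a drawer):
    # it has to authenticate soon or it will need manual reprovisioning.
    if idle >= inactivity_limit - inactivity_warn:
        return "wake-up"
    # Valid and inside the pre-expiry window: this is where a Time Source rule
    # on Certificate:Not-Valid-After can still redirect the device to re-onboard.
    if dev.not_valid_after - now <= expiry_window:
        return "reprovision"
    return "ok"

def reprovision_report(devices, now):
    """Map device name -> action for an inventory export."""
    return {d.name: classify(d, now) for d in devices}

NOW = datetime(2015, 11, 19, tzinfo=timezone.utc)  # constructed reference time
DEVICES = [  # constructed sample inventory
    OnboardedDevice("ipad-reception", NOW + timedelta(days=200), NOW - timedelta(days=1)),
    OnboardedDevice("ipad-ward-3", NOW + timedelta(days=10), NOW - timedelta(days=2)),
    OnboardedDevice("ipad-drawer", NOW + timedelta(days=120), NOW - timedelta(days=26)),
    OnboardedDevice("ipad-lost", NOW + timedelta(days=120), NOW - timedelta(days=45)),
    OnboardedDevice("ipad-old", NOW - timedelta(days=3), NOW - timedelta(days=4)),
    OnboardedDevice("ipad-stolen", NOW + timedelta(days=300), NOW, revoked=True),
]

if __name__ == "__main__":
    for name, action in sorted(reprovision_report(DEVICES, NOW).items()):
        print(f"{name:16} {action}")
```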

Occasional Contributor II

Re: Clearpass Revoked or Expired Certificate Role

Many thanks for confirming Chris.  Much appreciated.

Occasional Contributor II

Re: Clearpass Revoked or Expired Certificate Role

Hi All

Apologies for revisiting this, but is there anything else I need to add to the above enforcement policy to get it to work? We're using 6.5.2, so am I right in assuming Time Source has replaced Time Calculator? Do I need to modify any of the Time Source attributes?

I've tried both Cert Expiry as a Role and an Enforcement Policy, but CPPM ignores it despite having Certificate:Not-Valid-After set.

Not-Valid-After.jpg

I've configured the following enforcement:

Enforcement.JPG

Below is the Tips Role:

role.JPG

Both appear to get ignored. I can't see what I'm doing wrong.

Any help would be greatly appreciated.

Thanks

Mark
