Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass TLS Machine/Client Auth

  • 1.  Clearpass TLS Machine/Client Auth

    Posted Sep 03, 2015 10:01 AM

    Current Setup:

    1) I do not have AD as authentication source, only local DB.

    2) CA, Machine and Client certificates have been generated by the CA and installed in the client.

    3) AD credentials have been exported into the ClearPass local DB with the department attribute.

    4) The default local DB only grabs the role_name and enable/disable, therefore I have created another SQL query (copied from somewhere in this forum) to grab the department attribute.


    Questions:

    1) Am I right to untick authorization in TLS for Machine Auth, since I do not have access to the AD and I have nothing to check against?

    2) I can't get the department attribute for User Auth; is it because I have unticked authorization in TLS?

    3) Do I need to tick authorization in TLS for User_Auth so that it will check against the local DB and get the attribute for role mapping?


    Generally what I want to achieve is to have both machine and user authentication as well as to grab the department attribute from the local DB. How can it be done? 



  • 2.  RE: Clearpass TLS Machine/Client Auth

    EMPLOYEE
    Posted Sep 03, 2015 10:04 AM
    Is ClearPass the CA or is it external?


    Thanks,
    Tim


  • 3.  RE: Clearpass TLS Machine/Client Auth

    Posted Sep 03, 2015 10:15 AM

    It's an external CA.



  • 4.  RE: Clearpass TLS Machine/Client Auth

    EMPLOYEE
    Posted Sep 03, 2015 10:19 AM
    1) Yes
    2) Is your custom auth source configured as an authorization source in the service?
    3) The TLS authorization is part of the authentication process and is different than overall policy authorization. If you have the custom source as an authorization source, you likely have a bad SQL query.

    Is the department name also in the cert as a custom key attribute?

    Thanks,
    Tim


  • 5.  RE: Clearpass TLS Machine/Client Auth

    Posted Sep 03, 2015 10:54 AM

    2) Is your custom auth source configured as an authorization source in the service? - I don't get what you mean by custom authentication/authorization source, but in the service I have selected the local DB for both authentication and authorization.


    3) The TLS authorization is part of the authentication process and is different than overall policy authorization. If you have the custom source as an authorization source, you likely have a bad SQL query. - So if I select TLS authorization, what does it actually do?

    Is the department name also in the cert as a custom key attribute? - Yes


    Back to my question: How can I grab the local DB attribute with my current setup? I know I will definitely need the SQL query as well as to select the local DB as the authorization source in the service. What else did I miss? Anything related to Compare CN? Is the local DB username = CN? If I enable Compare CN in the TLS authorization, will it check against the local DB?

    Sorry, I am getting confused here. Thanks for the help.