Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Clearpass TLS Machine/Client Auth

Current Setup:

1) I do not have AD as an authentication source, only the local DB.

2) CA, Machine and Client certificates have been generated by the CA and installed in the client.

3) AD credentials have been exported into the ClearPass local DB with the department attribute.

4) The default local DB only grabs the role_name and enable/disable; therefore I have created another SQL query (copied from somewhere in this forum) to grab the department attribute.

Questions:

1) Am I right to untick authorization in TLS for Machine Auth since I do not have access to the AD and I have nothing to check against? 

2) I can't get the department attribute for User Auth. Is it because I have unticked authorization in TLS?

3) Do I need to tick authorization in TLS for User_Auth so that it will check against the local DB and get the attribute for role mapping?

Generally what I want to achieve is to have both machine and user authentication as well as to grab the department attribute from the local DB. How can it be done? 

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Clearpass TLS Machine/Client Auth

Is ClearPass the CA or is it external?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Clearpass TLS Machine/Client Auth

It's an external CA.

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Clearpass TLS Machine/Client Auth

1) Yes
2) Is your custom auth source configured as an authorization source in the service?
3) The TLS authorization is part of the authentication process and is different than overall policy authorization. If you have the custom source as an authorization source, you likely have a bad SQL query.

Is the department name also in the cert as a custom key attribute?

Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Clearpass TLS Machine/Client Auth

2) Is your custom auth source configured as an authorization source in the service? - I don't get what you mean by custom authentication/authorization source, but in the service I have selected the local DB for both authentication and authorization.


3) The TLS authorization is part of the authentication process and is different than overall policy authorization. If you have the custom source as an authorization source, you likely have a bad SQL query. - So if I select TLS authorization, what does it actually do?

Is the department name also in the cert as a custom key attribute? - Yes

Back to my question: How can I grab the local DB attribute with my current setup? I know I will definitely need the SQL query as well as to select the local DB inside the authorization service. What else have I missed? Anything related to compare CN? Is the local DB username = CN? If I enable compare CN in the TLS authorization, will it check against the local DB?

Sorry I am getting confused here. Thanks for the help.
