Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass, VIA, and Linux - 2 factor authentication

  • 1.  ClearPass, VIA, and Linux - 2 factor authentication

    Posted Mar 11, 2014 04:17 PM

    Hi all -

    I feel like I'm trying to do something here that is unusual. We have several Linux clients, and we are trying to get certificates created for them so we can do 2-factor authentication for VPN and wireless access.

    So far I'm not having much luck. We are using Ubuntu 12.04; we had been working with an integrator, but he didn't know just what to do for Linux.

    When I create a certificate on the ClearPass server, the first issue I run into is that I need to add 2 MAC addresses to the new certificate - I can't seem to do that. Once I create the certificate, download it to the Linux system and try to connect to either the wireless or the VIA, I get errors with either invalid certificate or invalid EAP method.

    Let me just say that I really don't know all that much about Linux and am just trying to get it working the best I can - so any assistance would be great.

    ClearPass server is running ver 6.2.5.29630, Aruba 3400, v 6.3.1.1

    Thank you!

    Lirria


    #3400


  • 2.  RE: ClearPass, VIA, and Linux - 2 factor authentication

    Posted Mar 11, 2014 06:20 PM

    So after doing more searching, I found this post:

    http://www.airheads.eu/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-802-1x-certificate/td-p/113523

    and it appears that my cert chain is not installed, even though I downloaded the certificate chain - I'm guessing it's not installed in the OS (gosh, probably because I'm not sure how to do that). So I'll go do some more research and see how to install the chain in Ubuntu.

    Lirria



  • 3.  RE: ClearPass, VIA, and Linux - 2 factor authentication

    Posted Mar 12, 2014 11:15 AM

    OK -

    So we have the controller certificate chain and the user certificate chain imported into the OS, but when I connect to the wireless I see the following:

    2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
    2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
    2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.

     

     

    Trying VIA now - but it looks like it's having other issues - I'll fix those and be back.

    Lirria



  • 4.  RE: ClearPass, VIA, and Linux - 2 factor authentication

    Posted Mar 14, 2014 06:22 PM

    Wow - this has really been a cluster, to say the least.

    We finally got the system to connect to the wireless network, using the user certificate from the server (downloaded only the cert, not the entire chain), then in the wireless configuration, using the downloaded user cert (p12), but not adding a CA in (that just doesn't seem right to me, but it's working).

    The certificates that we export from the ClearPass server are odd - the user cert has the user certificate first, then the root, then the intermediate server listed - very odd, and it's not working correctly. VIA connects for about 3 seconds then disconnects - sometimes I see errors in the ClearPass logs - lately not so much.

    Looking in the Linux logs, we see invalid cert errors - so it seems like we are just going in circles.

    VIA doesn't look at the system store for the CAs - you have to import them in individually - again, not really ideal and still not working correctly.

    So after beating our heads on this all day, we're giving it a rest for the weekend.

    I still have hope somebody out there has gone over this ground and has some thoughts.

    Thanks!

    Lirria



  • 5.  RE: ClearPass, VIA, and Linux - 2 factor authentication

    EMPLOYEE
    Posted Mar 14, 2014 06:29 PM
    One thing you might need to look at is the controller's cert. I'm not a VIA expert, but in my lab I had to sign my controller's cert by my ClearPass.


  • 6.  RE: ClearPass, VIA, and Linux - 2 factor authentication

    Posted Mar 14, 2014 06:32 PM

    Troy -

    Thank you for the thought. We'll take a look at that next week - our security guy was starting to get to that point, I think - the certs are definitely odd.

    We'll take a look and let you all know.

    Thank you

    Lirria



  • 7.  RE: ClearPass, VIA, and Linux - 2 factor authentication

    Posted Apr 07, 2014 08:09 AM

    Looks like we are both trying to accomplish the same task. You appear to be ahead of me in some ways and I ahead of you in others. I already have Aruba working with certificates and strongSwan: a working site-to-site configuration that can be modified for remote access. I would be happy to share the particulars in return for any progress that you are making with VIA and wireless with certificates.

    We use OpenSSL to generate the certificates and keys. We import a P12 (identity cert and key) and a CA cert into the controller.
    For strongSwan it is just a matter of putting them in the correct locations in the file system. There is no real certificate store like in Windows. We are using Debian for production and I use SuSE for testing.

    I read the VIA manual and it refers to a certificate store. I wish this was more implicit. I will examine this a little closer today.
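
Added example, not part of any post in this thread: the `unknown CA` alert quoted in post 3 is what a TLS peer sends when it cannot build a path from the certificate it was shown to a CA it trusts, and posts 4 and 7 both hinge on what is inside the P12 and which CA certificates are supplied next to it. The script below builds a throwaway root, intermediate and user certificate with OpenSSL, lists what the resulting P12 contains, and shows verification failing when the intermediate is missing and succeeding once it is supplied. Every subject name, file name and password in it is constructed for illustration and is not taken from ClearPass, VIA or the posters' environment.

```bash
#!/usr/bin/env bash
# Constructed lab PKI (root -> intermediate -> user); every name, subject and
# password here is made up for the example, not taken from the thread.
set -eu
WORK=$(mktemp -d) && cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > user.ext

# issue NAME SUBJECT EXTFILE [ISSUER]; self-signed when ISSUER is omitted
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

issue root  "/CN=Example Root CA"         ca.ext
issue inter "/CN=Example Intermediate CA" ca.ext   root
issue user  "/CN=Example User"            user.ext inter

# Identity bundle of the kind imported on a client: key + user cert + CA chain.
cat inter.pem root.pem > chain.pem
openssl pkcs12 -export -inkey user.key -in user.pem -certfile chain.pem \
  -name "Example User" -passout pass:example -out user.p12

# Subjects of every certificate inside the bundle, in stored order.
p12_subjects() {
  openssl pkcs12 -in user.p12 -nokeys -passin pass:example 2>/dev/null | grep '^subject'
}
# The verifier trusts the root but was never given the intermediate.
verify_root_only() { openssl verify -CAfile root.pem user.pem 2>&1 | grep -q ': OK$'; }
# Same trust anchor, with the intermediate supplied so the path can be built.
verify_full_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem user.pem 2>&1 | grep -q ': OK$'
}

p12_subjects
if verify_root_only;  then echo "root only:  OK"; else echo "root only:  FAIL"; fi
if verify_full_chain; then echo "full chain: OK"; else echo "full chain: FAIL"; fi
```

Running `p12_subjects` against a bundle exported from a real server (with its own file name and password substituted) shows which CA certificates it carries, which is the first thing to compare against what the peer has been told to trust.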