Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Clearpass, VIA, and Linux - 2 factor authentication

Hi all -

I feel like I'm trying to do something here that is unusual. We have several Linux clients - and we are trying to get certificates created for them so we can do 2 factor authentication for VPN and wireless access.

So far I'm not having much luck - we are using Ubuntu 12.04. We had been working with an integrator, but he didn't know just what to do for Linux.

When I create a certificate on the Clearpass server, the first issue I run into is that I need to add 2 MAC addresses to the new certificate - I can't seem to do that. Once I create the certificate, download it to the Linux system and try to connect to either the wireless or the VIA, I get errors with either invalid certificate or invalid EAP method.

Let me just say that I really don't know all that much about Linux and am just trying to get it working the best I can - so any assistance would be great.

Clearpass server is running ver 6.2.5.29630, Aruba 3400, v 6.3.1.1

Thank you!

Lirria

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Clearpass, VIA, and Linux - 2 factor authentication

So after doing more searching, I found this post:

http://www.airheads.eu/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-802-1x-certificate/td-p/113523

and it appears that my certchain is not installed, even though I downloaded the certificate chain - I'm guessing it's not installed in the OS (gosh, probably because I'm not sure how to do that). So I'll go do some more research and see how to install the chain in Ubuntu.

Lirria

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Clearpass, VIA, and Linux - 2 factor authentication

OK -

So we have the controller certificate chain and the user certificate chain imported into the OS, but when I connect to the wireless I see the following:

2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.

Trying VIA now - but looks like it's having other issues - I'll fix those and be back.

Lirria
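
Added example (not part of the original posts, and not ClearPass tooling): a small Python parser for the RADIUS log lines quoted in the post above that reports which side sent the TLS alert. It assumes the OpenSSL-style wording these lines follow, where "TLS Alert read" is an alert received from the peer and "TLS Alert write" is one the server sent; the function names and diagnosis strings are this example's own.

```python
import re
from collections import defaultdict

# The four log lines quoted in the post above, copied verbatim.
SAMPLE_LOG = """\
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS Alert read:fatal:unknown CA
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2014-03-12 09:10:04,366[Th 9 Req 5156 SessId R000001b9-01-532078c2] INFO RadiusServer.Radius - rlm_policy: Starting Policy Evaluation.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
    r"\[Th \d+ Req (?P<req>\d+) SessId (?P<sess>[^\]\s]+)\] "
    r"[A-Z]+ \S+ - (?P<msg>.*)$"
)
ALERT_RE = re.compile(r"TLS Alert (?P<dir>read|write):(?P<sev>\w+):(?P<desc>.+)$")

# Assumption: OpenSSL-style wording, "read" = alert received from the peer
# (the supplicant), "write" = alert sent by the RADIUS server itself.
SENDER = {"read": "supplicant", "write": "radius-server"}

def parse_alerts(log_text):
    """Group every 'TLS Alert' line by RADIUS session id."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        a = ALERT_RE.search(m["msg"]) if m else None
        if a:
            sessions[m["sess"]].append({
                "time": m["ts"], "request": int(m["req"]),
                "sender": SENDER[a["dir"]], "severity": a["sev"],
                "description": a["desc"].strip().lower(),
            })
    return dict(sessions)

def diagnose(alert):
    """Name the trust store to inspect for one parsed alert."""
    if alert["description"] == "unknown ca":
        if alert["sender"] == "supplicant":
            return "client does not trust the CA of the RADIUS server certificate"
        return "server does not trust the CA of the client certificate"
    return "%(sender)s sent %(severity)s alert: %(description)s" % alert

if __name__ == "__main__":
    for sess, alerts in parse_alerts(SAMPLE_LOG).items():
        for alert in alerts:
            print(sess, alert["time"], diagnose(alert))
```

On the quoted trace this reports that the supplicant sent the alert, so the trust anchor to check is the CA configured on the Linux client for the RADIUS server certificate.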

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Clearpass, VIA, and Linux - 2 factor authentication

Wow - this has really been a cluster, to say the least.

We finally got the system to connect to the wireless network, using the user certificate from the server (downloaded only the cert, not the entire chain), then in the wireless configuration, using the downloaded user cert (p12), but not adding a CA in (that just doesn't seem right to me, but it's working).

The certificates that we export from the Clearpass server are odd - the user cert has the user certificate first, then the root, then the intermediate server listed - very odd, and it's not working correctly. VIA connects for about 3 seconds then disconnects - sometimes I see errors in the Clearpass logs - lately not so much.

Looking in the Linux logs, we see invalid cert errors - so it seems like we are just going in circles.

VIA doesn't look at the system store for the CAs - you have to import them in individually - again - not really ideal and still not working correctly.

So after beating our heads on this all day, we're giving it a rest for the weekend.

I still have hope somebody out there has gone over this ground and has some thoughts.

Thanks!

Lirria

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass, VIA, and Linux - 2 factor authentication

One thing you might need to look at is the controller's cert. I'm not a VIA expert, but in my lab I had to sign my controller's cert by my Clearpass.
Thank You,
Troy

Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Clearpass, VIA, and Linux - 2 factor authentication

Troy -

Thank you for the thought - We'll take a look at that next week - our security guy was starting to get to that point I think - the certs are definitely odd.

We'll take a look and let you all know.

Thank you

Lirria

Occasional Contributor II
Posts: 11
Registered: ‎10-31-2012

Re: Clearpass, VIA, and Linux - 2 factor authentication

Looks like we are both trying to accomplish the same task. You appear to be ahead of me in some ways and I ahead of you in others. I already have Aruba working with certificates and strongSwan. A working site to site configuration that can be modified for remote access. I would be happy to share the particulars in return for any progress that you are making with VIA and wireless with certificates.

We use OpenSSL to generate the certificates and keys. We import a P12 (identity cert and key) and a CA cert into the controller.
For strongSwan it is just a matter of putting them in the correct locations in the file system. There is no real certificate store like in Windows. We are using Debian for production and I use SuSE for testing.

I read the VIA manual and it refers to a certificate store. I wish this was more implicit. I will examine this a little closer today.
