Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass & Wireless - Cert + User Auth

  • 1.  Clearpass & Wireless - Cert + User Auth

    Posted Apr 05, 2017 12:44 PM

    We currently use certificate-based authentication for our client machines that connect to the Aruba Wireless network. The plan I am exploring is to secure it even more and add the ability to role map based on the LDAP group. The client machines run Windows, Mac, and Linux. Is it possible to require authentication using a certificate and LDAP username/password using Clearpass?



  • 2.  RE: Clearpass & Wireless - Cert + User Auth

    EMPLOYEE
    Posted Apr 05, 2017 12:50 PM
    Is the username of the user in the certificate or is it tied to the hostname?


  • 3.  RE: Clearpass & Wireless - Cert + User Auth

    Posted Apr 05, 2017 12:58 PM

    The current certificates do not have the username or hostname, but I could re-issue certificates with the username.



  • 4.  RE: Clearpass & Wireless - Cert + User Auth

    EMPLOYEE
    Posted Apr 05, 2017 01:00 PM
    It really depends on your security requirements.

    Are all of these machines joined to a domain?


  • 5.  RE: Clearpass & Wireless - Cert + User Auth

    Posted Apr 05, 2017 01:06 PM

    The Mac and Windows machines are joined to the domain. The Linux machines are not. I believe we can do machine + user auth with domain joined machines, but the Linux machines will probably never be joined to the domain.



  • 6.  RE: Clearpass & Wireless - Cert + User Auth

    EMPLOYEE
    Posted Apr 05, 2017 01:12 PM

    Have you been working with your ClearPass Partner? There's a lot of planning and discussion that has to happen.

    - Are you managing the Macs via profiles?

    - Are you 100% tied to EAP-TLS? PEAPv0/EAP-MSCHAPv2 is recommended with computer + user on shared machines.

    - What is the security goal?



  • 7.  RE: Clearpass & Wireless - Cert + User Auth

    Posted Apr 09, 2017 09:32 PM

    We don't have a Clearpass partner.

    The Macs are managed using Group Policy. There is some software that allows the Windows Admins to do that.

    I am not 100% tied to EAP-TLS and I have used EAP-PEAP to authenticate Windows machines using machine + username before at a different company. There is no machine authentication with Linux in our case right now and that isn't going to change anytime soon.

    There is no official security goal. We currently use cert only EAP-TLS, and the idea of cert + username/password would be better and allow us to role map users easier.



  • 8.  RE: Clearpass & Wireless - Cert + User Auth
    Best Answer

    EMPLOYEE
    Posted Apr 09, 2017 10:19 PM

    You should start with a security goal or policy and that will dictate what you are working towards. That would enable you to have a concrete set of objectives. Please see the document here: https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/295/1/WP_BUILDING%20GLOBAL%20SECURITY%20POLICIES%5B1%5D.pdf for some ideas.

    You can do that before or while engaging a ClearPass partner to help you design your authentication scheme around your policy. You should have a partner, because only that person would know all of your capabilities and would be able to make sure whatever method you chose does not have any gaping holes. On this forum, we can just give you half-way suggestions without knowing the full scope of your capabilities, your abilities to manage keys, etc., and that would not allow you to understand everything you can accomplish.

    With all that being said, very, very few people use cert + username and password because (1) certs are very hard to issue, re-issue and revoke across multiple platforms and (2) very few if any supplicants enable cert + username and password across multiple platforms. It is possible but costly and you would require a competent consultant to tell you how to pull it all together without creating any security holes.
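The question in reply 2 (is the username in the certificate, or only the hostname?) is what decides whether an EAP-TLS authentication can be followed by an LDAP group lookup for role mapping. The model below is an added illustration, not ClearPass code or anything posted in this thread; the directory contents, group names and role names are constructed sample data, and the rule list is evaluated top-down, first match wins.

```python
"""Illustrative model of EAP-TLS identity extraction + LDAP group role mapping.
Not ClearPass code: users, groups, roles and rule names are constructed examples."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertIdentity:
    """Identity fields a NAC could read from the client certificate."""
    common_name: str
    upn: Optional[str] = None       # SAN otherName UPN, e.g. alice@corp.example
    dns_name: Optional[str] = None  # SAN dNSName, typical of machine certificates


# Constructed stand-in for an LDAP authorization source: account -> group set
LDAP_DIRECTORY = {
    "alice": {"Domain Users", "Engineering"},
    "bob": {"Domain Users", "Finance"},
    "carol": {"Domain Users"},
}

# Ordered role-mapping rules (LDAP group, role); most specific first
ROLE_RULES = [
    ("Engineering", "ROLE_ENG"),
    ("Finance", "ROLE_FIN"),
    ("Domain Users", "ROLE_EMPLOYEE"),
]


def user_from_cert(cert: CertIdentity) -> Optional[str]:
    """Return the account the certificate asserts, or None for a host-only cert."""
    if cert.upn:
        return cert.upn.split("@", 1)[0]
    if cert.dns_name:
        return None  # hostname-only certificate: no user to look up in LDAP
    return cert.common_name


def assign_role(cert: CertIdentity) -> str:
    """Map an EAP-TLS-authenticated client to a role via LDAP group membership."""
    user = user_from_cert(cert)
    if user is None:
        return "ROLE_MACHINE_ONLY"  # cert proved device identity, not a user
    groups = LDAP_DIRECTORY.get(user)
    if groups is None:
        return "ROLE_DENY"  # valid cert, but no matching directory account
    for group, role in ROLE_RULES:
        if group in groups:
            return role
    return "ROLE_DEFAULT"
```

The hostname-only branch is the situation the original poster describes: until the certificates carry a user identity, the group lookup has nothing to key on and only a device-level role can be assigned.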