Occasional Contributor II
Posts: 13
Registered: 09-29-2016

Clearpass & Wireless - Cert + User Auth

We currently use certificate-based authentication for our client machines that connect to the Aruba Wireless network. The plan I am exploring is to secure it even more and add the ability to role map based on the LDAP group. The client machines run Windows, Mac, and Linux. Is it possible to require authentication using a certificate and LDAP username/password using Clearpass?

Guru Elite
Posts: 8,337
Registered: 09-08-2010

Re: Clearpass

Is the username of the user in the certificate or is it tied to the hostname?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: 09-29-2016

Re: Clearpass

The current certificates do not have the username or hostname, but I could re-issue certificates with the username. 

Guru Elite
Posts: 8,337
Registered: 09-08-2010

Re: Clearpass

It really depends on your security requirements.

Are all of these machines joined to a domain?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: 09-29-2016

Re: Clearpass

The Mac and Windows machines are joined to the domain. The Linux machines are not. I believe we can do machine + user auth with domain joined machines, but the Linux machines will probably never be joined to the domain. 

Guru Elite
Posts: 8,337
Registered: 09-08-2010

Re: Clearpass

Have you been working with your ClearPass Partner? There's a lot of planning and discussion that has to happen.

- Are you managing the Macs via profiles?

- Are you 100% tied to EAP-TLS? PEAPv0/EAP-MSCHAPv2 is recommended with computer + user on shared machines

- What is the security goal?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 13
Registered: 09-29-2016

Re: Clearpass

We don't have a Clearpass partner.

The Macs are managed using Group Policy. There is some software that allows the Windows Admins to do that.

I am not 100% tied to EAP-TLS and I have used EAP-PEAP to authenticate Windows machines using machine + username before at a different company. There is no machine authentication with Linux in our case right now and that isn't going to change anytime soon.

There is no official security goal. We currently use cert only EAP-TLS, and the idea of cert + username/password would be better and allow us to role map users easier.

Guru Elite
Posts: 20,821
Registered: 03-29-2007

Re: Clearpass

You should start with a security goal or policy and that will dictate what you are working towards. That would enable you to have a concrete set of objectives. Please see the document here: https://community.arubanetworks.com/aruba/attachments/aruba/ForoenEspanol/295/1/WP_BUILDING%20GLOBAL%20SECURITY%20POLICIES%5B1%5D.pdf for some ideas.

You can do that before or while engaging a ClearPass partner to help you design your authentication scheme around your policy. You should have a partner, because only that person would know all of your capabilities and would be able to make sure whatever method you chose does not have any gaping holes. On this forum, we can just give you half-way suggestions without knowing the full scope of your capabilities, your abilities to manage keys, etc. and that would not allow you to understand everything you can accomplish.

With all that being said, very, very few people use cert + username and password because (1) certs are very hard to issue, re-issue and revoke across multiple platforms and (2) very few if any supplicants enable cert + username and password across multiple platforms. It is possible but costly and you would require a competent consultant to tell you how to pull it all together without creating any security holes.

Colin Joseph
Aruba Customer Engineering
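As an added illustration, not taken from this thread and not ClearPass's own policy engine, the following Python model shows the two points the thread turns on: the certificate must carry an identity the RADIUS server can resolve in the directory (Tim's first question, which the original poster's current certificates cannot answer), and role assignment by LDAP group can only happen once that identity is established and agrees with any password-proven identity. The directory contents, group names, role names and the `AuthContext` fields are all constructed for the example; a real deployment would read them from LDAP/AD and from the authenticated session.

```python
"""
Constructed model of certificate-bound role mapping.
Not ClearPass code; the directory and rule tables stand in for LDAP and a
real policy engine so the logic can run offline.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for LDAP: username -> set of group names.
DIRECTORY = {
    "alice": {"Engineering", "VPN-Users"},
    "bob": {"Finance"},
    "dave": {"Guests"},
}

# Constructed role-mapping table: evaluated top-down, first match wins.
ROLE_RULES = [
    ("Engineering", "eng-wifi"),
    ("Finance", "finance-wifi"),
]
DEFAULT_ROLE = "restricted"


@dataclass
class AuthContext:
    """What the authentication server knows about one session (constructed)."""
    eap_method: str                        # "EAP-TLS" or "PEAP-MSCHAPv2"
    cert_upn: Optional[str] = None         # UPN from the cert SAN, if present
    cert_cn: Optional[str] = None          # subject CN, if present
    inner_username: Optional[str] = None   # identity proven by a password, if any


def certificate_identity(ctx: AuthContext) -> Optional[str]:
    """Username carried by the certificate: prefer the SAN UPN, then the CN.
    Returns None when the certificate names no user (the poster's current certs)."""
    if ctx.cert_upn:
        return ctx.cert_upn.split("@", 1)[0].lower()
    if ctx.cert_cn:
        return ctx.cert_cn.lower()
    return None


def resolve_user(ctx: AuthContext) -> Optional[str]:
    """Return the single username this session may be treated as, or None.
    A certificate identity and a password-proven identity must agree; a session
    that proves two different identities is not mapped to either of them."""
    cert_user = certificate_identity(ctx) if ctx.eap_method == "EAP-TLS" else None
    inner_user = ctx.inner_username.lower() if ctx.inner_username else None
    if cert_user and inner_user and cert_user != inner_user:
        return None
    return cert_user or inner_user


def assign_role(ctx: AuthContext) -> str:
    """Map the resolved user to a role by directory group, or reject."""
    user = resolve_user(ctx)
    if user is None:
        return "reject"                # no usable identity to look up
    groups = DIRECTORY.get(user)
    if groups is None:
        return "reject"                # identity has no directory account
    for group, role in ROLE_RULES:
        if group in groups:
            return role
    return DEFAULT_ROLE


if __name__ == "__main__":
    # Certificate with a UPN: identity resolves, group decides the role.
    print(assign_role(AuthContext("EAP-TLS", cert_upn="alice@corp.example")))
    # Certificate with no user identity at all: nothing to role-map on.
    print(assign_role(AuthContext("EAP-TLS")))
    # Certificate and password name different users: rejected.
    print(assign_role(AuthContext("EAP-TLS", cert_upn="alice@corp.example",
                                  inner_username="bob")))
```

The rule that `resolve_user` enforces is the part worth keeping in mind when re-issuing certificates with a username in them: once the certificate names a user, the directory lookup and any inner-method username should be checked against that name rather than taken on their own, otherwise the certificate adds little beyond proving possession of some valid key.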
