Frequent Contributor II
Posts: 144
Registered: ‎01-21-2015

Clearpass as CA + AD as authentication source

Hi all,

I need to do the following,

1. AD as authentication source.

2. Clearpass as Certificate authority.

 

So the user has to have one valid AD account and a root CA from ClearPass.

Is it possible?

rana
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Clearpass as CA AD as authentication source

What is the purpose of the CA? It is much easier to integrate the CA with AD.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 144
Registered: ‎01-21-2015

Re: Clearpass as CA AD as authentication source

I also suggested the same to the customer, but for some unknown reason their management wants this.

So they want to do user authentication from AD but want to use ClearPass as the CA server.

 

rana
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Clearpass as CA AD as authentication source

Again,

 

Please find out what the purpose of the CA would be in their environment. ClearPass as a CA would be mainly to issue EAP-TLS certificates to clients for onboard. It can issue EAP-TLS certificates outside of onboard, but it would have to be manual. If your customer wanted EAP-TLS certificates, it is much easier for the customer's AD to turn on autoenrollment in group policy to distribute those certificates automatically.

 

Again, what is the purpose of the CA in your customer's environment?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 144
Registered: ‎01-21-2015

Re: Clearpass as CA AD as authentication source

Colin,

Thanks for your quick response.

When it comes to certificates I'm a novice.

Let me tell you what the customer asked me.

1. Machine authentication - against AD.

2. User authentication - against AD.

Each time there will also be one certificate authentication, and that is against ClearPass.

They are saying that they will push the CPPM root CA to each machine so that the user can perform the cert authentication.

The purpose, in the sense that they want a secure auth method for their privileged employees.

They already have a CA, but for wireless, for some unknown reason, they don't want to use that.

 

rana
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Clearpass as CA AD as authentication source

If they want to do certificate-based authentication, you will have to push at least 3 certificates to each machine.

 

1 Root CA certificate

1 Machine certificate

At least 1 user certificate


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 144
Registered: ‎01-21-2015

Re: Clearpass as CA AD as authentication source

So if they push cert A to user A in mac A.

User B cannot complete authentication on that machine until or unless user B manually installs cert B on that machine.

Right?

rana
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Clearpass as CA AD as authentication source

PEAP (username and password authentication) at minimum only requires that the client trusts the CA of the Radius Server.  If you use AD to configure your CA and to issue the server cert to your Radius Server, this happens automatically with all clients that have joined the domain.

 

EAP-TLS (machine or user certificate authentication) at minimum requires the client trust the CA of the radius server, and also that a user or machine certificate be issued.  If you enable autoenrollment in AD, both of these things happen automatically with domain clients.

 

The CA in ClearPass is mainly useful to distribute EAP-TLS certificates to clients using onboard, which requires a client to access a webpage to distribute a certificate. It is targeted at non-domain devices that do not automatically trust the CA and server cert, and would not be able to easily get a client certificate.

 

If your client falls into scenario #1 or #2, it is best they use the domain for the CA, because it is easier to set up and maintain.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 144
Registered: ‎01-21-2015

Re: Clearpass as CA AD as authentication source

Hi Colin,

Thanks for your help.

Today I was trying to implement EAP-TLS for a client and am getting the following error:

EAP-TLS.jpg

Is it required to install the root CA in ClearPass also?

 

rana
Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: Clearpass as CA AD as authentication source

Yes. You need to install the CA certificate in Administration > Certificates > Trust List.



Colin Joseph
Aruba Customer Engineering
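
The trust-list requirement from the reply above, modelled with the openssl CLI as an added example (not part of the thread, and not ClearPass's own validation code): a client certificate is accepted only when the CA that issued it is in the verifier's trust list. The CA names, file names and the functions `make_lab_pki`, `client_cert_trusted` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Constructed lab PKI: every key and certificate here is generated locally.

# make_lab_pki DIR: create an issuing CA, an unrelated CA, and a client
# certificate signed by the issuing CA (all names are hypothetical).
make_lab_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Lab Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user-a" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/client.csr" -days 7 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
}

# client_cert_trusted TRUST_LIST CLIENT_CERT: exit 0 only if the client
# certificate chains to a CA in TRUST_LIST, the same question the RADIUS
# server answers during EAP-TLS.
client_cert_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: compare a trust list without the issuer against one that has it.
demo() {
    d=$(mktemp -d) || return 1
    make_lab_pki "$d" || { rm -rf "$d"; return 1; }
    for trust in other.pem ca.pem; do
        if client_cert_trusted "$d/$trust" "$d/client.pem"; then
            echo "trust list = $trust: client certificate accepted"
        else
            echo "trust list = $trust: client certificate rejected"
        fi
    done
    rm -rf "$d"
}
demo
```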
