Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Clearpass interrogating client certificate

This thread has been viewed 0 times

  • 1.  Clearpass interrogating client certificate

    Posted Feb 05, 2016 11:49 AM

    I have been looking for advice on how to have Clearpass look for an existing certificate on a Windows 7 client as part of .1x authentication. I am successfully using AD group membership to allow SSO into our corporate SSID, but we also have a Workstation Authentication cert that all of our laptops get via self enrollment when they are added to the domain. I would like to verifiy this certificate exists.

     

    Looking for conceptual advice and specific direction on using this option.

     

    TYIA



  • 2.  RE: Clearpass interrogating client certificate

    EMPLOYEE
    Posted Feb 05, 2016 11:52 AM

    - Upload the root CA to ClearPass

    - Create a service using the EAP-TLS method

    - Configure the supplicant to use machine authentication with EAP-TLS



  • 3.  RE: Clearpass interrogating client certificate

    Posted Feb 05, 2016 12:03 PM
    @cappalli wrote:

    - Upload the root CA to ClearPass

     

    So is this just adding my PKI server in Administration - Certificates - Trust List?

     

    - Create a service using the EAP-TLS method

     

    I have a 1X service that is working. It does have EAP TLS as an Authentication Method:

     

    EAP-TLS.JPG

     

     

    - Configure the supplicant to use machine authentication with EAP-TLS

     



  • 4.  RE: Clearpass interrogating client certificate

    EMPLOYEE
    Posted Feb 05, 2016 01:55 PM
    @Jayke757 wrote:

    I have been looking for advice on how to have Clearpass look for an existing certificate on a Windows 7 client as part of .1x authentication. I am successfully using AD group membership to allow SSO into our corporate SSID, but we also have a Workstation Authentication cert that all of our laptops get via self enrollment when they are added to the domain. I would like to verifiy this certificate exists.

     

    Looking for conceptual advice and specific direction on using this option.

     

    TYIA

    If you are trying to do username/password authentication for users (EAP-PEAP) and certificate (EAP-TLS) for computers, you cannot do that combination.  That is a limitation of the Windows Supplicant.  Both authentication needs to be EAP-PEAP or EAP-TLS.



  • 5.  RE: Clearpass interrogating client certificate

    Posted Feb 05, 2016 02:17 PM

    As I have been researching this today. I came across this document:

     

    http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9125/1/ClearPass-Win7-PEAP-TLS-v1.0-20140114.pdf

     

    and it looked like what you are describing since I could choose CHAP or Certificate on the Win7 side.

     

    What is best practice then, if I would like to verify machine and user?



  • 6.  RE: Clearpass interrogating client certificate

    EMPLOYEE
    Posted Feb 05, 2016 02:24 PM
    I'd recommend doing user and computer using PEAP controlled by GPO. 

    Sent from Nine