New Contributor
Posts: 3
Registered: ‎10-23-2015

Clearpass interrogating client certificate

I have been looking for advice on how to have Clearpass look for an existing certificate on a Windows 7 client as part of .1x authentication. I am successfully using AD group membership to allow SSO into our corporate SSID, but we also have a Workstation Authentication cert that all of our laptops get via self enrollment when they are added to the domain. I would like to verify this certificate exists.

 

Looking for conceptual advice and specific direction on using this option.

 

TYIA

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: Clearpass interrogating client certificate

- Upload the root CA to ClearPass

- Create a service using the EAP-TLS method

- Configure the supplicant to use machine authentication with EAP-TLS


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
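
Added example, not part of the thread or of Aruba's documentation: a PowerShell check, run on the Windows client, that the machine store holds a certificate the supplicant could present for the EAP-TLS machine authentication outlined in the steps above. It assumes the Workstation Authentication certificate carries the standard Client Authentication EKU and sits in the `LocalMachine\My` store; certificates with no EKU extension are ignored here.

```powershell
# Added example: audit the machine store for an EAP-TLS-capable client certificate.
# 1.3.6.1.5.5.7.3.2 is the standard Client Authentication EKU OID.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date

$results = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs from the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    if ($ekuOids -contains $clientAuthOid) {
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            # Certificate is inside its validity window right now.
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            # EAP-TLS needs the private key; a certificate without it cannot authenticate.
            HasPrivateKey = $cert.HasPrivateKey
            # Basic chain validation against the client's own trust stores.
            ChainValid    = $cert.Verify()
        }
    }
}

$results | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ChainValid -AutoSize

$usable = @($results | Where-Object { $_.InValidity -and $_.HasPrivateKey -and $_.ChainValid })
if ($usable.Count -eq 0) {
    Write-Warning 'No usable Client Authentication certificate found in LocalMachine\My.'
    exit 1
}
Write-Output ("{0} usable machine certificate(s) found." -f $usable.Count)
```

The issuer shown in the output should chain to the same root CA that is uploaded to the ClearPass trust list.
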
New Contributor
Posts: 3
Registered: ‎10-23-2015

Re: Clearpass interrogating client certificate


cappalli wrote:

- Upload the root CA to ClearPass

 

So is this just adding my PKI server in Administration - Certificates - Trust List?

 

- Create a service using the EAP-TLS method

 

I have a 1X service that is working. It does have EAP TLS as an Authentication Method:

 

EAP-TLS.JPG

 

 

- Configure the supplicant to use machine authentication with EAP-TLS


 

Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Re: Clearpass interrogating client certificate


Jayke757 wrote:

I have been looking for advice on how to have Clearpass look for an existing certificate on a Windows 7 client as part of .1x authentication. I am successfully using AD group membership to allow SSO into our corporate SSID, but we also have a Workstation Authentication cert that all of our laptops get via self enrollment when they are added to the domain. I would like to verify this certificate exists.

 

Looking for conceptual advice and specific direction on using this option.

 

TYIA


If you are trying to do username/password authentication for users (EAP-PEAP) and certificate (EAP-TLS) for computers, you cannot do that combination. That is a limitation of the Windows Supplicant. Both authentications need to be EAP-PEAP or EAP-TLS.



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 3
Registered: ‎10-23-2015

Re: Clearpass interrogating client certificate

As I have been researching this today, I came across this document:

 

http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9125/1/ClearPass-Win7-PEAP-TLS-v1.0-20140114.pdf

 

and it looked like what you are describing since I could choose CHAP or Certificate on the Win7 side.

 

What is best practice then, if I would like to verify machine and user?

Guru Elite
Posts: 8,048
Registered: ‎09-08-2010

Re: Clearpass interrogating client certificate

I'd recommend doing user and computer using PEAP controlled by GPO. 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP