
Configure Clearpass to authenticate osx and Linux laptop users

  • 1.  Configure Clearpass to authenticate osx and Linux laptop users

    Posted Aug 07, 2014 10:41 PM
    We have a good working SSID that authenticates our Windows 7 and 8 laptops with machine authentication. We have 3600 controllers. We deploy the root certificate from the Windows CA and the wireless profile through a GPO. Windows 7 and 8 laptops are automatically given a certificate. We use ClearPass for the authentication and an internal Windows CA. This is configured during the installation.

    Now our organization demands that Mac OS X and Linux laptop users can use the same SSID. I did try to let them connect after manually installing the CA root certificate but without success; I receive authentication errors in ClearPass. What steps do I need to take to configure this? Do I need to select other authentication methods in the SSID profile on the controller, do I need to change something in the CA, or do I need to change something in ClearPass?

    Is there some document that describes the steps I need to set this up?

    Thanks,
    Roland
    #3600


  • 2.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    EMPLOYEE
    Posted Aug 07, 2014 10:46 PM
    Can you please post a screenshot of the Alerts tab from a failed authentication request?

    Thanks


  • 3.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    Posted Aug 07, 2014 11:28 PM

    8-8-2014 5-20-10.png 

    This is a Linux laptop that was tried in this case. It seems that the username is used for authentication and not the machine. How does the profile in Linux need to be configured? We did try several options and also selected the certificate, but without success.



  • 4.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    EMPLOYEE
    Posted Aug 07, 2014 11:32 PM
    If you're doing EAP-TLS, you need to manually issue the device a client certificate from ADCS and import that to the client (on top of importing the CA cert for the RADIUS server cert)
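
The manual EAP-TLS route described in the reply above, seen from the Linux laptop, as an added example that is not part of the original thread. It assumes `openssl` and `wpa_supplicant` on the client; the SSID, host names, identity string and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host name, SSID, domain and file names are constructed.

# 1. Create the private key and CSR on the laptop; only the CSR is sent to
#    the Windows CA, the key never leaves the device.
make_csr() {    # usage: make_csr <device-fqdn> <cert-dir>
    ( umask 077     # key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$2/client.key" -out "$2/client.csr" 2>/dev/null )
}

# 2. Before importing: does the issued certificate chain to the CA root, and
#    does it belong to the key generated above? Returns 0 only if both hold.
check_cert() {  # usage: check_cert <root-ca.pem> <client.pem> <client.key>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 3. Emit a wpa_supplicant network block for EAP-TLS. ca_cert plus
#    domain_suffix_match make the client validate the RADIUS server
#    certificate instead of trusting any server that answers.
eap_tls_block() {  # usage: eap_tls_block <ssid> <identity> <cert-dir> <radius-domain>
    cat <<EOF
network={
    ssid="$1"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$2"
    ca_cert="$3/root-ca.pem"
    client_cert="$3/client.pem"
    private_key="$3/client.key"
    domain_suffix_match="$4"
}
EOF
}
```

The signed certificate returned by the CA is saved as `client.pem` next to the key, and the CA root as `root-ca.pem`, before `check_cert` is run and the network block is added to the wpa_supplicant configuration.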


  • 5.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    Posted Aug 07, 2014 11:54 PM

    That makes sense, thanks. I'm going to test this later today. So I have the following options, if I'm correct:

    1. Use current authentication method

    Issue a client certificate, install and connect with EAP-TLS to the current SSID.

    2. Allow username and password access

    Add EAP PEAP and EAP MSCHAPv2 to the service profile in CCPM (and maybe on the SSID/VAP profile on the controller).
    Create/modify the role mapping and/or enforcement policy to allow access based on user group membership in AD.

    3. Start with CCPM Onboarding

    This is new to me, but this is to allow different kinds of OS/devices to auto-enroll and connect to our network, is this correct?

    Are these 3 options correct? Is option 2 also going to work?

    What is the way to go? Currently there are just a handful of laptops other than Windows-based, but I expect this to grow, so I think option 1 can work for now (I'm going to test this later), but for the best managed way, what should we choose?

    Thanks,

    Roland



  • 6.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    EMPLOYEE
    Posted Aug 08, 2014 07:31 AM
    Onboard is the best way to go as it automates the process for Windows, Mac, iOS and Android. Currently you would still have a manual process with Linux, but it's documented on this forum.

    Options 1 and 2 will work, but require lots of manual steps.


  • 7.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    Posted Aug 08, 2014 07:54 AM

    With manual steps you mean manual from the laptop/user perspective?

    Is it correct to say that option 2 is relatively straightforward? Using an AD user for authentication is something that is relatively easy to configure in ClearPass/Aruba controller and also easy to explain to our employees. They just need to connect to our wireless network and use their username and password from AD.

    Is this correct?

    Thanks,

    Roland



  • 8.  RE: Configure Clearpass to authenticate osx and Linux laptop users

    EMPLOYEE
    Posted Aug 08, 2014 07:58 AM
    Yes, and yes. Username/password (PEAP or TTLS) authentication is currently the most popular 802.1X authentication method due to simplicity for end users and no certificate management and enrollment system.

    Certificate authentication (TLS) is the most secure and many organizations are moving this way.

    Also, some flavors of Linux will be supported in a future release.