Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP TLS Authentication - Understanding Method Details

  • 1.  EAP TLS Authentication - Understanding Method Details

    Posted May 08, 2013 11:34 AM

    I'd like to have a better understanding of the Method Details for EAP-TLS.  Specifically, these options:


    • Authorization required

      I'm not sure how this differs from checking the authorization box in the Service that I create, or whether checking this option under EAP-TLS is required for authorization attributes to be pulled automatically?

    • Certificate Comparison

      What do I gain by performing a certificate comparison?  All of our user certs are issued automatically by AD.  I want to be sure that as long as the cert hasn't expired or been revoked, and the user's account hasn't been disabled that they'll be authenticated.

    • Verify Certificate using OCSP

      This is for verifying that a certificate hasn't been revoked using OCSP only, right?  Our certs only include a CRL URL so will the validity of the certs not be verified using a CRL?


  • 2.  RE: EAP TLS Authentication - Understanding Method Details

    Posted May 25, 2013 12:59 PM

    I asked the same before, and someone else did the same in my thread:

    https://community.arubanetworks.com/t5/ClearPass-formerly-known-as/ClearPass-EAP-TLS-configuration/m-p/39758/


    no useful answers unfortunately.



  • 3.  RE: EAP TLS Authentication - Understanding Method Details
    Best Answer

    Posted Mar 11, 2015 05:38 AM

    Hey

    • Authorization required
      You need to untick this option when you don't want to use an additional Authentication source. The Authentication Sources then wouldn't be used.
      See: Cert only authentication (EAP-TLS)
    • Certificate Comparison
      If you choose, e.g., Common Name (CN), then the certificate common name would be checked against the provided common name of the device.
    • Verify Certificate using OCSP
      At this point I don't know how to handle CRL, but if you are using OCSP, why not use this as a validation mechanism?

    Hope these answers help someone.

    Best regards,


    Marcel



  • 4.  RE: EAP TLS Authentication - Understanding Method Details

    Posted Apr 26, 2015 11:15 AM

    Thank you for sharing that information, Marcel. That is what Airheads is about.

    As for OCSP / CRL, I don't believe many systems will check CRL URLs themselves; that is something the client can do if it wants to. CRLs are often local anyway, so the ClearPass might not even be able to reach it. OCSP is the way to go.




  • 5.  RE: EAP TLS Authentication - Understanding Method Details

    EMPLOYEE
    Posted Apr 26, 2015 12:11 PM
    Boneyard,

    The client does not do any checking unless it is in a browser SSL page. The server checks all the parameters above.


  • 6.  RE: EAP TLS Authentication - Understanding Method Details

    Posted Apr 26, 2015 01:30 PM

    Of course, client certificates, so it is the other way around. My bad, thanks for correcting me, cjoseph.
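Two of the three method settings discussed in this thread (Certificate Comparison on the CN, and OCSP versus CRL as the revocation source) come down to what the server can read out of the presented client certificate. The following is an added illustration in Go using only the standard library, not ClearPass code: it builds a constructed, self-signed client certificate that carries only a CRL distribution point (the AD-issued case from the question), reports which revocation endpoints the certificate advertises, and performs a CN comparison against a claimed identity. The URL, the user name `jdoe`, and the fixed test key are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationSources returns the CRL distribution points and OCSP responder URLs
// a certificate advertises; with no OCSP URL, an OCSP-only check has no responder.
func RevocationSources(cert *x509.Certificate) (crls, ocsp []string) {
	return cert.CRLDistributionPoints, cert.OCSPServer
}

// CompareCommonName models "Certificate Comparison: Common Name" (exact match).
func CompareCommonName(cert *x509.Certificate, claimed string) bool {
	return cert.Subject.CommonName == claimed
}

// newTestCert builds a constructed, self-signed client certificate (fixed test
// key, not for real use) carrying the given CRL and OCSP URLs, for offline checks.
func newTestCert(cn string, crlURLs, ocspURLs []string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: crlURLs,
		OCSPServer:            ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newTestCert("jdoe", []string{"http://crl.example.test/users.crl"}, nil)
	if err != nil {
		panic(err)
	}
	crls, ocsp := RevocationSources(cert)
	fmt.Println("CRL:", crls, "OCSP:", ocsp, "CN matches jdoe:", CompareCommonName(cert, "jdoe"))
}
```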