Occasional Contributor II

EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Hi,

I want to authenticate thin clients and IP phones, which get their certificates automatically via SCEP, with EAP-TLS. These devices have no Active Directory object, and I only want to check the certificate and read the certificate template name attribute of the certificate. I want to use the certificate template name to set an explicit VLAN and ACL for these devices. For example, if ClearPass gets an authentication request with a certificate which has "smartphone" in the template name, it will get the smartphone VLAN. If it gets a request with "thinclient", it will get the thin client VLAN.

I've attached a screenshot of the ClearPass rule editor.

My problem is that I couldn't find the certificate template name as an attribute in the ClearPass rule set.

Clearpass.png

Thanks a lot

Guru Elite

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Unfortunately custom EKUs/OIDs are not currently available in policy.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Thanks for your fast answer.

So what could be a solution for this problem?

I have to roll out certificates automatically via SCEP for different devices (MDM, IP phones, thin clients, printers) with different rules...

What is the best practice, for example, for authenticating thin clients with a certificate?

I have to check if there is a possibility to set an attribute like "thinclient" in the SAN. Am I right that it is possible to filter the SAN for attributes? Is it the same as in the onboarding process?

Guru Elite

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Who is the CA?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

The CA is a Windows CA, but with NDES / SCEP.

The management software of the thin clients sends a certificate request to the Windows CA and installs the certificate on the thin client.

There is no Active Directory object for the thin client.

Could it be a possibility to simply write "thinclient" in the OU field of the certificate and match on this?

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Why not use ClearPass profiling to identify whether it's an IP phone, printer, thin client, etc., and validate the certificate information to ensure it's a corporate-owned asset?

DHCP and IF-MAP can be set up fairly easily. SNMP/WMI/SSH profiling takes a little more work.

If device type = Unknown or NOT EXISTS, drop it into a limited-access VLAN which allows DHCP; that should be enough to fingerprint the device, and when it reauthenticates, it is known as its correct type.

Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Guru Elite

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Yes, that would probably be the best approach.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

Thank you for the tip about profiling.

The customer wants to do the majority of clients with EAP-TLS and has the possibility to send certificates automatically to the devices.

But I think I could also use profiling for devices which are not getting certificates.

Where could I find a config / best-practice guide for profiling?

Thanks

Occasional Contributor II

Re: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

@Tim

What do you think, is it better to use the SAN or the OU attribute of the certificate? SAN would be the same as the onboarding configuration.

I have to check the management software of the thin clients to see which attributes are editable. Maybe it's not possible to use the OU for all kinds of devices (thin clients, printers, MDM).

Thanks
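Added example, not part of the thread and not ClearPass code: it shows where the three candidate attributes discussed above actually live in a client certificate (OU in the Subject, dNSName in the subjectAltName extension, and the Microsoft "Certificate Template Name" extension 1.3.6.1.4.1.311.20.2 written by a Windows CA for v1 templates), and then applies the substring-style VLAN mapping the question describes over only the fields a NAC exposes, with an explicit quarantine VLAN for anything unmatched (the limited-access VLAN suggested for Unknown devices). A tiny DER encoder/decoder stands in for a crypto library so it runs offline; the subject values, hostnames, template name, VLAN numbers and the `assign_vlan`/`extract_policy_attributes` helpers are all constructed for illustration. Windows CAs using v2+ templates carry the template as an OID in a different extension (1.3.6.1.4.1.311.21.7), which this block does not model.

```python
"""Added example (not from the thread): extract the certificate fields a NAC
policy could match on from DER-encoded X.509 parts, then map them to a VLAN
with an explicit quarantine fallback. Only the Subject Name and the Extensions
block are modelled; sample values and VLAN numbers are constructed."""

OID_OU = "2.5.4.11"                             # X.520 organizationalUnitName
OID_SAN = "2.5.29.17"                           # subjectAltName
OID_MS_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"   # Microsoft Certificate Template Name (v1)

# ---- minimal DER helpers ---------------------------------------------------
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                         # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0   # enough for arcs starting 1.x / 2.5
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner

# ---- builders for the constructed sample certificate parts -----------------
def encode_name(rdns):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, values as UTF8String."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(0x0C, val.encode()))) for oid, val in rdns))

def encode_extensions(san_dns=(), template=None):
    exts = []
    if san_dns:                                  # GeneralName [2] dNSName
        names = b"".join(tlv(0x82, d.encode()) for d in san_dns)
        exts.append(tlv(0x30, encode_oid(OID_SAN) + tlv(0x04, tlv(0x30, names))))
    if template:                                 # BMPString, as a Windows CA writes it
        bmp = tlv(0x1E, template.encode("utf-16-be"))
        exts.append(tlv(0x30, encode_oid(OID_MS_TEMPLATE_NAME) + tlv(0x04, bmp)))
    return tlv(0x30, b"".join(exts))

# ---- what a policy engine could see ----------------------------------------
def extract_policy_attributes(subject_der: bytes, extensions_der: bytes) -> dict:
    attrs = {"ou": [], "san_dns": [], "template": []}
    _, name, _ = read_tlv(subject_der)
    for _, rdn_set in children(name):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = list(children(atv))
            if decode_oid(oid) == OID_OU:
                attrs["ou"].append(value.decode())
    _, exts, _ = read_tlv(extensions_der)
    for _, ext in children(exts):
        parts = list(children(ext))              # OID, optional critical BOOLEAN, OCTET STRING
        oid, payload = decode_oid(parts[0][1]), parts[-1][1]
        if oid == OID_SAN:
            _, names, _ = read_tlv(payload)
            attrs["san_dns"] += [b.decode() for t, b in children(names) if t == 0x82]
        elif oid == OID_MS_TEMPLATE_NAME:
            _, bmp, _ = read_tlv(payload)
            attrs["template"].append(bmp.decode("utf-16-be"))
    return attrs

VLAN_BY_DEVICE_CLASS = {"thinclient": 30, "ipphone": 40, "printer": 50}   # constructed
QUARANTINE_VLAN = 999                                                       # constructed

def assign_vlan(attrs: dict, exposed_fields=("ou", "san_dns")):
    """Substring match (as in the question) over the fields the NAC exposes;
    anything unmatched lands in the quarantine VLAN, never a production one."""
    for field in exposed_fields:
        for value in attrs[field]:
            for device_class, vlan in VLAN_BY_DEVICE_CLASS.items():
                if device_class in value.lower():
                    return device_class, vlan
    return "unknown", QUARANTINE_VLAN

def demo():
    # Constructed: thin-client cert tagged both in OU and in the template extension.
    subject = encode_name([("2.5.4.10", "Example Corp"), (OID_OU, "thinclient"), ("2.5.4.3", "tc-0042")])
    exts = encode_extensions(san_dns=["tc-0042.example.net"], template="ThinClientEAPTLS")
    tagged = extract_policy_attributes(subject, exts)
    # Constructed: same template, but nothing identifying in OU or SAN.
    bare = extract_policy_attributes(encode_name([("2.5.4.3", "tc-0043")]),
                                     encode_extensions(template="ThinClientEAPTLS"))
    return {"tagged": assign_vlan(tagged),
            "bare_without_template_support": assign_vlan(bare),
            "bare_with_template_support": assign_vlan(bare, exposed_fields=("template",))}

if __name__ == "__main__":
    print(demo())
```

The second sample certificate is the point of the exercise: a device whose only class marker is the template extension is placed in the quarantine VLAN by a policy engine that cannot read that extension, and only reaches the thin-client VLAN once the marker is also present in a field the engine does expose (OU or SAN), which is why the thread converges on putting the device class into one of those fields.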
