Contributor I

EAP TLS with ADCS for machine auth

I've searched and searched and can't quite find a thread on here with the same symptoms. What I'd like to achieve is doing machine authentication with our Macs using a certificate assigned from our AD CA. I've got what I think is a very basic service configured, but the client keeps failing with "user not found". According to Access Tracker, it's not looking at AD as the authentication source even though it's specified.

 

-Mac laptop (10.13.4) joined to AD

-It's getting the AD, ClearPass, and trusted CA certs via profile manager (I'm 99.9% sure this is all working as it should)

-AD CA cert installed in ClearPass trust list

-EAP TLS with authorization checkbox unchecked

-AD authentication source with default settings, working fine for EAP PEAP on production SSID

 

What am I missing?

 

[Screenshots, 2018-04-26: Service config - 2012 AD as auth source; Auth source "none"; User not found]

Guru Elite

Re: EAP TLS with ADCS for machine auth

Remove the authentication source from your service.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: EAP TLS with ADCS for machine auth

Ok that works, but I had to change my role mapping rules. I had tried that, but my role mappings were based on AD attributes so it was still failing, just with a slightly different error message.

Guru Elite

Re: EAP TLS with ADCS for machine auth

Just to be clear, this service is only handling machine authentications, correct?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: EAP TLS with ADCS for machine auth

Yes it is, but this is only a test service. The plan would be to eventually add it to our production service which is now only doing EAP PEAP for user auth. I'm pretty sure I saw a config in an old thread for how to do that.

Guru Elite

Re: EAP TLS with ADCS for machine auth

It would be better to keep machine auth in its own service since authorization is not enabled.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: EAP TLS with ADCS for machine auth

Makes sense. Is there a way I can do that if it's using the same SSID?

Guru Elite

Re: EAP TLS with ADCS for machine auth

Yes, services are not tied to SSIDs.

Use service rules that check for:
Authentication:Full-Username BEGINS_WITH host/
Authentication:Full-Username ENDS_WITH .yourdomain.xyz

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
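The two service rules above, as an added example that is not part of the original thread and not ClearPass code: a small Python model of "Matches ALL" service classification, run over a few constructed requests, to show what the BEGINS_WITH / ENDS_WITH pair does and does not catch. The attribute name Authentication:Full-Username, the operators and the domain placeholder yourdomain.xyz come from the post; the service names, the PEAP service's NAS-Port-Type rule, the case-insensitive comparison and the sample requests are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

DOMAIN = "yourdomain.xyz"  # placeholder from the thread; substitute your AD DNS domain


@dataclass(frozen=True)
class Rule:
    """One service-rule condition: <attribute> <operator> <value>."""
    attribute: str
    operator: str   # BEGINS_WITH | ENDS_WITH | EQUALS
    value: str

    def matches(self, request: dict[str, str]) -> bool:
        actual = request.get(self.attribute)
        if actual is None:
            return False            # a missing attribute never satisfies a rule
        # Assumption: compare case-insensitively, since a supplicant may send
        # the host name in upper case while the rule is written in lower case.
        a, v = actual.lower(), self.value.lower()
        if self.operator == "BEGINS_WITH":
            return a.startswith(v)
        if self.operator == "ENDS_WITH":
            return a.endswith(v)
        if self.operator == "EQUALS":
            return a == v
        raise ValueError(f"unsupported operator: {self.operator}")


@dataclass(frozen=True)
class Service:
    """A service and its classification rules ("Matches ALL" semantics)."""
    name: str
    rules: tuple[Rule, ...]

    def matches(self, request: dict[str, str]) -> bool:
        return all(rule.matches(request) for rule in self.rules)


MACHINE_SERVICE = Service(
    "Machine Auth EAP-TLS",           # no authentication source, per the thread
    (
        Rule("Authentication:Full-Username", "BEGINS_WITH", "host/"),
        Rule("Authentication:Full-Username", "ENDS_WITH", f".{DOMAIN}"),
    ),
)

USER_SERVICE = Service(
    "User Auth EAP-PEAP",             # assumed rule for the existing production service
    (Rule("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11"),),
)

# Order matters: the narrow machine service must sit above the broader PEAP
# service, because services are evaluated top-down and the first match wins.
SERVICES = (MACHINE_SERVICE, USER_SERVICE)


def classify(request: dict[str, str], services=SERVICES) -> str | None:
    """Return the name of the first service whose rules all match, or None."""
    for service in services:
        if service.matches(request):
            return service.name
    return None


# Constructed sample requests (not real Access Tracker data).
REQUESTS = {
    "machine":       {"Authentication:Full-Username": f"host/mac-001.{DOMAIN}",
                      "Radius:IETF:NAS-Port-Type": "Wireless-802.11"},
    "machine_upper": {"Authentication:Full-Username": f"HOST/MAC-002.{DOMAIN.upper()}",
                      "Radius:IETF:NAS-Port-Type": "Wireless-802.11"},
    "user":          {"Authentication:Full-Username": f"jdoe@{DOMAIN}",
                      "Radius:IETF:NAS-Port-Type": "Wireless-802.11"},
    "foreign_host":  {"Authentication:Full-Username": "host/laptop.otherdomain.example",
                      "Radius:IETF:NAS-Port-Type": "Wireless-802.11"},
    "wired_host":    {"Authentication:Full-Username": f"host/mac-003.{DOMAIN}",
                      "Radius:IETF:NAS-Port-Type": "Ethernet"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:14s} -> {classify(req)}")
    # Same machine request with the services in the wrong order: the PEAP
    # service takes the wireless machine auth before the EAP-TLS service is tried.
    print("machine, services reversed ->", classify(REQUESTS["machine"], SERVICES[::-1]))
```

Two things the run makes visible: a host/ identity from another domain is not caught by the machine service and falls through to whatever comes next, which is why the ENDS_WITH rule is there and not just BEGINS_WITH host/; and if the PEAP service is listed first, wireless machine auths never reach the EAP-TLS service, so the machine service has to be ordered above it.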