Occasional Contributor I

Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

I want to set up CAC smartcard login for admin access to ClearPass. Has anyone gotten this working?

Guru Elite

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

Certificate-based management authentication is available starting in CP 6.5.


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

6.5 is quite new, right? Have any bugs reared their heads yet?


cappalli wrote:
Certificate-based management authentication is available starting in CP 6.5.


Thanks, 
Tim

Guru Elite

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

I personally haven't found any issues. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

We're getting approval to upgrade to 6.5. Is there a guide about doing it, or some other resource that might be helpful?

Guru Elite

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

I don't think there is a deployment guide specifically for that quite yet, but there is some information in the 6.5 User Guide. It may be best to reach out to your Aruba or partner team.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

Requires 4 steps:

- Create a Web Login page enabled as SAML IdP
  -- Set Vendor Settings to "Single Sign-On - SAML Identity Provider"
  -- Set Client Certificate to "Required - require a client certificate from the user"
  -- Set Authentication to "Certificate Only - no username or password required"

- Run the Certificate/Two-Factor Authentication for ClearPass Application Login service template to create the appropriate services
  -- Select the Applications for which you want to enable certificate authentication
  -- Select the Authentication Source (though this won't be used if you're only using certificates)
  -- Select the IdP page you created above
  -- Specify the enforcement details (essentially you're mapping certificate attributes to operator privileges). You can tweak these later by editing the appropriate Enforcement Profile

- In Configuration > Identity > Single Sign-On (SSO)
  -- Set the IdP URL to your Web Login page (e.g. https://<CPPM>/guest/idp.php)
  -- Ensure SSO is enabled for the applications you want

- Add the root/issuer of your client certificates to Administration > Certificates > Trust List

I would suggest just enabling SSO for Insight as a starting point. You can then test by browsing to https://<CPPM>/insight. This prevents locking yourself out of the Policy Manager or Guest until you have the workflow down. If you've done everything correctly, when you hit the Insight page, you'll be redirected to the Web Login page which will prompt for a client certificate. Select your client cert and submit. The client cert should be accepted as your credential and you should be logged into Insight.
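As an added example (not ClearPass or Aruba code, and not part of the post above), a small pre-flight check that a practitioner can run before the first Insight test. It flags the two things that tend to break this workflow: browsing to ClearPass by a host that differs from the IdP server name (the SAML redirect lands on the server name), and a client-certificate issuer that is not yet in the Trust List. All hostnames, URLs and issuer names are constructed.

```python
# Pre-flight check for certificate-only SSO admin login on ClearPass.
# Added example; the IdP path /guest/idp.php follows the post above, and
# every hostname and issuer DN used here is constructed.
from ipaddress import ip_address
from urllib.parse import urlparse


def is_ip_literal(host: str) -> bool:
    """True when host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_sso_preflight(idp_url: str, browse_url: str,
                        cert_issuer: str, trust_list: set) -> list:
    """Return a list of problem codes; an empty list means the setup is consistent.

    idp_url     -- IdP URL set under Configuration > Identity > Single Sign-On
    browse_url  -- URL the admin will use for the first test (e.g. Insight)
    cert_issuer -- issuer DN of the client (CAC) certificate
    trust_list  -- issuer DNs present in Administration > Certificates > Trust List
    """
    problems = []
    idp, browse = urlparse(idp_url), urlparse(browse_url)

    if idp.scheme != "https":
        problems.append("IDP_NOT_HTTPS")
    if idp.path != "/guest/idp.php":
        problems.append("IDP_PATH_NOT_WEB_LOGIN")  # expected https://<CPPM>/guest/idp.php
    if not idp.hostname or is_ip_literal(idp.hostname):
        problems.append("IDP_HOST_NOT_FQDN")       # SAML ACS redirect uses the server name
    if browse.hostname != idp.hostname:
        # Testing via another name or the IP ends at the ACS URL on the server
        # name, which the browser cannot reach unless that name resolves.
        problems.append("BROWSE_HOST_MISMATCH")
    if cert_issuer not in trust_list:
        problems.append("ISSUER_NOT_TRUSTED")      # step 4 of the procedure
    return problems


if __name__ == "__main__":
    trust = {"CN=Example Issuing CA, O=Example Org"}  # constructed Trust List entry
    print(check_sso_preflight("https://cppm.example.com/guest/idp.php",
                              "https://192.0.2.10/insight",
                              "CN=Example Issuing CA, O=Example Org", trust))
```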

Occasional Contributor I

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

I used rfiler's very excellent instructions. I'm now getting prompted for a certificate and get to select it and enter my PIN. After that, I get redirected to https://<the server name of the device>/networkservices/saml2/sp/acs (I got to it by the IP address originally) and Internet Explorer's "cannot display the webpage" screen.

Did my brain block out a chunk of the instructions and I just forgot to do something?

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

If you are still stuck, did you try with other browsers? Other versions of IE?

You might try with something other than certificate first, and then move there.

Occasional Contributor I

Re: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

It doesn't work at all in Firefox. It goes straight to "You must provide a valid certificate". That could be a configuration that is forced on us by GP, but it will never change. Chrome can't be installed here, and we are locked in to our IE version (9).

I've gotten around the redirect issue by making a hosts entry on my PC. Now after I get prompted for the certificate I get "HTTP Status 403 - RelayState missing/invalid" and "Access to the specified resource has been forbidden". However, if I close that window and go back in, it takes me straight in. It doesn't even prompt for a PIN, which is a problem, but I'm cautiously optimistic.
