Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How do I configure EAP-TLS (802.1x with Cert) on ClearPass

  • 1.  How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 21, 2012 12:47 PM

    I'm trying to configure ClearPass PM to authenticate Cisco IP Phones using EAP-TLS with certs.  Can someone point me to the instructions on how to do EAP-TLS.  I'm getting a response that the Certificate is unknown.  I've loaded the cert onto the CPPM server.



  • 2.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    EMPLOYEE
    Posted Nov 21, 2012 12:57 PM

    ClearPass needs:

    - A server certificate issued by a Certificate Authority and uploaded to the ClearPass Policy Manager (Administration > Certificates > Server Certificate). Create a certificate signing request, import the request into your CA, and import the resulting server certificate and private key back into ClearPass Policy Manager.

    - A (CA) Certificate Authority certificate issued by the Certificate Authority that issues the certificates to the phones. Import it into Administration > Certificates > Trust List.



  • 3.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 27, 2012 05:46 PM

    Let me provide a little more background...

    Cisco_IP_Phone > RAP3:port2 > Home_Router > Internet > 3400Controller

    • I've got an 802.1x AAA profile configured and applied to the eth2 port on the RAP AP profile.
    • The AAA profile points to the CPPM server for authentication.

    • The CPPM server has been added to the AD domain.
    • I generated a CSR for the CPPM and had the cert and private key files generated on our internal CA.
    • I've imported the server cert and private key files into the CPPM server.

    • I've generated a CSR for the Cisco UC server, enabled the CAPF service on the Cisco UC server and modified the CTL file (all per Cisco documentation and VAR assistance).
    • I've then enabled the Cisco IP Phone for 802.1x and had the LSC cert pushed down to it from the Cisco UC server.

    I am getting this error in the Activity Log:

    Error Code: 215
    Error Category: Authentication failure
    Error Message: TLS session error
    Alerts for this Request:
    RADIUS   EAP-TLS: client certificate CN/SAN comparison failure
    EAP-TLS: fatal alert by server - certificate_unknown

     



  • 4.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    EMPLOYEE
    Posted Nov 27, 2012 06:59 PM

    Is the LSC cert generated by the Cisco UC server?  I'm afraid that I'm not familiar...




  • 5.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 28, 2012 11:44 AM

    Yes, the Cisco UC server is running CAPF services, which is used to generate the LSC (Locally Significant Certificate) for the IP Phones. The CAPF server was configured by generating a CSR to our internal CA.



  • 6.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 27, 2012 07:45 PM

    It looks like it's failing to do CN comparison. If you look at your EAP-TLS authentication method in CPPM, do you have CN comparison enabled? You could try to disable certificate comparison to see if that helps.



  • 7.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 28, 2012 12:01 PM

    Within the EAP-TLS authentication method on CPPM, it is set as shown below:

    General
    Name: Copy_of_[EAP TLS]
    Description: Compare Common Name for IP Phone Cert Comparison
    Type: EAP-TLS

    Method Details
    Session Resumption: Enable
    Session Timeout: 6 hours
    Authorization Required: Enable
    Certificate Comparison: Compare Common Name (CN)
    Verify Certificate using OCSP: None
    Override OCSP URL from Client: Enable
    OCSP URL:


    If I change the Certificate Comparison to "Do Not Compare" the phone gets on the network.  My concern here is that there is no security.  Does this basically disable the EAP-TLS function of mutual cert verification?



  • 8.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 28, 2012 12:33 PM

    No, it does not disable mutual cert verification. Checks to make sure that the certificate is issued by a trusted root CA are still done. All you are disabling is checking a 3rd location to see if the CN on the certificate exists there. So if you wanted to make sure that the CN of the certificate exists in LDAP or AD or somewhere else, then you would want the compare CN to be enabled. 


    The only other check you would want from a security perspective would be CRL or OCSP. You want to make sure that the certificate has not been revoked. 



  • 9.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 27, 2012 12:15 PM
    I've generated the CSR and had the Server cert and private key files imported to the CPPM server. Still getting the same error.



  • 10.  RE: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

    Posted Nov 27, 2012 12:15 PM
    A little more info. I've got the Cisco IP phone