Security

Occasional Contributor II
Posts: 17
Registered: 06-17-2009

How do I configure EAP-TLS (802.1x with Cert) on ClearPass

I'm trying to configure ClearPass PM to authenticate Cisco IP Phones using EAP-TLS with certs.  Can someone point me to the instructions on how to do EAP-TLS.  I'm getting a response that the Certificate is unknown.  I've loaded the cert onto the CPPM server.

Guru Elite
Posts: 21,019
Registered: 03-29-2007

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

ClearPass Needs:

- A server certificate issued by a Certificate Authority and uploaded to the ClearPass Policy Manager (Administration > Certificates > Server Certificate). Create a certificate signing request, import the request into your CA, and import the resulting Server Certificate and Private Key back into ClearPass Policy Manager.

- A CA (Certificate Authority) certificate issued by the Certificate Authority that issues the certificates to the phones. Import it into Administration > Certificates > Trust List.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 17
Registered: 06-17-2009

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

I've generated the CSR and had the Server cert and private key files imported to the CPPM server. Still getting the same error.

Occasional Contributor II
Posts: 17
Registered: 06-17-2009

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

A little more info. I've got the Cisco IP phone

Occasional Contributor II
Posts: 17
Registered: 06-17-2009

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

Let me provide a little more background....

Cisco_IP_Phone > RAP3:port2 > Home_Router > Internet > 3400 Controller

  • I've got an 802.1x aaa profile configured and applied to the eth2 port on the RAP ap profile.
  • The aaa profile points to the CPPM server for authentication.

  • The CPPM server has been added to the AD Domain.
  • I generated a CSR for the CPPM and had the cert and private key files generated on our Internal CA.
  • I've imported the Server cert and private key files into the CPPM server.

  • I've generated a CSR for the Cisco UC server, enabled CAPF service on the Cisco UC server and modified the CTL file (all per Cisco documentation and VAR assistance).
  • I've then enabled the Cisco IP Phone for 802.1x and had the LSC cert pushed down to it from the Cisco UC server.

I am getting this error in the Activity Log:

Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request (RADIUS):
EAP-TLS: client certificate CN/SAN comparison failure
EAP-TLS: fatal alert by server - certificate_unknown

 

Guru Elite
Posts: 21,019
Registered: 03-29-2007

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

Is the LSC cert generated by the Cisco UC server?  I'm afraid that I'm not familiar...


Aruba Employee
Posts: 37
Registered: 11-04-2011

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

It looks like it's failing to do CN comparison. If you look at your EAP-TLS authentication method in CPPM, do you have CN comparison enabled? You could try to disable certificate comparison to see if that helps.

Occasional Contributor II
Posts: 17
Registered: 06-17-2009

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

Yes, the Cisco UC server is running CAPF services, which is used to generate the LSC (Locally Significant Certificate) for the IP Phones.  The CAPF server was configured by generating a CSR to our Internal CA.

Occasional Contributor II
Posts: 17
Registered: 06-17-2009

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

Within the EAP-TLS authentication method on CPPM, it is set as shown below:

Name: Copy_of_[EAP TLS]
Description: Compare Common Name for IP Phone Cert Comparison
Type: EAP-TLS

Method Details
Session Resumption: Enable
Session Timeout: 6 hours
Authorization Required: Enable
Certificate Comparison: Compare Common Name (CN)
Verify Certificate using OCSP: None
Override OCSP URL from Client: Enable
OCSP URL:

If I change the Certificate Comparison to "Do Not Compare" the phone gets on the network.  My concern here is that there is no security.  Does this basically disable the EAP-TLS function of mutual cert verification?

Aruba Employee
Posts: 37
Registered: 11-04-2011

Re: How do I configure EAP-TLS (802.1x with Cert) on ClearPass

No, it does not disable mutual cert verification. Checks to make sure that the certificate is issued by a trusted root CA are still done. All you are disabling is checking a 3rd location to see if the CN on the certificate exists there. So if you wanted to make sure that the CN of the certificate exists in LDAP or AD or somewhere else, then you would want the compare CN to be enabled. 

 

The only other check you would want from a security perspective would be CRL or OCSP. You want to make sure that the certificate has not been revoked. 
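Added example, not code from this thread and not ClearPass code: a standard-library Go program that builds a constructed mini-PKI (an internal CA plus one phone certificate with a made-up CN) and runs the three separate decisions the reply above describes as independent: chain validation against the trust list, the optional CN lookup in an identity store (a map standing in for AD/LDAP), and a revocation lookup (a map of revoked serials standing in for a CRL/OCSP answer). Disabling the CN comparison only drops the second decision; the first still fails for any certificate not issued by a trusted CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue generates an Ed25519 key and returns a certificate for cn signed by parent;
// a nil parent yields a self-signed CA (the "Internal CA" placed in the trust list).
func Issue(cn string, serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed CA must be allowed to sign certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Result holds the three independent decisions discussed in the thread.
type Result struct{ ChainOK, CNFound, NotRevoked bool }

// Evaluate runs (1) chain validation against the trust list, which "Do Not Compare" leaves on,
// (2) the CN lookup that "Compare Common Name" adds, against a map standing in for AD/LDAP,
// and (3) a revocation lookup against a map of revoked serials standing in for CRL/OCSP.
func Evaluate(client *x509.Certificate, trust *x509.CertPool, store, revoked map[string]bool) Result {
	_, err := client.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return Result{ChainOK: err == nil, CNFound: store[client.Subject.CommonName], NotRevoked: !revoked[client.SerialNumber.String()]}
}

func main() { // constructed sample PKI: the CA name and phone CN are made up for the example
	ca, caKey := Issue("Internal CA", 1, nil, nil)
	phone, _ := Issue("SEP001122334455", 2, ca, caKey)
	trust := x509.NewCertPool()
	trust.AddCert(ca)
	fmt.Printf("%+v\n", Evaluate(phone, trust, map[string]bool{"SEP001122334455": true}, nil))
}
```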
