Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Inner and outer identity 802.1x

  • 1.  Inner and outer identity 802.1x

    Posted Jan 16, 2014 06:12 PM

    Anyone know a way of preventing users from using inner identity in ClearPass?

    In this case a user brings a device in, connects to the 802.1x network and places a valid username in the username field (let's say the CIO of the company's AD username). In the inner identity they use their real username, and the password is the password associated with the real username. ClearPass will authenticate with Active Directory and then pass, so it will use the CIO's username to pull authorization details from Active Directory.

    Easily done on android but can also be done using iOS.

    Anyone else seen this?

    Below are screen shots on how to configure iOS.

    SSID-1.png

    WIFI-SETUP-2.png



  • 2.  RE: Inner and outer identity 802.1x

    Posted Jan 16, 2014 11:10 PM

    I'm not sure why you would like to prevent user credentials being sent in the inner tunnel of 802.1x.

    Inner tunnel is completely secure and can never be seen by anyone sniffing the traffic if you are using a secure algorithm like WPA2-AES. Outer identity can be configured as anonymous. This is similar to users authenticating over a VPN link.



  • 3.  RE: Inner and outer identity 802.1x

    Posted Jan 17, 2014 07:43 AM

    I'm not 100% on what is the inner and what ID is the outer, but I have an Android and I select our network (802.1x), phase 2 auth (MSCHAPV2); under username I place the username that I want to show up in Access Tracker (this is the ID that ClearPass will look up to perform any authorization details on); under anonymous ID I put my real ID, and password is the password that is associated with my real ID. Once authentication is passed my device will receive the policy from the username (the CIO's access). Under the controller the username is the real ID, and under the logs for that session it shows it querying AD using the real ID. (Authentication succeeds)

    It's not that I want to stop it; I just need a way for ClearPass to verify that they are the same, or I need ClearPass to perform authorization details on the real ID and not that username.



  • 4.  RE: Inner and outer identity 802.1x

    EMPLOYEE
    Posted Jan 17, 2014 09:07 AM

    Sdr,

    In the server configuration, you should enable the parameter "Use Inner ID in Access Accept Reply" (CPPM 6.2 and above)

    inner.PNG



  • 5.  RE: Inner and outer identity 802.1x

    Posted Jan 17, 2014 11:50 AM
    Yes, I have that, and we tried changing that to true, but all that did was change what username shows up in the controller.


  • 6.  RE: Inner and outer identity 802.1x

    Posted Feb 10, 2014 02:18 PM

    I have run into this problem as well; however, it appears ClearPass is pulling LDAP attributes for the outer identity, and then role derivation is using those LDAP memberOf attributes, allowing users to gain elevated roles. We have only seen this issue in testing, but it does appear to be a real issue.



  • 7.  RE: Inner and outer identity 802.1x

    EMPLOYEE
    Posted Feb 10, 2014 02:44 PM
    What version of CPPM are you using?


  • 8.  RE: Inner and outer identity 802.1x

    Posted Feb 10, 2014 02:46 PM

    6.2.2.56621



  • 9.  RE: Inner and outer identity 802.1x

    EMPLOYEE
    Posted Feb 10, 2014 02:47 PM
    I'm waiting on confirmation, but I believe that has been addressed in 6.3


  • 10.  RE: Inner and outer identity 802.1x

    MVP
    Posted Aug 01, 2017 09:03 AM

    I am currently testing EAP-TLS with Onboard. OS X prompts you for an outer identity.

    CPPM 6.6.5 still seems to use the outer identity for authorization even with the Inner Identity server setting set to True.

    How do we plug this major security hole for EAP-TLS & CPPM?



  • 11.  RE: Inner and outer identity 802.1x

    EMPLOYEE
    Posted Aug 01, 2017 09:37 AM

    Bruce - there is no "security hole" in ClearPass. EAP-TLS really doesn't have a concept of outer and inner method as it's not a tunneled EAP method. macOS allows you to manually set the username instead of automatically pulling it from the certificate (the default behavior).

    To reject authentications where the username does not match the contents of the certificate, simply configure your EAP-TLS method to use certificate comparison.

    Screen Shot 2017-08-01 at 9.25.40 AM.png

    Username entered as optional Account Name in macOS

    Screen Shot 2017-08-01 at 9.27.39 AM.png

    Username in the certificate

    Screen Shot 2017-08-01 at 9.27.26 AM.png

    Rejected

    Screen Shot 2017-08-01 at 9.27.51 AM.png
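The check discussed in posts 6 and 11, as an added example that is not ClearPass code or part of the original thread: for a tunneled method (PEAP) the identity proven in the inner tunnel must drive authorization, and for EAP-TLS the username the supplicant supplies must match the certificate subject. The records below are constructed Access Tracker style data, and the field names are assumptions.

```python
# Added example, not ClearPass code. Models the authorization-identity check
# this thread is about: authorization must be based on the identity that was
# actually authenticated, never on a supplicant-supplied outer username.
import re

RECORDS = [  # constructed, access-tracker style records; field names assumed
    {"method": "EAP-PEAP", "outer": "cio@corp.example", "inner": "bob@corp.example",
     "authz_identity": "cio@corp.example"},            # the problem from post 1
    {"method": "EAP-PEAP", "outer": "anonymous", "inner": "bob@corp.example",
     "authz_identity": "bob@corp.example"},            # correct: inner ID used
    {"method": "EAP-TLS", "outer": "cio@corp.example", "inner": None,
     "cert_subject": "CN=bob@corp.example,OU=Onboard,O=Example",
     "authz_identity": "cio@corp.example"},            # macOS-typed name used
    {"method": "EAP-TLS", "outer": "bob@corp.example", "inner": None,
     "cert_subject": "CN=bob@corp.example,OU=Onboard,O=Example",
     "authz_identity": "bob@corp.example"},            # certificate comparison ok
]


def cert_identity(subject):
    """Pull the CN out of an RFC 4514 style subject string (lower-cased)."""
    m = re.search(r"(?:^|,)CN=([^,]+)", subject)
    return m.group(1).strip().lower() if m else None


def authenticated_identity(rec):
    """The identity that was actually proven: the inner username for a
    tunneled method, the certificate subject for EAP-TLS."""
    if rec["method"] == "EAP-TLS":
        return cert_identity(rec["cert_subject"])
    return (rec["inner"] or "").lower()


def check_record(rec):
    """Return None when authorization used the proven identity, else a finding."""
    proven = authenticated_identity(rec)
    if rec["authz_identity"].lower() != proven:
        return (f"{rec['method']}: authorization used '{rec['authz_identity']}' "
                f"but the authenticated identity is '{proven}'")
    return None


def audit(records):
    """Findings for every record whose authorization identity was not proven."""
    return [f for f in (check_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(finding)
```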



  • 12.  RE: Inner and outer identity 802.1x

    MVP
    Posted Aug 01, 2017 09:41 AM

    Thanks for the explanation, Tim.

    Is there any way to get CPPM to ignore the outer identity and just use the certificate username? I am still learning TLS as we are testing for future deployment. We currently use PEAP-MSCHAPv2.

    EDIT: I see in your example you have OCSP enabled, which makes a request for every authentication. Is there any way to just use CRL, which is cached with a limited lifetime? That should be more efficient.

    Thanks again,



  • 13.  RE: Inner and outer identity 802.1x

    EMPLOYEE
    Posted Aug 01, 2017 09:45 AM

    There is no outer identity. When you enter the username in macOS, it's overriding the username in the request. When ClearPass is used for Onboarding, an end user should never be prompted to enter a username in the supplicant, as the wireless configuration is installed as part of the process.



  • 14.  RE: Inner and outer identity 802.1x

    MVP
    Posted Aug 01, 2017 09:50 AM

    OK, we are currently evaluating 3 onboarding vendors for PEAP-MSCHAPv2 & EAP-TLS.

    When using Onboard I am prompted to select the certificate & identity when connecting on OS X. I am working with a TAC engineer due to other onboarding issues.

    Thanks for clarifying this. I guess there is no way to ignore the entered username & just use the certificate.



  • 15.  RE: Inner and outer identity 802.1x

    EMPLOYEE
    Posted Aug 01, 2017 09:52 AM

    Post-Onboard, you should not be prompted for anything. Something is misconfigured.



  • 16.  RE: Inner and outer identity 802.1x

    MVP
    Posted Aug 01, 2017 09:55 AM

    Thanks, Tim.

    I will add you to my email chain with TAC.



  • 17.  RE: Inner and outer identity 802.1x

    Posted Feb 10, 2014 05:22 PM
    Yes, I have removed EAP-TLS as an authentication type to fix it, but if we ever use certificates we'll need the fix.