Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Inner and outer identity 802.1x


Anyone know a way of preventing users from using the inner identity in ClearPass?

In this case a user brings a device in, connects to the 802.1x network and places a valid username in the username field (let's say the CIO of the company's AD username). In the inner identity they use their real username, and the password is the password associated with the real username. ClearPass will authenticate with Active Directory and the authentication will pass, so it will use the CIO's username to pull authorization details from Active Directory.

Easily done on android but can also be done using iOS.

Anyone else seen this?

 

Below are screen shots on how to configure iOS.

 

SSID-1.png

WIFI-SETUP-2.png

Aruba Employee
Posts: 49
Registered: ‎12-28-2012

Re: Inner and outer identity 802.1x

I'm not sure why you would like to prevent user credentials being sent in the inner tunnel of 802.1x.

 

The inner tunnel is completely secure and can never be seen by anyone sniffing the traffic if you are using a secure algorithm like WPA2-AES. The outer identity can be configured as anonymous. This is similar to users authenticating over a VPN link.

Thanks,
Abilash (ACCP, CWSP, CWAP, CWDP)
(Above answer is based on my knowledge and NOT an official statement from Aruba)
[Hit Kudos if my reply helps. ]
Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Inner and outer identity 802.1x

I'm not 100% on what is the inner and what ID is the outer, but I have an Android and I select our network (802.1x), phase 2 auth (MSCHAPV2); under username I place the username that I want to show up in Access Tracker (this is the ID that ClearPass will look up to perform any authorization details on); under anonymous ID I put my real ID, and password is the password that is associated with my real ID. Once authentication is passed my device will receive the policy from the username (the CIO's access). Under the controller the username is the real ID. And under the logs for that session it shows it querying AD using the real ID. (Authentication succeeds.)

 

It's not that I want to stop it; I just need a way for ClearPass to verify that they are the same, or I need ClearPass to perform authorization on the real ID and not that username.

Guru Elite
Posts: 20,576
Registered: ‎03-29-2007

Re: Inner and outer identity 802.1x

Sdr,

 

In the server configuration, you should enable the parameter "Use Inner ID in Access Accept Reply" (CPPM 6.2 and above).

 

inner.PNG



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Inner and outer identity 802.1x

Yes, I have that, and we tried changing that to true, but all that did was change what username shows up in the controller.
Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: Inner and outer identity 802.1x

I have run into this problem as well; however, it appears ClearPass is pulling LDAP attributes for the outer identity, and then role derivation is using those LDAP memberOf attributes, allowing users to gain elevated roles. We have only seen this issue in testing, but it does appear to be a real issue.
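The scenario the original poster describes (a valid outer identity paired with someone else's credentials in the tunnel) and the role-derivation behaviour described in the post above come down to one question: which identity the policy engine feeds to the directory lookup. The following is an added example, not ClearPass code or anything from Aruba; the directory contents, group DNs, role rules and sessions are constructed stand-ins. It models a PEAP/EAP-MSCHAPv2 session, shows the weak behaviour (authorize on the outer identity) next to the corrected one (authorize on the authenticated inner identity), and adds an audit check that flags sessions whose outer identity is neither anonymous nor the user who actually authenticated.

```python
"""Inner vs. outer identity as the authorization source for a PEAP session.

Added example only; not ClearPass code. Everything below (directory,
group DNs, role rules, session records) is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed stand-in for AD/LDAP: sAMAccountName -> memberOf values.
DIRECTORY = {
    "cio":  ["CN=Executives,OU=Groups,DC=corp,DC=example",
             "CN=Domain Users,CN=Users,DC=corp,DC=example"],
    "jdoe": ["CN=Domain Users,CN=Users,DC=corp,DC=example"],
}

# Constructed role-derivation rules, evaluated top to bottom, first match wins.
ROLE_RULES = [
    ("CN=Executives,OU=Groups,DC=corp,DC=example", "Executive-Full-Access"),
    ("CN=Domain Users,CN=Users,DC=corp,DC=example", "Employee"),
]


@dataclass(frozen=True)
class EapSession:
    outer_identity: str   # EAP-Response/Identity, sent in the clear
    inner_identity: str   # username authenticated inside the TLS tunnel (MSCHAPv2)
    inner_auth_ok: bool   # result of the inner authentication against the directory


def normalize_identity(identity: str) -> str:
    """Strip realm decoration so 'CORP\\jdoe', 'jdoe@corp.example' and 'jdoe' compare equal."""
    ident = identity.strip()
    if "\\" in ident:               # NetBIOS style: DOMAIN\user
        ident = ident.split("\\", 1)[1]
    if "@" in ident:                # UPN / NAI style: user@realm
        ident = ident.split("@", 1)[0]
    return ident.lower()


def is_anonymous(identity: str) -> bool:
    """Outer identities such as 'anonymous' or 'anonymous@realm' carry no user claim."""
    return normalize_identity(identity) in ("", "anonymous")


def derive_role(username: str) -> str:
    """Look the user up in the directory and apply the role rules to its memberOf values."""
    groups = DIRECTORY.get(normalize_identity(username), [])
    for group_dn, role in ROLE_RULES:
        if group_dn in groups:
            return role
    return "Guest"


def authorize_outer(session: EapSession):
    """Weak behaviour: password checked for the inner user, role derived from the outer name."""
    if not session.inner_auth_ok:
        return None
    return derive_role(session.outer_identity)


def authorize_inner(session: EapSession):
    """Corrected behaviour: role derived from the identity that actually authenticated."""
    if not session.inner_auth_ok:
        return None
    return derive_role(session.inner_identity)


def identity_mismatch(session: EapSession) -> bool:
    """True when the outer identity names a user other than the one who authenticated."""
    if is_anonymous(session.outer_identity):
        return False
    return normalize_identity(session.outer_identity) != normalize_identity(session.inner_identity)


def audit(sessions):
    """Return (outer, inner) pairs worth reviewing in the authentication logs."""
    return [(s.outer_identity, s.inner_identity) for s in sessions if identity_mismatch(s)]


if __name__ == "__main__":
    # Constructed sessions: one abusing the outer identity, one well-behaved, one anonymous.
    suspicious = EapSession("cio", "CORP\\jdoe", True)
    honest = EapSession("jdoe@corp.example", "jdoe", True)
    anon = EapSession("anonymous@corp.example", "jdoe", True)
    for s in (suspicious, honest, anon):
        print(s.outer_identity, "->", authorize_outer(s), "vs", authorize_inner(s),
              "mismatch" if identity_mismatch(s) else "ok")
```

The audit function is the detection side of the same problem: with the inner identity used for authorization, a mismatched outer identity no longer grants anything, but a non-anonymous outer identity that names a different account is still a useful signal in the logs, since a correctly configured supplicant sends either the real username or an anonymous placeholder.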

 

 

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Inner and outer identity 802.1x

What version of CPPM are you using?
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor II
Posts: 120
Registered: ‎10-31-2012

Re: Inner and outer identity 802.1x

6.2.2.56621

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: Inner and outer identity 802.1x

I'm waiting on confirmation, but I believe that has been addressed in 6.3.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Inner and outer identity 802.1x

Yes, I have removed EAP-TLS as an authentication type to fix it, but if we ever use certificates we'll need the fix.