Occasional Contributor II
Posts: 18
Registered: 08-29-2014

OnBoard Default Auth Types

What is the reasoning behind OnBoard by default using PEAP without Fast Reconnect?

Carson Hulcher
@carson_hulcher | ACDX 512 | ACCX 583 | ACMP

Guru Elite
Posts: 8,761
Registered: 09-08-2010

Re: OnBoard Default Auth Types

Onboard should default to EAP-TLS, not PEAP.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: 08-29-2014

Re: OnBoard Default Auth Types

Yes, the wizard creates a service with the first Auth Type as EAP-TLS with OCSP.  The second is PEAP without fast reconnect enabled.

Why PEAP without fast reconnect rather than with?

Carson Hulcher
@carson_hulcher | ACDX 512 | ACCX 583 | ACMP

Aruba
Posts: 1,548
Registered: 06-12-2012

Re: OnBoard Default Auth Types

Fast connect is considered a security hole by most security teams, so the decision was made to default with it disabled.

Thank You,
Troy

Occasional Contributor II
Posts: 18
Registered: 08-29-2014

Re: OnBoard Default Auth Types

Interesting.  Do you by chance have any examples of this documented anywhere?  My Google fu is failing me on this subject.

My understanding of the fast reconnect feature is that it is there to provide quicker authentication when roaming from NAD to NAD when properly configured against the same NAS.  If the environment is all Aruba mobility controllers, does fast reconnect even provide a benefit?

Carson Hulcher
@carson_hulcher | ACDX 512 | ACCX 583 | ACMP

Guru Elite
Posts: 8,761
Registered: 09-08-2010

Re: OnBoard Default Auth Types

11r is the suitable secure replacement.

Are you having issues in your deployment without fast reconnect?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: 08-29-2014

Re: OnBoard Default Auth Types

No, just trying to understand why CPPM creates the service the way it does. The documentation and associated comments on this subject appear to be nil.

Carson Hulcher
@carson_hulcher | ACDX 512 | ACCX 583 | ACMP

Guru Elite
Posts: 8,761
Registered: 09-08-2010

Re: OnBoard Default Auth Types

It's not a ClearPass feature so you likely won't find any documentation on it. You can find a complete explanation of PEAP and related features on TechNet.

Also keep in mind that the Onboard service generated by the wizard is designed for single-SSID onboarding, so PEAP would only be used for the first authentication and Fast Connect would never be used anyway.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 18
Registered: 08-29-2014

Re: OnBoard Default Auth Types

Yes, I know that PEAP is Microsoft but that wasn't the documentation I was referring to.  I'm just trying to find something on why CPPM wizards set some of the options like they do.

PEAP would be first authentication for devices destined for OnBoard but the customer might not be interested in buying OnBoard licenses for every device they have on the network.

Carson Hulcher
@carson_hulcher | ACDX 512 | ACCX 583 | ACMP