MVP
Posts: 740
Registered: ‎04-13-2009

OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

Hi All,

 

Can someone briefly explain to me how this works?

 

OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

 

On the ClearPass access tracker VPN authentications always have a posture as unknown, even when the client shows health status as healthy and directly after a successful health check.

 

Is this happening due to the Via client's MAC address showing as 00:00:00:00:00:00 (as per the outstanding bug)?

 

Cheers

James

 

 


-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP
Posts: 740
Registered: ‎04-13-2009

Re: OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

Bump.

 

I'm not sure what would link the authenticated client to the health check other than the MAC address, but as it's all zeros... How would this work?

Cheers
James

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

Sorry for the delay. When using OnGuard with VPN, you need to do Health Checks with Authentication.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 740
Registered: ‎04-13-2009

Re: OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

Hi Tim,

 

Thanks for the reply. I'm authenticating using a TLS machine certificate (no authorization) and doing domain pre-connect. In this scenario, if I enabled health check with auth, would it work or would I also need to enable authorization on my EAP-TLS authentication method?

 

Reason for asking is, in my scenario, using health check with authentication would mean CPPM would see 2 authentication requests. 1 would be from the machine for VPN auth and the other from the user for health check auth. Would CPPM know the health check authentication was from the same device as the machine based TLS auth?

 

Cheers

James

MVP
Posts: 740
Registered: ‎04-13-2009

Re: OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

Just to add a bit more detail.

Here's a successful healthy posture.

via healthy.jpg

 

Immediately (9 seconds later) followed by my Via authentication:

via unknown.jpg

So my posture was healthy, then it was unknown.

 

I have cached roles and posture enabled.

via cached.jpg

 

 

Cheers
James

MVP
Posts: 740
Registered: ‎04-13-2009

Re: OnGuard VPN (EAP-TLS Machine Cert Auth) with Health Checks (no Auth)

FYI this configuration is not supported.

 

The username in the certificate needs to match the username in the health check, so only a user certificate will work with health checks with authentication.

 

Currently, machine-based certificates don't work with health checking.

Cheers
James
