Contributor II
Posts: 42
Registered: 05-06-2013

PEAP with the inner method being EAP-TLS

Hi,

Probably a stupid question (hopefully not) but I'll ask anyhow. :smileyembarrassed:

Usually we use PEAP with MSCHAPv2 as the inner method, and it is easy to set up on AOS and CPPM, but we have a customer that wants to use EAP-TLS as the inner method.

As a test we have set up the service on CPPM as normal but set the inner method to EAP-TLS and installed a user cert from the AD's CA server (Win 2008 Enterprise edition), but authentication fails with "user not found" in the Access Tracker.

The question I have is: does the CPPM need to have anything other than its own cert issued by the AD's CA and, obviously, the CA's root certificate?

The wireless client's supplicant (Intel PROSet in this instance) is set up to use a user cert (TLS) instead of MSCHAP.

Regards

Andy

Guru Elite
Posts: 20,815
Registered: 03-29-2007

Re: PEAP with the inner method being EAP-TLS

[ Edited ]

alow wrote: [quotes the original post above]

Ultimately, you will need to find the proper RADIUS server/supplicant combination that will support whatever you want to do. This might not be a combination supported by your RADIUS server and supplicant: http://wiki.freeradius.org/protocol/EAP-PEAP#PEAP-EAP-TLS

Lastly, if this is an enterprise deployment, I would not use the Intel PROSet supplicant, because managing your endpoints would require yet another level of software that needs to be changed/configured on the client. Use the Microsoft native supplicant and manage it with Group Policy, if possible.

Colin Joseph
Aruba Customer Engineering

Aruba
Posts: 1,643
Registered: 04-13-2009

Re: PEAP with the inner method being EAP-TLS

[ Edited ]

There are a couple of options for authenticating using TLS. First, you need to verify which one you are using from the client side and what exactly you want to do. Most common deployments using certificate authentication use EAP-TLS.

Can you please share an export of the Access Tracker event?

Also, if you use any form of TLS as an authentication method, verify what the Certificate Comparison field is set to.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 42
Registered: 05-06-2013

Re: PEAP with the inner method being EAP-TLS

Strange, as ClearPass lists the inner method as EAP-TLS under the computed attributes of the Access Tracker.

I'll try it again using the Windows supplicant to see if it does anything different.

Otherwise the customer will have to live without TLS as the inner method.

Thanks

Andy

Contributor II
Posts: 42
Registered: 05-06-2013

Re: PEAP with the inner method being EAP-TLS

Hi Clembo,

The client does have a user cert, which was obtained via the CA's web enrolment portal.

Some screenshots from the Access Tracker:

[attachments: tracker1.JPG, tracker2.JPG, tracker3.JPG, inner.jpeg]

Aruba
Posts: 1,643
Registered: 04-13-2009

Re: PEAP with the inner method being EAP-TLS

[ Edited ]

When you choose an inner method (EAP-TLS in this case) it uses an existing Authentication Method that is defined on CPPM. Open up the [EAP TLS] authentication method that is defined under Authentication/Methods. Check to see if authorization is checked and if it is set to compare the certificate.

[attachment: cppm-tls-cert-compare.jpg]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 447
Registered: 11-04-2011

Re: PEAP with the inner method being EAP-TLS

You may need to strip your username.

Following the Access Tracker, the certificate contains the username 808@home.local; the username in AD is 808, and when the full name is sent AD will not recognize it.

In your service, on the Authentication tab, there is the option to strip the @home.local from the username before it is validated in AD; see the screenshot in the attachment.

PEAP-TLS (outer PEAP, inner TLS) is possible, and is one of the ways to permit Microsoft NAP combined with client certificates. NAP requires a PEAP outer tunnel.

 

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.

Contributor II
Posts: 42
Registered: 05-06-2013

Re: PEAP with the inner method being EAP-TLS

Hi Herman,

I will try that.

Regards

Andrew

Contributor II
Posts: 42
Registered: 05-06-2013

Re: PEAP with the inner method being EAP-TLS

Hi,

Removing the @domain seems to have sorted it, but it only seems to work with the Intel supplicant, not the Windows supplicant.

I did also reinstall my CA, as I managed to break it so badly while fiddling with NDES that it now BSODs permanently. The old CA was 2008 and the new one is 2008 R2 (both Enterprise edition); I don't know if that makes any difference.

MVP
Posts: 447
Registered: 11-04-2011

Re: PEAP with the inner method being EAP-TLS

This should work with the Windows supplicant as well, but it might be that the Windows supplicant uses DOMAIN\user instead of user@domain; you can also strip that format by changing the strip parameters to:

user:@,\:user

Also, check in the Access Tracker the exact format of the username sent by your supplicant and make sure you strip it to only the username before sending it to AD.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
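The username-stripping step Herman describes, and the certificate-to-identity comparison Clembo points at, worked through as an added example. This is not code from the thread or from ClearPass; it models what the two settings do so you can see why 808@home.local, HOME\808 and 808 must all collapse to the same account name before the AD lookup. My reading of the rule syntax (in `user:@,\:user`, `user:<sep>` keeps the part before the separator and `<sep>:user` keeps the part after it) is an assumption taken from the thread, and the identities and certificate fields below are constructed samples.

```python
"""Model of a RADIUS server's strip-username rules and of the
'compare certificate to identity' authorization check.

Added example, not ClearPass code. Rule syntax assumed from the thread:
  user:<sep>  -> username is the part BEFORE <sep>   (e.g. user:@)
  <sep>:user  -> username is the part AFTER  <sep>   (e.g. \\:user)
Rules are comma separated and applied left to right.
"""
from typing import Dict, List, Tuple

DEFAULT_RULES = "user:@,\\:user"   # the rule string quoted in the thread


def parse_strip_rules(rule_string: str) -> List[Tuple[str, str]]:
    """Return [(side, separator)], side being 'before' or 'after'."""
    rules: List[Tuple[str, str]] = []
    for raw in rule_string.split(","):
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("user:") and len(raw) > len("user:"):
            rules.append(("before", raw[len("user:"):]))
        elif raw.endswith(":user") and len(raw) > len(":user"):
            rules.append(("after", raw[:-len(":user")]))
        else:
            raise ValueError(f"unrecognised strip rule: {raw!r}")
    return rules


def strip_username(identity: str, rule_string: str = DEFAULT_RULES) -> str:
    """Reduce a supplicant identity to the bare account name.

    '808@home.local' -> '808', 'HOME\\808' -> '808', '808' -> '808'.
    A separator that is absent simply leaves the name unchanged, so the
    same rule string is safe for supplicants that send either format.
    """
    name = identity.strip()
    for side, sep in parse_strip_rules(rule_string):
        if sep not in name:
            continue
        if side == "before":
            name = name.split(sep, 1)[0]    # keep text before '@'
        else:
            name = name.rsplit(sep, 1)[1]   # keep text after '\'
    return name


def cert_identity_matches(identity: str,
                          cert_names: Dict[str, str],
                          rule_string: str = DEFAULT_RULES) -> bool:
    """Model of the EAP-TLS 'compare certificate' authorization step.

    The (stripped) EAP identity must equal the (stripped) subject CN or
    UPN SAN carried in the client certificate; otherwise a user could
    present a valid cert for one account while claiming another identity.
    Comparison is case-insensitive, as AD account names are.
    """
    stripped = strip_username(identity, rule_string).lower()
    candidates = {strip_username(v, rule_string).lower()
                  for v in cert_names.values() if v}
    return stripped in candidates


if __name__ == "__main__":
    # Constructed sample: the cert from the thread's Access Tracker screenshots
    # carried 808@home.local; the AD account is plain 808.
    sample_cert = {"CN": "808", "UPN": "808@home.local"}
    for ident in ("808@home.local", "HOME\\808", "808", "809@home.local"):
        print(f"{ident:16} -> {strip_username(ident):4} "
              f"cert match: {cert_identity_matches(ident, sample_cert)}")
```

Run it as a script to see each identity format reduced to the bare account name and checked against the constructed certificate; only `809@home.local` fails the comparison. The practical check it illustrates is the one Herman gives: read the exact identity string out of the Access Tracker first, then write rules that cover every format your supplicants actually send, because a rule that only handles `@` will still pass `DOMAIN\user` through to AD untouched.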