Occasional Contributor II
Posts: 19
Registered: ‎08-24-2011

QuickConnect Client can be Transferred between workstations with Authentication Information

QuickConnect Client can be downloaded to a client machine after successful Web Auth, but if a client copies this one file, they can run it on any workstation and it provides them with full internal access on any machine. It seems like the whole TLS cert and/or AAA info is being saved and can be run from anywhere.

Any suggestions on how to prevent this from occurring?

Occasional Contributor II
Posts: 19
Registered: ‎08-24-2011

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

Does anyone have any ideas how to resolve this issue?
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

Can you please share your enforcement policy?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

Mslan,

What OS is this? Like Vfabien is alluding to, the MAC address of the client could be installed into the certificate, and that can be checked against the Calling-Station-Id of the host machine during EAP-TLS authentication to stop this.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
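The check described in the reply above, as an added illustration that is not part of the thread and not ClearPass code: assume the MAC addresses have already been extracted from the onboarded device certificate into a list (the constructed CERT_MACS below), and compare them against the Calling-Station-Id the NAS sends. The sample RADIUS requests, the helper names and the two-NIC laptop are all constructed for the example; the formats of Calling-Station-Id vary by NAS vendor, so the comparison normalizes both sides first and fails closed when no usable MAC is present.

```python
import re

# Constructed sample (not from the thread): the wired and wireless MACs that an
# onboarded laptop's device certificate could carry, already extracted from the cert.
CERT_MACS = ["00-24-D7-AA-BB-CC", "00-24-D7-11-22-33"]

# Constructed RADIUS requests as different NAS types might send Calling-Station-Id.
SAMPLE_REQUESTS = [
    {"user": "laptop01", "calling_station_id": "0024d7aabbcc"},       # wired NIC, bare hex
    {"user": "laptop01", "calling_station_id": "00:24:D7:11:22:33"},  # wireless NIC, colons
    {"user": "laptop01", "calling_station_id": "00-11-22-33-44-55"},  # copied bundle run on another PC
    {"user": "laptop01", "calling_station_id": "10.1.2.3"},           # NAS sent an IP, no MAC
]


def normalize_mac(value):
    """Reduce any common MAC spelling (hyphens, colons, dots, bare hex) to
    12 lowercase hex digits. Returns None for anything that is not a MAC."""
    if value is None:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    # Reject if the length is wrong or the input held characters other than
    # hex digits and the usual separators (e.g. an IP address or junk).
    if len(digits) != 12 or re.sub(r"[-:. ]", "", value) != digits:
        return None
    return digits.lower()


def cert_mac_set(cert_macs):
    """Normalized set of MACs bound into the certificate."""
    return {m for m in (normalize_mac(x) for x in cert_macs) if m}


def calling_station_matches_cert(calling_station_id, cert_macs):
    """True only if the NAS-reported MAC is one of the MACs in the cert.
    Fails closed: if the attribute does not carry a MAC, the binding cannot
    be verified and the request is treated as not matching."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    return mac in cert_mac_set(cert_macs)


def enforce(request, cert_macs):
    """Enforcement verdict for one EAP-TLS request whose certificate chain has
    already been validated; this step only adds the MAC binding check."""
    ok = calling_station_matches_cert(request["calling_station_id"], cert_macs)
    return "ACCEPT" if ok else "REJECT"


def decide_all(requests=SAMPLE_REQUESTS, cert_macs=CERT_MACS):
    """Run the binding check over every sample request."""
    return [enforce(r, cert_macs) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, decide_all()):
        print(f"{req['calling_station_id']:>20} -> {verdict}")
```

Only the two requests whose Calling-Station-Id matches a MAC in the certificate are accepted; the copied bundle presenting a valid certificate from a different MAC is rejected, and so is the request where the NAS supplied an IP address instead of a MAC. One caveat a practitioner should keep in mind: binding the certificate to a MAC stops casual copying of the exported client to another workstation, but a MAC address can be changed by someone who knows the original, so the check raises the bar rather than making the credential non-transferable.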

Occasional Contributor II
Posts: 19
Registered: ‎08-24-2011

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

I have attached screenshots of the three services regarding OnBoard. The Provisioning service shows the authentication and enforcement policy/profile. The Pre-Auth and Auth services show the authentication, and both have "accept" as the enforcement profile.

And the OS this is happening on is Windows, both 7 and 8.

Occasional Contributor II
Posts: 19
Registered: ‎08-24-2011

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

Where can I set the "calling-station-id" attribute to be recorded and pushed down with the cert, then checked against upon TLS Authentication?

Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

It should be done automatically. Look in the Access Tracker for a Windows onboarded device that authenticates via EAP-TLS and see if you see mdpsmacaddress as a RADIUS attribute.
Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 19
Registered: ‎08-24-2011

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

Radius:IETF:Calling-Station-Id    0024d7xxxxxx
Radius:IETF:Calling-Station-Id    0024d7xxxxxx

I do see the attribute in the Access Tracker, as shown above. But how can I restrict the QuickConnect Client from being run on another machine?

What would be the proper "Operator" to set for "Radius:IETF:Calling-Station-Id"? "Exists", or "Belongs to..."?

Guru Elite
Posts: 21,512
Registered: ‎03-29-2007

Re: QuickConnect Client can be Transferred between workstations with Authentication Information

Mslan,

Let me make sure we are talking about the same thing. I just onboarded a Windows computer, and when I look at the device certificate in Onboard, this is what I see. Below are the wired and wireless MAC addresses. Let me know if you see that in your certificate:

(screenshot: mac1.png)

When I authenticate, this is what I see in the Access Tracker under "Computed Attributes". Please let me know if you see that, as well.

(screenshot: cert2.png)

Colin Joseph
Aruba Customer Engineering
