Occasional Contributor I
Posts: 7
Registered: ‎08-30-2013

TPM-based attestation with ClearPass

Hi,

A potential ClearPass customer requires endpoint authentication/verification using TPM-based attestation.

Has anybody looked at this or has any ideas on how to approach it?

I am thinking that there might be a way using a 3rd party service that can do the TPM-based attestation as an additional authentication/authorisation source in CPPM if there isn't a way to do it directly with ClearPass.

Regards

Ronnie

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: TPM-based attestation with ClearPass

What sort of information is the TPM module sending to ClearPass? If these are Remote APs, then we can authorize to CPPM for a centralized RAP whitelist. Is this what your customer was alluding to?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Occasional Contributor I
Posts: 7
Registered: ‎08-30-2013

Re: TPM-based attestation with ClearPass

Hi Seth,

Should probably have defined "endpoints".

Customer is referring to laptops and desktops that have TPM on the motherboards and the objective is to be able to detect "perfect" clones which would be identical in all respects, including MAC address, with the exception of the cryptographic stuff in the TPM.

The exact wording:

"One of these involved the need for NAC to identify a cloned workstation using unique hardware properties such as TPM as part of the security posture assessment."

Without a way to address this, ClearPass does not get on the short list, implying at least one of the competitors can.

Regards

Ronnie

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: TPM-based attestation with ClearPass

As long as we can get something consistent about the context of these devices, this shouldn't be an issue.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Occasional Contributor I
Posts: 7
Registered: ‎08-30-2013

Re: TPM-based attestation with ClearPass

Hi Seth,

Nice statement, but how?

How do we query the "TPM" or "Something that talks to TPM" from ClearPass?

It seems that Aruba thinks it is unimportant but Google (and DuckDuckGo) reveals NSA HAC (High Assurance Computing) and other hits, some EDU. Why is this being ignored when it seems to be the logical next step?

Regards

Ronnie

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: TPM-based attestation with ClearPass

I am not a TPM expert per se, but I did some digging and ClearPass is a solution (RADIUS) that accepts authentication requests from an endpoint. That endpoint has to have a supplicant, either built into the OS or an external app, that can utilize the TPM functionality. From what I gathered, using a TLS certificate stored in the TPM is how this is done with EAP-TLS via machine authentication. ClearPass can understand this and you can write policy based on information housed within this cert.

However, your original question is about attestation, which differs from authentication as noted below. So, any theory about an authorization source may or may not be feasible depending on requirements.

Attestation:

  • Providing evidence about a target to an appraiser
  • Used for predicting future target behavior

Authentication:

  • Identification of a machine or user
  • Usually, another partner in a protocol

I would advise talking directly with your Aruba representative locally in your area to have a productive conversation about solving this use case.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
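The mechanism behind Seth's EAP-TLS point, as an added example that is not code from this thread, from Aruba or from ClearPass: the private key of the machine certificate never leaves the TPM, so a "perfect" clone that copies the MAC (and even the certificate) cannot answer a challenge with it. A software-generated ECDSA key stands in for the TPM-resident key, a map stands in for the NAC's enrollment record, and all names and the sample MAC are constructed; this illustrates authentication (proof of possession), not attestation in the sense Seth distinguishes above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Endpoint models a workstation; its private key stands in for a non-exportable
// TPM key (assumption: the key behind the EAP-TLS machine certificate).
type Endpoint struct{ MAC string; key *ecdsa.PrivateKey }
// Registry stands in for the NAC side's enrollment record: claimed MAC -> public key.
type Registry map[string]*ecdsa.PublicKey
// NewEndpoint provisions a fresh TPM-style key; Enroll records its public half.
func NewEndpoint(mac string) *Endpoint {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Endpoint{MAC: mac, key: k}
}
func (r Registry) Enroll(e *Endpoint) { r[e.MAC] = &e.key.PublicKey }

// Respond signs a server challenge with the TPM-held key; a clone that copied
// the MAC (and even the certificate) but not the key cannot produce a valid one.
func (e *Endpoint) Respond(nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, e.key, h[:])
	if err != nil { panic(err) }
	return sig
}

// Verify checks the response against the key enrolled for the claimed MAC.
func (r Registry) Verify(mac string, nonce, sig []byte) bool {
	pub, ok := r[mac]
	if !ok { return false }
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	reg, genuine := Registry{}, NewEndpoint("00:11:22:33:44:55") // constructed MAC
	reg.Enroll(genuine)
	clone := NewEndpoint(genuine.MAC) // identical MAC, different TPM key
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per-authentication challenge, never reused
	fmt.Println("genuine accepted:", reg.Verify(genuine.MAC, nonce, genuine.Respond(nonce)))
	fmt.Println("clone accepted:", reg.Verify(clone.MAC, nonce, clone.Respond(nonce)))
}
```

Because the server draws a new nonce each time, a captured response from the genuine machine is also useless to the clone on a later authentication.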