11-09-2016 04:10 AM
I have been trying to set up our local authentication in a specific way, but have run into some problems. What we have is Clearpass as a RADIUS server and a couple of 7200 controllers, and what I am trying to accomplish is authentication using two different methods on the same SSID. Our standards state that we have to authenticate using EAP-TLS (e.g. certificates), and we have some certificates that are issued to users as part of the setup. As for local setup, nothing is stated in the global standards when it comes to pre-login authentication. Authenticating with the certificates works fine after login, and I am able to authenticate the users onto the network. The SSID, let's call it "Office", is now available to users with a certificate. However, the problem is that we would like to be able to authenticate the computer before login (so that users can connect to the wireless network and complete the initial login without having to use the wired network the first time). The computers are part of the domain, and by changing the settings for Office I am able to authenticate against AD, but then the certificate no longer works.
Are there any "practical" methods as to how we can accomplish this? We are spread over several countries, and we don't all have the same setup; however, users everywhere have a certificate issued with their username (which is not the one stored in our local AD), so this is what is used to authenticate. In essence, the user account has a certificate, but the computer account does not. The computer name is enrolled in our domain, so we can check it there for that part of the authentication, and we just check the certificate issuer of the user certificate against the local repository on the Clearpass, checking only that the issuer is the same.
Is there a bit of combined (controller/Clearpass) Aruba magic that could possibly make this setup work? We have access to pretty much the entire setup, although there are some restrictions, like the fact that the SSID is a global setup and therefore has some enforced settings, such as EAP-TLS authentication. We would like to avoid having a local CA to issue computer certificates, as part of the goal of this is specifically to avoid that.
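The two-stage flow the post describes (computer account checked against the domain before login, then a user EAP-TLS certificate checked against a trusted issuer after login) can be modelled as a per-client decision that remembers whether machine authentication already succeeded. The example below is an added illustration, not the poster's configuration and not Aruba's or ClearPass's own code: the domain computer list, trusted issuer list, MAC addresses, certificate fields and the role names are all constructed, and the cache semantics are a simplified stand-in for however a real RADIUS server tracks machine-authentication state. It shows the decision table a defender would want to enforce: machine-only access before login, full access only when a domain computer later presents a user certificate from a trusted issuer, restricted access for a trusted user certificate on a device that never passed machine authentication, and an expiry on the cached machine-auth state so a stale entry does not keep granting access.

```python
"""Toy model of combining machine authentication with user EAP-TLS on one SSID.

Hypothetical illustration only: the data below is constructed and the cache
logic approximates, rather than reproduces, any real RADIUS server's behaviour.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Union

# Constructed stand-in for the AD computer-account lookup ("$" suffix is the
# usual convention for machine accounts).
DOMAIN_COMPUTERS = {"LAPTOP-0042$", "DESK-0107$"}

# Constructed stand-in for the trusted issuer list kept on the RADIUS server.
TRUSTED_ISSUERS = {"CN=Corp Issuing CA 1,O=Example Corp"}


@dataclass(frozen=True)
class UserCert:
    """Minimal view of a user EAP-TLS certificate (constructed fields)."""
    subject: str
    issuer: str
    not_after: float  # expiry as epoch seconds


class MachineAuthCache:
    """Remembers, per client MAC, when machine authentication last succeeded."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._seen: Dict[str, float] = {}

    def record(self, mac: str, now: float) -> None:
        self._seen[mac] = now

    def is_valid(self, mac: str, now: float) -> bool:
        # Entries older than the TTL are treated as absent so a device that
        # passed machine auth long ago must re-authenticate as a machine.
        stamp = self._seen.get(mac)
        return stamp is not None and (now - stamp) <= self.ttl


def machine_auth(identity: str) -> bool:
    """Computer-account check: does this machine identity exist in the domain?"""
    return identity in DOMAIN_COMPUTERS


def user_auth(cert: UserCert, now: float) -> bool:
    """User EAP-TLS check: trusted issuer and not yet expired."""
    return cert.issuer in TRUSTED_ISSUERS and cert.not_after > now


Event = Union[Tuple[str, str], Tuple[str, UserCert]]


def decide(mac: str, event: Event, cache: MachineAuthCache, now: float) -> str:
    """Return the role to assign for one authentication event.

    Roles (constructed names):
      machine-only : domain computer before user login (enough for logon/GPO)
      full         : domain computer plus trusted user certificate
      user-only    : trusted user certificate on a device with no machine auth
      deny         : the presented credential failed its check
    """
    kind, credential = event
    if kind == "machine":
        if machine_auth(credential):
            cache.record(mac, now)
            return "machine-only"
        return "deny"
    if kind == "user":
        if not user_auth(credential, now):
            return "deny"
        return "full" if cache.is_valid(mac, now) else "user-only"
    raise ValueError(f"unknown event kind: {kind}")


if __name__ == "__main__":
    cache = MachineAuthCache(ttl_seconds=3600)
    cert = UserCert("CN=jdoe@example.com",
                    "CN=Corp Issuing CA 1,O=Example Corp", not_after=9_999_999.0)
    print(decide("aa:bb:cc:00:00:01", ("machine", "LAPTOP-0042$"), cache, 1000.0))
    print(decide("aa:bb:cc:00:00:01", ("user", cert), cache, 1500.0))
```

The "user-only" branch is the one worth thinking about for the poster's situation: a valid user certificate on a device that never passed machine authentication is exactly a personal or unmanaged device, so it should land in a restricted role rather than the same one as a domain computer. The TTL on the cache matters for the same reason; without it, one successful machine authentication would permanently upgrade every later user login from that MAC.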