last person joined: 10 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all


This thread has been viewed 17 times
  • 1.  EAP-TLS with NPS

    Posted Jul 05, 2021 12:09 PM
    HI Airheads,
    we have a customer with Aruba AP's and controllers (V8).
    They have NPS for a RADIUS server and they want to do EAP-TLS to NPS with NON-AD clients.
    I was wondering is there a way of authenticating clients with EAP-TLS that are not AD members?
    I know i have to consider revocation but just want to get EAP-TLS going to begin with.

    Pete Elms

  • 2.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 01:13 AM
    To have EAP-TLS authentication client should have certificate installed on his computer and it should be domain machine.

    As per my understanding eap-tls is not a recommended way to authenticate non domain users.

  • 3.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 03:45 AM
    I don't agree with that statement. EAP-TLS (or EAP-TEAP) should be used to authenticate all users (where feasible).

    Personally, I don't have this experience with NPS, but you can request a (user) certificate manually from your ADCS (or other CA) and install that on non-domain joined clients. In the real world, for somewhat larger than really small, you want to automate that process, in which case a MDM/EMM (Mobile Device Management) solution can help in getting the certs deployed automatically to devices that you can bring under its control. For non-managed devices, you could have a look at ClearPass Onboard to get the certificate requested and installed in a simple-to-follow procedure for the user.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

  • 4.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 04:17 AM
    hi Herman,
    thanks for getting back.
    i agree i think you should be able to do EAP-TLS with NON-AD clients.
    Also i am (for a test) using Clearpass on-board certificate authority to provide user certs for client testing.
    All the trusts are in place but NPS or the client appear to be stoping half-way through the process.
    I was wondering if (like you can in Clearpass) turn off authorization in NPS for the EAP-TLS service ?
    So that the authentication can be done on trust alone.

    Pete Elms

  • 5.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 08:54 AM
    On the enforcement service, make sure you update the EAP-TLS Authentication source to check the ClearPass OCSP. 

    If this will be a mix of AD and non-AD clients you can use the different Authorization sources as a differentiator in the enforcement policies. 
    Authentication will be based on ClearPass Onboard Cert, and if the clients are not AD based NPS would not have anything to do with the authorization since the CN would not equal the user UPN's on the cert (Cert Subject shouldn't match AD usernames, unless using AD users).

  • 6.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 09:19 AM
    thanks for getting back,
    As you say the users are not AD users.
    I am just autnenticating EAP-TLS User cert based clients based on trust of CA's .
    However in the event viewer i am seeing "user not found" which confuses me.
    So i was wondering how do i stop the NPS service from looking for a user account.

    Pete Elms

  • 7.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 09:31 AM
    You've probably included the NPS server as an authentication or authorization source.
    If no AD /NPS credentials are involve, just use the Onboard users/devices as the auth source.

  • 8.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 09:42 AM
    i am not using Clearpass as a RADIUS server i'm using NPS as my RADIUS service.
    I'm unclear on how you disable authorization on the NPS policy service.

    Pete Elms