Security

last person joined: 10 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

clearpass ad azure

This thread has been viewed 55 times
  • 1.  clearpass ad azure

    Posted May 19, 2021 09:04 AM
    Hi,
    We try to configure 802.1x authentication for computers managed by intune in azure with clearpass.
    We followed severals videos on youtube proposed by airheads (https://www.youtube.com/watch?v=MlcrqTDDufU) and configured clearpass.

    We have an issue, computers can't connect to network because they don't have the CA ROOT.

    Error codes :
    [Endpoints Repository] - localhost: User not found.
    EAP-TLS: fatal alert by client - unknown_ca
    TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    eap-tls: Error in establishing TLS session

    It seems that clients don't have valid ca. We provide ca root and machine certificat via intune and scepman.
    But our clearpass don't have a certificat installed delivry by this ca root, I think it's that issue.
    In the video, the speaker added the ca root in trust list of clearpass and it's enough to authenticate clients. For us this don't work.

    Has anyone succeed to configure this ? and how ?

    Thank you,
    Romeo


    ------------------------------
    ROMEO VANDEWYNCKEL
    ------------------------------


  • 2.  RE: clearpass ad azure

    Posted May 19, 2021 10:19 AM
    Romeo,

    Before you deploy 802.1X it is important to get a RADIUS Certificate installed on the ClearPass server. For this RADIUS certificate, it is recommended to have it issued by a private CA, and your Enterprise CA (if you have one), or the CA that issues your client certificates may be a good candidate, or as a last resort, you could use ClearPass Onboard to create a new Root CA and issue a RADIUS certificate from there.

    The root that signed the ClearPass RADIUS certificate needs to be pushed to your clients (in addition to other CAs that may be needed), and it needs to be set as trusted for 802.1X. Intune can help with that, and I think the Airheads video does that as well, but you may not have realized what is happening and why.

    This video (the end shows the same error you have), and the follow-up video will show you how to request the RADIUS cert from a Microsoft Enterprise CA.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: clearpass ad azure

    Posted May 19, 2021 11:45 AM
    Hi,

    Yes I understand and I agree with you.
    I hoped to do all certificates configuration into AZURE / INTUNE only.
    I chose scepman to manage certificate (as it mentioned to the video) in azure and its seem that I can't generate certificate for a specific device (in my case CPPM) who is not part to intune.

    So I'm looking for an other way to do this.

    If someone already did this..

    Thank you




    ------------------------------
    ROMEO VANDEWYNCKEL
    ------------------------------



  • 4.  RE: clearpass ad azure

    Posted May 20, 2021 08:14 AM
    You can push the RADIUS Certificate chain via the device profile. 
    https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root  

    You may want to check on SCEPman, Tim C put us onto this one. It allows you to use Azure KeyVault to distribute the Client certificates so you can do EAP-TLS without maintaining a CA on prem. You will still have to use a device management policy to push the root /enterprise CA that the KeyVault Intermediate CA cert will be based on.

    You can do this with an offline root, and even create the root and Intermediate certs with OpenSSL on just about any machine, though a standard CA would make things much easier than wading through the OpenSSL Config file if your not used to it. 


    ------------------------------
    Michael Holden
    ------------------------------



  • 5.  RE: clearpass ad azure

    Posted May 21, 2021 03:37 AM
    Hi,

    Thank you Michael,
    Can we use wildcard public certificat as radius certificat ?
    I always heard that is not recommended but I don't know really why.

    I asked scepman support for this issues. (for generate certificate for a device out intune)

    ------------------------------
    ROMEO VANDEWYNCKEL
    ------------------------------



  • 6.  RE: clearpass ad azure

    Posted May 21, 2021 10:50 AM
    There have been (at least historically) issues with Windows devices and wildcard certificates for EAP. As nearly every network needs to support Windows clients, it has been a no-go and probably nobody tested anymore as you probably don't want to risk this.

    Public certificates are not recommended for EAP because there is no benefit having a public certificate. For HTTPS you can automatically accept the certificate by linking it to the URL (hostname) you type in your browser. For 802.1X, there is no such identifier, on wired there is not even an SSID name, on wireless anyone can pick any SSID name, which means end user would need to make the decision if they trust a certificate and you probably know what they do if there is any security pop-up. The major issue with a public certificate for EAP is that these days public certs cannot he requested for a longer period than one year. You will need to roll-over your RADIUS certificate every year, but most important is that public CAs roll-over as well. So there is no guarantee that you can still get a certificate from the same public CA in a year from now. If you can't at that point, you have an issue as moving to another CA means potentially touching every client. With a private CA you control the validity of your CA, as well the issued certificates. Public CAs are under much higher restrictions.

    I know customers that run on public certs, and it works, but I have seen customers forced in reprovisioning procedures as well, where you don't want to be.

    Recommended for EAP is a long-running (multi-year) server certificate from a private CA. And use some kind of provisioning method to get the root and supplicant config in your client. AD GPO/Intune/other MDM for managed clients, for unmanaged/BYOD clients have a look at Onboard.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: clearpass ad azure

    Posted May 22, 2021 01:41 AM


    Sorry I missed that you had already Checked out Intune. 
    I hadn't checked these out before, but thank you Mitchell for the content! 
    If you check the 1.2 video (https://www.youtube.com/watch?v=OrrXgnTH_Qw ) around 7:45 minutes you'll see where the ClearPass RADIUS Certificate is defined when manually configuring, you'll need to do the same in the Device Profile WiFi configuration to match the ClearPass RADIUS Server Certificate. 
    https://docs.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-configure 

    As for the Wild Card question... Se Herman's response. Wildcard will not be a good option. 
    If this is lab or other small highly managed client set, you can look at something like Let's Encrypt or ssls.com. I wouldn't mess with Let's Encrypt for the RADIUS cert for anything other than a lab since the certbot isn't directly supported for the 90 day cert rotation. You could possibly do this with a cron job and the PUT /server-cert/name/{server_uuid}/{service_name} API call, but I can think of several basic security reasons not to do this. (Check you're API Explorer for details https://<you CPPM Server>/api-docs/PlatformCertificates-v1#!/ServerCert) 

    If you haven't seen it do a quick look over Tim C's quick cert overview: 
    https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=153ef9a1-a573-4ccb-80cb-3edac3ce2869 

    You should also keep in mind what Hermon mentions about the public CA re-issue problem. The lower cost CA's may encounter more issues, but your mileage will vary. 

    One example, we recently saw many public CA's change over from SHA1 to SHA2 changing their Cert Chain. So even when purchasing from the same CA you didn't get the same cert chain. If you know ahead of time and you've planed out the certificate change and you have management of all devices with endpoint management Intune or other MDM solution this can be mitigated, but that's a lot of ifs. 

    The other option is to  setup an enterprise trust, to almost satisfy your Azure only requirement, you could use an Offline Root CA, and have the KeyVault as the intermediate CA that issues client certs from the Azure KeyVault. Won't talk about the handling of key materials or how you make sure you protect the private key of your Root CA as well as the KeyVault CA, but if you do this make sure offline is OFFLINE, as in do this on an isolated device and transport the Intermediate PFX cert and CRL on secure known good medium never decrypted and don't leave it laying around, and lock it up when your no using it. Test with an "online" OpenSSL to get all your configs and extensions right and test, then repeat with the offline. Note, I had some issues with KeyVault and EC, I had to stay with RSA.  
    The use of Microsoft Certificate services, EJBCA, xca, Dogtag, etc may be easier than OpenSSL but are typically require more overhead.  

    Now that the warning is done check out Eric Siron's " How to Make an Offline Root Certificate Authority for Windows PKI in WSL"  https://www.altaro.com/hyper-v/wsl-offline-root-certificate-authority-windows-pki/

    If you're going to do this on a Linux box rather than WSL, you can jump to step 5.
    Step 6 would be the KeyVault Cert, and you'd also take an extra step to sign a ClearPass CSR from the Intermediate CA KeyVault CA or a secondary Sub CA cert, possibly one created for use in SSL Decrypt on your paloalto or other SSL traffic inspection device. 
    Be sure to configure your root CRL URL correctly and publish a CRL this is how you'll revoke the sub-CA's if anything happens.
    This can be published from an Azure webpage, but it will have to be public and available to all and you'll be tied to the page as long as you use the certificates.

    ClearPass RADIUS Cert OpenSSL template

    #CA Name 
    # set the subject name for the root certification authority
    #rootcaname=<Your-CA-Name>
    # set the complete URL where the root CA's downloadable certificate will be published
    #rootcaissuerssite=<Public Path to get the Cert>
    RADIUSCertsite=http://<Your FQDN>/<SubDir>/<Root Public Cert File>
    
    [ v3_RADIUScert_kerberos ]
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always,issuer
    basicConstraints=critical,CA:false
    keyUsage=critical,digitalSignature, keyEncipherment
    authorityInfoAccess = @v3_RADIUScert_aia
    extendedKeyUsage=serverAuth,clientAuth
    # The subject alternative name extension allows various literal values to be
    # included in the configuration file
    # http://www.openssl.org/docs/apps/x509v3_config.html
    subjectAltName  = IP:<IP Address for SAN>,DNS:<Alternate Name>
    
    [ v3_RADIUScert_aia ]
    caIssuers;URI=$RADIUSCertsite
    


    Be sure to include an extra SAN's IP and DNS or 2 if you plan on adding onto the cluster. 
    openssl ca  -in <ClearPassCSR>.csr  -extensions v3_RADIUScert_kerberos  -days 3652 -out ClearPass.cer

    Also check out Martin Vogwell blog:
    https://thevogtechblog.blogspot.com/2016/12/using-openssl-as-root-ca-for-windows.html 


    And Added bonus
    If you're going to implement LDAPS in AZ DS and need an LDAPS Cert
    https://www.simonscitrix.com/2018/12/how-to-create-client-certificate-for.html 




  • 8.  RE: clearpass ad azure

    Posted Jul 12, 2021 03:39 AM
    HI guys,

    Thank you very much for your feebacks.
    Romeo.

    ------------------------------
    ROMEO VANDEWYNCKEL
    ------------------------------