Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AP EAP-TLS with TPM - CPPM Authorization

  • 1.  AP EAP-TLS with TPM - CPPM Authorization

    Posted Apr 22, 2021 11:14 AM
    I am enabling Campus APs for EAP-TLS and using the factory TPM cert. For the authentication to pass in ClearPass, we need to disable "Authorization Required" in the EAP-TLS Authentication Method. 

    I am afraid this will reduce security for other EAP-TLS clients using the same service, like Windows AD users for instance. If we disable Authorization and a user's account is intentionally locked out in AD, the user will still be able to gain access to the network. 

    Thoughts on other solutions here? 

    Looking at the cert presented by the AP, the username is the name of the AP. As a test, we created that username in the Local User repository in CPPM and added the Local repository to the service. This worked. We could then enable Authorization in EAP-TLS. However, we can't possibly create hundreds of accounts for this. 

    Maybe EST cert enrollment? This may have the same issue: the name in the cert still needs to exist somewhere for Authorization. 

    Thanks!

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------


  • 2.  RE: AP EAP-TLS with TPM - CPPM Authorization
    Best Answer

    MVP EXPERT
    Posted Apr 22, 2021 12:10 PM
    There is no security concern here. Your APs should be hitting their own service, keyed off the username suffix (which by default is "@aruba.ap" and can be customized).

    ------------------------------
    Tim C
    ------------------------------
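As an added illustration of the layout described in this answer (not ClearPass code and not from the thread), the following Python models two services split by the User-Name suffix: the AP service trusts the factory TPM certificate without any directory lookup, while the user service keeps authorization on so a locked-out AD account is still rejected. The "@aruba.ap" suffix is the default named above; the issuer names, AP name and AD accounts are constructed assumptions.

```python
from dataclasses import dataclass

AP_SUFFIX = "@aruba.ap"             # default AP identity suffix named in the answer
AP_ISSUER = "Aruba Factory TPM CA"  # hypothetical issuer name for the AP TPM cert
USER_ISSUER = "Corp Issuing CA"     # hypothetical issuer name for user certs

# Constructed sample AD data: bob's account is locked out.
AD_ACCOUNTS = {"alice": {"locked_out": False}, "bob": {"locked_out": True}}

@dataclass
class Request:
    username: str   # EAP identity taken from the client certificate
    issuer: str     # issuer of the already-validated client certificate chain

def classify_service(req: Request) -> str:
    """Service classification: the AP service is matched on the username suffix."""
    return "AP-EAP-TLS" if req.username.endswith(AP_SUFFIX) else "User-EAP-TLS"

def authorize_ap(req: Request) -> bool:
    """AP service with 'Authorization Required' disabled: no directory lookup,
    but only certificates chaining to the factory TPM CA are trusted here."""
    return req.issuer == AP_ISSUER

def authorize_user(req: Request) -> bool:
    """User service keeps authorization on: the identity must exist in AD
    and must not be locked out."""
    acct = AD_ACCOUNTS.get(req.username)
    return req.issuer == USER_ISSUER and acct is not None and not acct["locked_out"]

def evaluate(req: Request) -> tuple:
    """Dispatch to the classified service and return (service, decision)."""
    service = classify_service(req)
    ok = authorize_ap(req) if service == "AP-EAP-TLS" else authorize_user(req)
    return service, "ACCEPT" if ok else "REJECT"

if __name__ == "__main__":
    for r in (Request("ap-floor1-01@aruba.ap", AP_ISSUER),   # AP: accepted on cert alone
              Request("bob", USER_ISSUER),                   # locked-out user: rejected
              Request("alice@aruba.ap", USER_ISSUER)):       # wrong CA for AP service
        print(r.username, *evaluate(r))
```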



  • 3.  RE: AP EAP-TLS with TPM - CPPM Authorization

    Posted Apr 22, 2021 12:17 PM
    Ahh.. of course! Sometimes simplest solutions are the most elusive. I had considered a separate service but could not think of anything unique to match on. Suffix would do it! Thank you :-)

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------