Security

Hello,

I'm starting with clearpass and I want to do a very simple setup that authenticates the voice IP phones and hosts and adds them to the corresponding VLAN. If the host does not exist in the AD, it leaves it in a quarantine Vlan.
The problem is that we do not have the CA role implemented in the domain.
My question is if you can do that host authentication in the AD without using certificates or using the certificate "for example from the antivirus" that the hosts already have.

Thank you very much

------------------------------
Angel Valcarce
------------------------------

Hi Angel,

The use of certificates for authentication will be determined by the Authentication method being used by the hosts. If the host is configured for EAP-PEAP it will not use a certificate even if it has one.
And authenticate the user using EAP-PEAP ( username/password ) hosts must existing on AD, and CPPM should be joined to the Domain. Here in this workflow, it's not required to have a CA role on AD.

However, if the hosts are set up to use EAP-TLS then at least one valid client certificate has to be present in the host personal store. ( The certificate can be issued by any CA authority be it AD or Antivirus vendor ) as long as the Issuer of the certificate is present in ClearPass Trust List.
Here, we do have an option that can authenticate the user even when the user is not present in AD as long as a valid certificate is used during authentication.

------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP | Aruba Software
------------------------------

Original Message:
Sent: Sep 14, 2021 10:10 AM
From: Angel Valcarce
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hello,

I'm starting with clearpass and I want to do a very simple setup that authenticates the voice IP phones and hosts and adds them to the corresponding VLAN. If the host does not exist in the AD, it leaves it in a quarantine Vlan.The problem is that we do not have the CA role implemented in the domain.My question is if you can do that host authentication in the AD without using certificates or using the certificate "for example from the antivirus" that the hosts already have.Thank you very much

------------------------------
Angel Valcarce
------------------------------

Thank you very much for your reply.
The question that comes to me is because with EAP-PEAP authentication it gave me a certificate error.


In order for it to work, I had to disable the option on the host to verify the identity of the server by validating the certificate. With that it already authenticates me although I don't know if doing it this way is the right thing to do.


Thank you

------------------------------
Angel Valcarce
------------------------------

Original Message:
Sent: Sep 14, 2021 09:25 PM
From: Sandeep Yadav
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hi Angel,

The use of certificates for authentication will be determined by the Authentication method being used by the hosts. If the host is configured for EAP-PEAP it will not use a certificate even if it has one.
And authenticate the user using EAP-PEAP ( username/password ) hosts must existing on AD, and CPPM should be joined to the Domain. Here in this workflow, it's not required to have a CA role on AD.

However, if the hosts are set up to use EAP-TLS then at least one valid client certificate has to be present in the host personal store. ( The certificate can be issued by any CA authority be it AD or Antivirus vendor ) as long as the Issuer of the certificate is present in ClearPass Trust List.
Here, we do have an option that can authenticate the user even when the user is not present in AD as long as a valid certificate is used during authentication.

------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP | Aruba Software

Original Message:
Sent: Sep 14, 2021 10:10 AM
From: Angel Valcarce
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hello,

I'm starting with clearpass and I want to do a very simple setup that authenticates the voice IP phones and hosts and adds them to the corresponding VLAN. If the host does not exist in the AD, it leaves it in a quarantine Vlan.The problem is that we do not have the CA role implemented in the domain.My question is if you can do that host authentication in the AD without using certificates or using the certificate "for example from the antivirus" that the hosts already have.Thank you very much

------------------------------
Angel Valcarce
------------------------------

Ok, this message is telling that the client does not trust the ClearPass RADIUS/EAP server certificate. Have you installed your own RADIUS/EAP server certificate on ClearPass?

It's best to work with your Aruba partner, as getting the certificates right may be confusing for many people, but it is important to do this right.

With the current setting (do not validate certificate), you configured your client to give out the AD credentials to anyone asking for it. The use of PEAP is strongly deprecated because the underlying MSCHAPv2 has been seriously broken, and if a user is tricked to authenticate to a rogue/hostile network, your username and password should be considered exposed. In practice, you can't make PEAP (with passwords) secure, unless you have full control over your clients, like with AD Group Policies or Device Management.

And if you have GPO or Device Management, go for EAP-TLS and enroll client certificates (or use client certificates if these are already rolled out to your clients).

As there is a big impact of making the wrong decision, in this forum I can do nothing else than warn against the use of PEAP-MSCHAPv2 (or any password-based authentication with 802.1X). In the ClearPass Workshop Series on Youtube, there is some explanation as well on the use of client and EAP Server certificates.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 15, 2021 04:11 AM
From: Angel Valcarce
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Thank you very much for your reply.
The question that comes to me is because with EAP-PEAP authentication it gave me a certificate error.

In order for it to work, I had to disable the option on the host to verify the identity of the server by validating the certificate. With that it already authenticates me although I don't know if doing it this way is the right thing to do.

Thank you

------------------------------
Angel Valcarce

Original Message:
Sent: Sep 14, 2021 09:25 PM
From: Sandeep Yadav
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hi Angel,

The use of certificates for authentication will be determined by the Authentication method being used by the hosts. If the host is configured for EAP-PEAP it will not use a certificate even if it has one.
And authenticate the user using EAP-PEAP ( username/password ) hosts must existing on AD, and CPPM should be joined to the Domain. Here in this workflow, it's not required to have a CA role on AD.

However, if the hosts are set up to use EAP-TLS then at least one valid client certificate has to be present in the host personal store. ( The certificate can be issued by any CA authority be it AD or Antivirus vendor ) as long as the Issuer of the certificate is present in ClearPass Trust List.
Here, we do have an option that can authenticate the user even when the user is not present in AD as long as a valid certificate is used during authentication.

------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP | Aruba Software

Original Message:
Sent: Sep 14, 2021 10:10 AM
From: Angel Valcarce
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hello,

I'm starting with clearpass and I want to do a very simple setup that authenticates the voice IP phones and hosts and adds them to the corresponding VLAN. If the host does not exist in the AD, it leaves it in a quarantine Vlan.The problem is that we do not have the CA role implemented in the domain.My question is if you can do that host authentication in the AD without using certificates or using the certificate "for example from the antivirus" that the hosts already have.Thank you very much

------------------------------
Angel Valcarce
------------------------------

Understood, we will make the decision to install CA Domain.
Thank you very much for your help and congratulations for the videos.

------------------------------
Angel Valcarce
------------------------------

Original Message:
Sent: Sep 15, 2021 04:59 AM
From: Herman Robers
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Ok, this message is telling that the client does not trust the ClearPass RADIUS/EAP server certificate. Have you installed your own RADIUS/EAP server certificate on ClearPass?

It's best to work with your Aruba partner, as getting the certificates right may be confusing for many people, but it is important to do this right.

With the current setting (do not validate certificate), you configured your client to give out the AD credentials to anyone asking for it. The use of PEAP is strongly deprecated because the underlying MSCHAPv2 has been seriously broken, and if a user is tricked to authenticate to a rogue/hostile network, your username and password should be considered exposed. In practice, you can't make PEAP (with passwords) secure, unless you have full control over your clients, like with AD Group Policies or Device Management.

And if you have GPO or Device Management, go for EAP-TLS and enroll client certificates (or use client certificates if these are already rolled out to your clients).

As there is a big impact of making the wrong decision, in this forum I can do nothing else than warn against the use of PEAP-MSCHAPv2 (or any password-based authentication with 802.1X). In the ClearPass Workshop Series on Youtube, there is some explanation as well on the use of client and EAP Server certificates.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 04:11 AM
From: Angel Valcarce
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Thank you very much for your reply.
The question that comes to me is because with EAP-PEAP authentication it gave me a certificate error.

In order for it to work, I had to disable the option on the host to verify the identity of the server by validating the certificate. With that it already authenticates me although I don't know if doing it this way is the right thing to do.

Thank you

------------------------------
Angel Valcarce

Original Message:
Sent: Sep 14, 2021 09:25 PM
From: Sandeep Yadav
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hi Angel,

The use of certificates for authentication will be determined by the Authentication method being used by the hosts. If the host is configured for EAP-PEAP it will not use a certificate even if it has one.
And authenticate the user using EAP-PEAP ( username/password ) hosts must existing on AD, and CPPM should be joined to the Domain. Here in this workflow, it's not required to have a CA role on AD.

However, if the hosts are set up to use EAP-TLS then at least one valid client certificate has to be present in the host personal store. ( The certificate can be issued by any CA authority be it AD or Antivirus vendor ) as long as the Issuer of the certificate is present in ClearPass Trust List.
Here, we do have an option that can authenticate the user even when the user is not present in AD as long as a valid certificate is used during authentication.

------------------------------
SANDEEP YADAV
Global Escalation Center, ACCP | Aruba Software

Original Message:
Sent: Sep 14, 2021 10:10 AM
From: Angel Valcarce
Subject: Clearpass wired 802.1x authentication no role CA in Domain

Hello,

I'm starting with clearpass and I want to do a very simple setup that authenticates the voice IP phones and hosts and adds them to the corresponding VLAN. If the host does not exist in the AD, it leaves it in a quarantine Vlan.The problem is that we do not have the CA role implemented in the domain.My question is if you can do that host authentication in the AD without using certificates or using the certificate "for example from the antivirus" that the hosts already have.Thank you very much

------------------------------
Angel Valcarce
------------------------------