Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

EAP-TLS with IAPs and Clearpass

  • 1.  EAP-TLS with IAPs and Clearpass

    Posted Sep 23, 2021 11:53 AM
    Hi

    We are deploying EAP-TLS on IAPs managed from Aruba Central and Clearpass.

    The configuration of the IAPs is simply WPA2-Enterprise, with Clearpass as the authentication server and no access restrictions. In Clearpass we have configured a service whose authentication method is TLS. We want only the certificate to be used without credentials and not validated against the AD, so we have disabled the option to require authorization, also the certificate comparison and we do not use any authentication source. In clearpass we have an internally signed Radius/EAP certificate.

    The problem is that we don't see anything in the access tracker, the IAP just shows the device without IP and the user doesn't get any error message, he just can't connect. So, after many tests, we believe that the problem may be in the device certificates and be related to the changes that Android has introduced in versions 10 and 11.

    What exactly would the connection flow look like at the certificate level, i.e. which certificate and which CA should have both clearpass and the device? Would some cert be needed in the IAPs?

    We have read that Android does not allow adding certificates from private CAs; if so, can we use our internal certificate?

    Is it possible to use a wildcard user certificate on the device?

    When we try to configure a TLS connection profile in Android we are asked for the CA, the user certificate and the domain, which options should be configured?

    We also see that in Android it is possible to install the certificates in the user area and in the work area, how exactly should it be installed?

    Thank you in advance


  • 2.  RE: EAP-TLS with IAPs and Clearpass

    Posted Sep 23, 2021 12:16 PM
    If you don't see anything in the Access Tracker, either the request is not reaching ClearPass, or you don't have a matching Network Device (RADIUS client) configured. Do you see errors in the Event Viewer?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: EAP-TLS with IAPs and Clearpass

    Posted Sep 24, 2021 04:13 AM
    The RADIUS client is OK because we have some SSIDs working fine with the same IAPs and Clearpass.

    What errors should we see in the Event Viewer in this case? 

    Any idea about the other questions?




  • 4.  RE: EAP-TLS with IAPs and Clearpass

    Posted Sep 24, 2021 04:38 AM
    If an authentication request reaches the ClearPass server, you should either see an error in Event Viewer (in case you don't have a Network Device configured or there is a mismatch in the shared secret), or you should see something in Access Tracker. If you don't see the request in either, it is not even reaching ClearPass and you should check the IAP configuration; there must be something wrong there, which is strange if you have other SSIDs working with ClearPass on the same IAP.

    With Android 10 there should not be changes from before, and you can import a private CA for validation of the RADIUS server certificate. With Android 11 the option to not validate is removed, which means you have to import the root CA.

    As importing root CAs in Android is not something every user will be able to do, it is recommended to use a provisioning tool, like an MDM system for managed devices, or ClearPass OnBoard for non-managed devices, but there are more tools that do the same.

    Is it possible to use a wildcard user certificate on the device?
    Not sure, but you should have unique certificates for each of your devices, otherwise all devices will get the same identity on the network, and if you lose the certificate (key) on one of your devices, you should replace it on all of the devices. In the case you do have the same cert on all devices (strongly deprecated), there is no benefit of having a wildcard.

    When we try to configure a TLS connection profile in Android we are asked for the CA, the user certificate and the domain, which options should be configured?
    CA=the root CA that issued your ClearPass RADIUS/EAP server certificate. This needs to be installed to the device before you can configure the SSID/Network. User Certificate = the User Certificate discussed in the previous question. Domain=the name (CN/SAN) of your ClearPass RADIUS/EAP server certificate.

    We also see that in Android it is possible to install the certificates in the user area and in the work area, how exactly should it be installed?
    Maybe others have a strong opinion about that. I would say for a corporate network, use the work area, and users can use the user area for their own networks. With device management (MDM), it may be that you only control the work area on Android Enterprise/Samsung Knox.

    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: EAP-TLS with IAPs and Clearpass

    Posted Sep 24, 2021 04:58 AM
    Amazing, thank you so much for the details! Now I have to study everything :)

    One question about Android 11. They have removed the option to not validate, but is it possible to import a private root CA too? I have read something about this reporting some problems.

    We are testing now. Finally we have managed to see something in the access tracker. This is the message when connecting a Windows 10 device:

     Alerts for this Request 
    RADIUS Client did not complete EAP transaction




  • 6.  RE: EAP-TLS with IAPs and Clearpass

    Posted Sep 24, 2021 05:12 AM
    I don't have an Android 11 to test with, from what I heard you can install your own private CA for EAP-TLS and the main change is that 'do not validate' has disappeared, which is a good thing in my opinion and also matches the requirements for WPA3. It just means that the provisioning of devices needs to be done properly and that in many cases requires tooling to make it user-friendly.

    'Client did not complete EAP transaction' is in most cases an issue with certificate trust/client configuration, or it can be an MTU issue between your switch/AP and ClearPass. What may help is to check the ClearPass Workshop Series, and more specifically the Wireless Access part if you have ClearPass deployed already. The 'easy way' may be to get support from your Aruba Partner or TAC. If you have at least one device operational, it's easier to understand the issues with other devices.

    ------------------------------
    Herman Robers
    ------------------------------
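To make the certificate roles from reply 4 (CA, user certificate, domain) and the fragment-size point from reply 6 concrete, here is an added wpa_supplicant network block for EAP-TLS, the supplicant Android uses underneath the Wi-Fi settings dialog. It is an example written for this thread, not configuration from the original posts or from Aruba/ClearPass, and the SSID, file paths, identity, server name and fragment size are assumed placeholders.

```ini
# Added example: wpa_supplicant network block for EAP-TLS against ClearPass.
# Every value below is a placeholder chosen for illustration.
network={
    ssid="CORP-EAP-TLS"          # the IAP SSID (WPA2-Enterprise)
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=TLS

    # "CA" in the Android dialog: the root CA that issued the ClearPass
    # RADIUS/EAP *server* certificate. It must be installed on the device
    # first; on Android 11 there is no "do not validate" option any more.
    ca_cert="/path/to/clearpass-root-ca.pem"

    # "User certificate" in the Android dialog: a certificate and key that
    # are unique to this device, issued by a CA that ClearPass trusts.
    # Sharing one (wildcard) certificate across devices gives every device
    # the same identity and forces a fleet-wide replacement if one key leaks.
    identity="device0001@example.com"
    client_cert="/path/to/device0001.pem"
    private_key="/path/to/device0001.key"

    # "Domain" in the Android dialog: the name the ClearPass server
    # certificate carries in its CN or dNSName SAN. domain_match requires
    # a full, exact match; domain_suffix_match would also accept subdomains.
    domain_match="clearpass.example.com"

    # Reply 6 names MTU problems between AP and ClearPass as one cause of
    # "Client did not complete EAP transaction". wpa_supplicant's default
    # EAP fragment size is 1398 bytes; lowering it keeps each fragment of
    # the TLS handshake inside a smaller path MTU. 1200 is an assumed value.
    fragment_size=1200
}
```

If the device still never appears in Access Tracker, the three values to re-check are exactly these: the CA must be the issuer of the ClearPass server certificate, the domain must equal its CN/SAN, and the client certificate must chain to a CA that ClearPass trusts.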



  • 7.  RE: EAP-TLS with IAPs and Clearpass

    Posted Sep 24, 2021 06:25 AM
    Working in Windows 10!

    Clearpass trusts the user certificate and the user validates the Clearpass certificate by trusting the Clearpass CA. Besides, we select user and machine authentication with a wildcard as the user certificate.

    However, Android is still not working properly when applying a configuration similar to the one that works in Windows. We select the same CA as the Clearpass certificate, the same wildcard as the user certificate and enter the Clearpass domain, but nothing happens. The device is not able to connect, without any error message, and we don't see anything in the access tracker.

    So it confirms that the problem is how Android understands certificates.