Security

last person joined: 10 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

EAP-TLS device authentication with unicity certificate check by CPPM

This thread has been viewed 44 times
  • 1.  EAP-TLS device authentication with unicity certificate check by CPPM

    Posted May 26, 2021 06:59 PM
    Hi,
    I am phasing with a design making use of EAP-TLS.
    Devices are off-line certified, not by the Clearpass.
    I wish to configure an Insight SQL filter query suitable to check the unicity of the device's certificate by means of the CN.
    The behaviour should be: if the 'CN' of the authenticating device still exist in the Insight, then deny access.

    Can, please anybody support or share his/her experience?
    Thanks in advance

    Luigi

    PS: I tried with this filter query:

    select count(distinct calling_station_id) as active_sessions from radius_acct where end_time is null and username = '%{Authentication:CN}' and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}' and updated_at > now()
    Not working


    ------------------------------
    Luigi Panico
    ------------------------------


  • 2.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted May 27, 2021 04:46 AM
    I think you're trying to identify that a certificate is only being used by one device?

    If this is the case then you are highly likely to have issues with devices that have both wired and wireless interfaces doing TLS.

    Irrespective, looking at your SQL the bit I don't understand is the "and updated_at > now()" that scenario is never going to occur. I think you want to backdate by a period of time, ie updated_at > (now() - interval '1' month).

    ------------------------------
    Derin Mellor
    ------------------------------



  • 3.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted May 27, 2021 05:30 AM
    Thanks Darin, 
    - let us assume TLS auth devices be wired only, at this time.
    - on the period, you are right. It should be (for example)

    timestamp between (now() - interval '12 hours') and now() order by timestamp limit 1;

    My concern is on the syntax of the sql query to do the check on the subject-CN

    Luigi

    ------------------------------
    Luigi Panico
    ------------------------------



  • 4.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted May 27, 2021 07:51 AM
    You need to explicitly look at the AccessTracker-->Input-->Computed Attributes and pick out the best Certificate details. You will then use this direct is the SQL.

    I quickly looked in my environment and the user login reports the Certificate:Subject-CN=Users,<username>
    Looks like you really need the Certificate:Subject-emailAddress=<username>@<domain>. Hence to use this in the SQL I'd use  username=%{Certificate:Subject-emailAddress}

    However, I notice that with my machine login there is no Certificate:Subject-emailAddress or even Certificate:Subject-CN. The best my environment has is the Certificate:Subject-AltName-DNS=<hostname>.<domain>. But hopefully this is important.


    ------------------------------
    Derin Mellor
    ------------------------------



  • 5.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 01, 2021 04:47 AM
    Hi Derin.
    Still not working
    ------------------------------------------------
    For "MAC or credentials unicity", I have this filter which works well:

    select
    CASE
    WHEN mac ='%{Connection:Client-Mac-Address-NoDelim}' THEN 'true'
    WHEN mac IS NULL THEN 'true'
    ELSE 'false'
    END as Device_Allowed
    from auth where username='%{Authentication:Username}' and error_code=0 and timestamp between (now() - interval '10 years') and now() order by timestamp limit 1;
    ---------------------------------------------------
    for TLS device cert unicity, I tried some of the possibilities you envisage, like:

    select
    CASE
    as Device_Allowed
    WHEN username='%{Certificate:Subject-CN}' and error_code=0 and timestamp between (now() - interval '10 years') and now() order by timestamp limit 1 THEN 'true'
    ELSE 'false';

    Not working. 
    My CPPM is not joined to any domain.

    Pls any idea?

    Thanks a lot.


    Luigi


    ------------------------------
    Luigi Panico
    ------------------------------



  • 6.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 01, 2021 05:07 AM

    Luigi,

     

    What is being reported in the AccessTracker Event'sàInputàComputed Attributes details?

     

    Regards Derin

    Principle ClearPass Engineer

     

    Blue Sky Systems Limited

     

    Tel: 03300 101 550

    DDI: 03300 101 474

    Mobile: 07749 100 180

    Email: derin.mellor@blueskysystems.com

    Web: www.blueskysystems.co.uk

     

    Registered in England No: 8856125

    Registered Office: Dorset House, Regent Park, 297-299 Kingston Road, Leatherhead, KT22 7PL

     

     

     






  • 7.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 01, 2021 09:27 AM
      |   view attached
    Derin, please find all attributes in the attachment

    ------------------------------
    Luigi Panico
    ------------------------------

    Attachment(s)

    docx
    IFDC-44.docx   172 KB 1 version


  • 8.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 01, 2021 09:41 AM
    Looking at this the certificate information is held in the variable '%{Certificate:Subject-CN}'
    Hence, based on your original SQL I would expect it to look like:
    SELECT COUNT(DISTINCT calling_station_id) AS activesessions
    FROM radius_acct
    WHERE end_time is null AND username='%{Certificate:Subject-CN}'
    AND calling_station_id!='%{Connection:Client-Mac-Address-NoDelim}'
    AND updated_at > NOW()-internval '1' hour);

    ------------------------------
    Derin Mellor
    ------------------------------



  • 9.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 06, 2021 10:20 AM
    ciao Derin,
    great! the filter is ok, configured.
    also configured the policy enforcement condition to verify "activesessions" value doe not exceed '1'. But it doesn't work.
    CoA port is enabled through firewall.
    It looks like the CPPM be not checking the active sessions.

    any further idea?
    thanks B. R. 
    Luigi

    ------------------------------
    Luigi Panico
    ------------------------------



  • 10.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 06, 2021 04:48 PM

    Luigi,

     

    I assume CoA works? If not this obviously has to be fixed.

     

    I'm on holiday for the next week so won't be able to follow up.

     

    Regards Derin

    Principle ClearPass Engineer

     

    Blue Sky Systems Limited

     

    Tel: 03300 101 550

    DDI: 03300 101 474

    Mobile: 07749 100 180

    Email: derin.mellor@blueskysystems.com

    Web: www.blueskysystems.co.uk

     

    Registered in England No: 8856125

    Registered Office: Dorset House, Regent Park, 297-299 Kingston Road, Leatherhead, KT22 7PL

     

     

     






  • 11.  RE: EAP-TLS device authentication with unicity certificate check by CPPM

    Posted Jun 22, 2021 12:50 PM
    dear Derin, 
    only to inform that CoA debug not yet started. Asap I'll give you feedback (at the moment, only CoA CallingSationIUD attribute is included; I think furtther ones, dealing with session needed to be added ... rigth?)

    ------------------------------
    Luigi Panico
    ------------------------------