Security

 View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Why is the role [User Authenticated] applied to a TEAP authentication with no method-2 input?

Jump to Best Answer
This thread has been viewed 16 times
  • 1.  Why is the role [User Authenticated] applied to a TEAP authentication with no method-2 input?

    Posted Nov 10, 2021 08:59 AM
    Hi. 

    I'm facing an issue with the new configuration of TEAP. 
    I have multiple laptops with both machine certificates and user certificates. 

    When the computer start up and is left at the login screen, an authentication to clearpass (through WiFi) is done using TEAP. 
    In this authentication the computer is connecting and authenticating using it's own certificate (TEAP Method-1) and this works well. 
    Credentials for the user is not provided since I want the computer to stay at the login screen. 
    The log from Clearpass access tracker is as follows:
    When the computer is started and left like this and no user credentials is provided, though TEAP-Method-2 should fail. As you can see, even though TEAP-Method-2-Status is Failure, a role named [ User Authenticated ] is applied. This is, according to Aruba TAC, a behavior by design, but the author of this youtube video, @Herman Robers, is showing another behavior. Aruba ClearPass Workshop (2021) - Wireless Access #7 TEAP Authentication (EAP Chaining)

    In this video, the computer is at the login screen and doesn't get the role [ User Authenticated ] , only [ Machine Authenticated ]  and this is the behavior I want to achieve. 

    In step 2, when I login to the computer, a different EAP / Radius session is created in clearpass and now both the Machine certificate and the provides user credentials (with user certificate) is verified using TEAP. At this stage, both TEAP-Method-1 and TEAP-Method-2 is working as it should. See pictures below. 
    The goal is to have the computer at the login screen and only have the role [ Machine Authenticated ], not [ User Authenticated ] as Herman is describing in his video. 

    The supplicant is configured to use EAP Method 1 and Method 2 as Smart Card (Certificate) and not MSCHAPv2. 

    Thank you!


    ------------------------------
    Anton K�llgren
    ------------------------------


  • 2.  RE: Why is the role [User Authenticated] applied to a TEAP authentication with no method-2 input?

    Posted Nov 10, 2021 09:02 AM
    This is a print screen from Hermans video that I want to achieve:


    ------------------------------
    Anton K�llgren
    ------------------------------



  • 3.  RE: Why is the role [User Authenticated] applied to a TEAP authentication with no method-2 input?
    Best Answer

    Posted Nov 22, 2021 03:39 AM
    I have now confirmed that this is a known bug from Aruba with BUG-ID: CP-44417. 
    I will close this thread. 


    ------------------------------
    Anton K�llgren
    ------------------------------