When you have caching enabled on an AD authentication source, does it cache the password/password hash at all, or is the password checked against AD every time a user authenticates to a RADIUS service on ClearPass (typically EAP-PEAP)?
I know group memberships and authorization data are cached, but I am unsure about passwords.
Now regarding EAP-TLS authentication to a wireless network. As I understand it, the user account password is never part of the authentication exchange. Authentication is achieved by verifying the key pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.1X SSID. EAP-TLS wireless would then never be responsible for a locked-out Windows account (too many failed auth attempts).
It is very clear to me that it has to work this way in a BYOD ClearPass Onboard deployment, but is that always the case, even when Windows domain computers are configured to use EAP-TLS?
Passwords are not cached. Authorization can optionally do a lookup via LDAP to see if the username on the EAP-TLS certificate is still in AD to make sure the user has not been locked out or account disabled.
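The authorization lookup described in the answer above, as an added example that is not ClearPass's own code or configuration: it assumes the UPN has already been extracted from the client certificate's Subject Alternative Name, stands in an in-memory dictionary for the LDAP search result, and uses a constructed 30-minute lockoutDuration. The userAccountControl flag value, the FILETIME encoding of lockoutTime/accountExpires and the "0 or 0x7FFFFFFFFFFFFFFF means never" convention are standard AD semantics; the account entries are made up.

```python
from datetime import datetime, timedelta, timezone

# Standard AD userAccountControl bits.
UF_NORMAL_ACCOUNT = 0x0200
UF_ACCOUNTDISABLE = 0x0002

# AD stores lockoutTime and accountExpires as Windows FILETIME:
# 100-nanosecond intervals since 1601-01-01 UTC. 0 (and, for accountExpires,
# 0x7FFFFFFFFFFFFFFF) means "not set / never".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ft):
    if ft in FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Constructed "current time" and domain lockout policy (assumption: 30 minutes).
NOW = datetime(2020, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed stand-in for the LDAP search result keyed by userPrincipalName.
DIRECTORY = {
    "alice@example.com": {"userAccountControl": UF_NORMAL_ACCOUNT,
                          "lockoutTime": 0, "accountExpires": 0},
    "bob@example.com":   {"userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
                          "lockoutTime": 0, "accountExpires": 0},
    "carol@example.com": {"userAccountControl": UF_NORMAL_ACCOUNT,   # locked 5 min ago
                          "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5)),
                          "accountExpires": 0},
    "dave@example.com":  {"userAccountControl": UF_NORMAL_ACCOUNT,   # lockout already expired
                          "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2)),
                          "accountExpires": 0},
    "erin@example.com":  {"userAccountControl": UF_NORMAL_ACCOUNT,   # account expired yesterday
                          "lockoutTime": 0,
                          "accountExpires": datetime_to_filetime(NOW - timedelta(days=1))},
}


def ldap_lookup(upn):
    """Stands in for an LDAP search (userPrincipalName=<upn>) returning the three attributes."""
    return DIRECTORY.get(upn)


def authorize(cert_upn, now=NOW, lockout_duration=LOCKOUT_DURATION):
    """Decide whether a client whose certificate carries cert_upn may be admitted.

    The TLS handshake already proved possession of the private key; this step only
    confirms the account behind the certificate still exists and is usable.
    Returns (accept, reason).
    """
    entry = ldap_lookup(cert_upn)
    if entry is None:
        return False, "no matching AD account"
    if entry["userAccountControl"] & UF_ACCOUNTDISABLE:
        return False, "account disabled"
    # An account stays locked until lockoutTime + lockoutDuration has passed,
    # or until an administrator unlocks it (which resets lockoutTime to 0).
    locked_at = filetime_to_datetime(entry["lockoutTime"])
    if locked_at is not None and now - locked_at < lockout_duration:
        return False, "account locked out"
    expires = filetime_to_datetime(entry["accountExpires"])
    if expires is not None and now >= expires:
        return False, "account expired"
    return True, "ok"


if __name__ == "__main__":
    for upn in list(DIRECTORY) + ["mallory@example.com"]:
        print(upn, authorize(upn))
```

In a real deployment this logic is configuration rather than code: the certificate's UPN becomes the lookup key for an LDAP authorization source, and the enforcement policy rejects on the disabled, locked-out or expired condition. The example makes explicit which attributes that lookup has to read and why a stale lockoutTime alone is not enough to deny access.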
And I am correct in saying that the password is never exposed during EAP-TLS authentication?
Even on domain Windows computers the password is not part of the auth exchange.
There is no password in an EAP-TLS exchange. Correct.
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.