Security

last person joined: 10 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass AD caching and EAP-TLS question

Jump to Best Answer
  • 1.  Clearpass AD caching and EAP-TLS question

    Posted Jan 26, 2016 05:14 AM

    When you have caching enabled on AD authentication source, does it cache the password/password hash at all, or is the password checked against the AD every time a user authenticates towards a Radius service on the clearpass? (typically eap-peap)

    I know group memberships and Authorization data is cached, but unsure about passwords.

     

    Now regarding EAP-TLS authentification to wireless network. As I understand, the user account password is never part of the authentication exchange. Authentication is achived by verifing the key-pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.11x SSID. The EAP-TLS wireless would then never be responsible for a locked out windows account (to many failed auth attempts).

    It is very clear to me that is have to work in a BYOD clearpass onboard deployment, but is that always the case even when windows domain computers are configured to use EAP-TLS?



  • 2.  RE: Clearpass AD caching and EAP-TLS question

    Posted Jan 26, 2016 06:58 AM

    Passwords are not cached.  Authorization can optionally do a lookup via LDAP to see if the username on the EAP-TLS certificate is still in AD to make sure the user has not been locked out or account disabled.



  • 3.  RE: Clearpass AD caching and EAP-TLS question

    Posted Jan 26, 2016 07:03 AM

    And I am correct in saying that the password is never exposed during EAP-TLS authentication?

    Even on domain windows computers the password is not part of the auth exchange.



  • 4.  RE: Clearpass AD caching and EAP-TLS question
    Best Answer

    Posted Jan 26, 2016 07:12 AM

    There is no password in an EAP-TLS exchange.  Correct.