Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Distributed Deployment

  • 1.  Distributed Deployment

    Posted Aug 29, 2017 05:17 AM

    Hi Experts,

    My CPPM nodes will be deployed as a distributed deployment design. In this design, do we need to have a certificate for each node, or can we just use a wildcard certificate for the cluster?

    Thanks



  • 2.  RE: Distributed Deployment

    Posted Aug 29, 2017 07:19 AM
    For HTTPS, you can use a single certificate with SANs, individual certs or a wildcard cert.

    For EAP, you'd use a single generic certificate across the whole cluster.


  • 3.  RE: Distributed Deployment

    Posted Aug 29, 2017 08:43 AM

    Hi cappalli,

    Thanks for the feedback, but what do you mean that for EAP I should use a generic certificate across the deployment?

    I still need to manually import it into each node, right?

    Thanks



  • 4.  RE: Distributed Deployment

    Posted Aug 29, 2017 08:47 AM

    Yes, you'll still need to import it, but you should use the same certificate for EAP across the whole cluster. Something generic (networklogin.domain.xyz, clearpass.domain.xyz, secureauth.domain.xyz, etc)
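    To make the certificate options from replies 2 and 4 concrete, here is an added example (not from this thread and not ClearPass code) that checks which cluster node FQDNs a certificate's DNS SAN entries actually cover, using the hostname-matching rule browsers apply (an exact match, or a wildcard that stands for a single leftmost label only). All node names, the forgotten SAN and the generic EAP name are constructed assumptions.

```python
# Added example (not from the thread): which ClearPass node FQDNs does a
# certificate's Subject Alternative Name list cover? Uses the RFC 6125 rule:
# exact match, or a "*." wildcard that covers exactly one leftmost label.
# All names below are constructed.


def hostname_matches(hostname: str, san: str) -> bool:
    """Return True if the DNS SAN entry `san` covers `hostname`."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        # No wildcard: the name must match exactly (case-insensitive).
        return hostname == san
    suffix = san[1:]  # "*.domain.xyz" -> ".domain.xyz"
    if not hostname.endswith(suffix):
        return False
    # Whatever precedes the suffix must be exactly one non-empty label: a
    # wildcard covers neither the bare domain nor names with extra sub-labels.
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_nodes(sans, nodes):
    """Return the node FQDNs that no SAN entry on the certificate covers."""
    return [n for n in nodes if not any(hostname_matches(n, s) for s in sans)]


# Constructed cluster: one publisher, two subscribers, and a node placed in a
# sub-zone to show the limit of a wildcard certificate.
CLUSTER_NODES = [
    "cppm-pub.domain.xyz",
    "cppm-sub1.domain.xyz",
    "cppm-sub2.domain.xyz",
]
SUBZONE_NODE = "cppm-sub3.lab.domain.xyz"

# Option 1: one HTTPS certificate listing each node as a SAN (sub2 was left out
# on purpose to show the check catching it).
SAN_CERT = ["cppm-pub.domain.xyz", "cppm-sub1.domain.xyz"]
# Option 2: a wildcard certificate for the zone.
WILDCARD_CERT = ["*.domain.xyz"]
# EAP certificate: one generic name shared by the whole cluster, as the reply
# suggests. Supplicants check it against their configured server name, so it
# need not match any node's hostname.
EAP_CERT = ["networklogin.domain.xyz"]


def report():
    """Summarise which certificate options leave cluster nodes uncovered."""
    return {
        "san_cert_missing": uncovered_nodes(SAN_CERT, CLUSTER_NODES),
        "wildcard_missing": uncovered_nodes(WILDCARD_CERT, CLUSTER_NODES),
        "wildcard_missing_subzone": uncovered_nodes(
            WILDCARD_CERT, CLUSTER_NODES + [SUBZONE_NODE]
        ),
        # Expected to list every node: the generic EAP name matches none of them.
        "eap_name_vs_nodes": uncovered_nodes(EAP_CERT, CLUSTER_NODES),
    }


if __name__ == "__main__":
    for key, missing in report().items():
        print(f"{key}: {missing or 'all nodes covered'}")
```

    Run it before importing a cluster-wide HTTPS certificate: any node listed under `san_cert_missing` or `wildcard_missing_subzone` will raise browser warnings on its admin or guest portal.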



  • 5.  RE: Distributed Deployment

    Posted Aug 29, 2017 09:32 AM

    Hi cappalli,

    Thanks for the feedback.

    In addition to this concern, is it possible in ClearPass to do EAP-Chaining so that it will check machine auth and user auth before giving access to the endpoint?

    Technically, my endpoint has a machine certificate and a user certificate, right?

    Thanks



  • 6.  RE: Distributed Deployment

    Posted Aug 29, 2017 09:51 AM

    EAP-chaining is a Cisco proprietary method that requires client software on the device.


    ClearPass uses native Computer + User authentication that's baked into Windows.



  • 7.  RE: Distributed Deployment

    Posted Aug 29, 2017 10:08 AM

    Hi cappalli,

    How can I do that in ClearPass, the one that you are talking about?

    Thanks.



  • 8.  RE: Distributed Deployment

    Posted Aug 29, 2017 10:11 AM

    You may want to work with your Aruba partner. 802.1X needs to be carefully planned out to be successful.


    ClearPass will automatically tag the authentication with [Machine Authenticated] when the computer account is used and [User Authenticated] when the user account is used. You can write a rule that checks for both of them. You also need to be sure the supplicant is configured correctly via group policy.



  • 9.  RE: Distributed Deployment

    Posted Aug 29, 2017 11:01 AM

    Hi cappalli,

    But this machine and user authentication can come from the machine cert and user cert right?

    Thanks



  • 10.  RE: Distributed Deployment

    Posted Aug 29, 2017 11:07 AM
    Yes, although using EAP-TLS on shared machines with computer + user is not recommended as the user certificate has to be downloaded into the local user store prior to authentication which creates a race condition.


  • 11.  RE: Distributed Deployment

    Posted Aug 21, 2018 05:32 AM

    Hi Tim,

    What if we use OnGuard to bounce the session (maybe delayed) and give the user time to get a cert via GPO?

    I think that if the network profile is set to authenticate user or machine, and the user is logging in for the first time (and doesn't have a cert), it simply won't do user authentication; it will only be machine authenticated. It gets the cert via GPO, OnGuard bounces the session, and in the second attempt the user is authenticated with the cert it just got.

    Will that do the trick, and is this valid design?
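    The Computer + User flow discussed in replies 8, 10 and 11 (both tags required for full access, the race when the user certificate is not yet in the local store, and a re-authentication after the certificate arrives) is modelled here as an added example. It is not ClearPass rule syntax and not code from this thread; the tag cache lifetime, the identity formats, the profile names and the event stream are constructed assumptions.

```python
# Added example (not from the thread, not ClearPass syntax): a model of the
# Computer + User authentication logic described above. Each successful EAP-TLS
# attempt tags the endpoint as machine- or user-authenticated; the enforcement
# rule grants full access only when both tags are present. Cache lifetime,
# identity formats and the sample event stream are assumptions.

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MACHINE_AUTH_CACHE_SECONDS = 24 * 3600  # assumed lifetime of the machine tag


@dataclass
class Attempt:
    t: int          # seconds since start (constructed timeline)
    mac: str        # endpoint identifier
    identity: str   # "host/<name>" for the computer account, otherwise a user
    has_cert: bool  # is the matching certificate present in the Windows store?


@dataclass
class Endpoint:
    machine_auth_at: Optional[int] = None
    user_auth_at: Optional[int] = None


def enforce(ep: Endpoint, now: int) -> str:
    """Pick an enforcement profile (assumed names) from the endpoint's tags."""
    machine = (
        ep.machine_auth_at is not None
        and now - ep.machine_auth_at <= MACHINE_AUTH_CACHE_SECONDS
    )
    user = ep.user_auth_at is not None
    if machine and user:
        return "Full-Access"
    if machine:
        return "Machine-Only-VLAN"   # computer account only: restricted access
    return "Reject"                  # user without a machine-authenticated box


def process(attempts: List[Attempt]) -> List[Tuple[int, str, str]]:
    """Replay attempts against a per-endpoint tag cache and log each decision."""
    cache: Dict[str, Endpoint] = {}
    log = []
    for a in attempts:
        ep = cache.setdefault(a.mac, Endpoint())
        if not a.has_cert:
            # The race from reply 10: no certificate in that store yet, so the
            # supplicant performs no EAP-TLS authentication for this identity.
            log.append((a.t, a.identity, "skipped: no certificate in store"))
            continue
        if a.identity.startswith("host/"):
            ep.machine_auth_at = a.t
        else:
            ep.user_auth_at = a.t
        log.append((a.t, a.identity, enforce(ep, a.t)))
    return log


def first_logon_scenario() -> List[Tuple[int, str, str]]:
    """Reply 11's sequence: machine auth, user logon without a cert, then a
    session bounce after GPO has delivered the user certificate."""
    events = [
        Attempt(0, "aa:bb:cc:00:11:22", "host/PC01.domain.xyz", True),
        Attempt(60, "aa:bb:cc:00:11:22", "alice@domain.xyz", False),
        # ... GPO enrols the user certificate, OnGuard bounces the session ...
        Attempt(600, "aa:bb:cc:00:11:22", "alice@domain.xyz", True),
    ]
    return process(events)


if __name__ == "__main__":
    for t, who, outcome in first_logon_scenario():
        print(f"t={t:>4}s {who:<24} -> {outcome}")
```

    The expired-cache path in `enforce` is the reason a user-only attempt on a box that was machine-authenticated long ago falls back to `Reject`: the rule that "checks for both" must decide how long the machine tag stays valid, which is a policy choice rather than something the thread settles.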