We have ClearPass 6.7.9 and I have completed around 90% of the configuration but I can't get the user authentication working. We want to have a single SSID with EAP-TLS utilising an internal CA for domain computers and PEAP MSCHAPv2 utilising a public CA certificate for non-domain computers.
We have the computer authentication using the same internal CA working perfectly.
We imported the COMODO certificate into ClearPass but in the (user authentication) service there is only a single drop-down menu to select the certificate. How do I specify that the internal CA certificate should be used for EAP-TLS and the COMODO certificate should be used for PEAP MSCHAPv2?
If I create two user authentication services (one for EAP-TLS and one for PEAP MSCHAPv2) the user authentication request is always matched against the first service - EAP-TLS in our testing. The authentication request for non-domain computers utilising PEAP MSCHAPv2 would then be rejected with "EAP: Client doesn't support configured EAP methods". I can't use the "Authentication:OuterMethod" attribute to separate the requests as it is always "EAP".
Any assistance would be greatly appreciated.
To use a single certificate would require a reduction in security. We either use a public CA certificate for EAP-TLS, which is not recommended, or import the domain CA root/intermediate certificates onto third party clients, which is also not recommended.
Other AAA servers, including Microsoft's free NPS service, support this configuration. Surely ClearPass can be configured for this configuration.
The customer's security policy requires all domain computers to authenticate using their domain CA. This leaves me "in a pickle" when it comes to authenticating contractors, who really act as full time staff members, but utilise their own laptops.
We currently use Microsoft NPS with the "Allowed EAP Type" condition to separate the EAP-TLS and PEAP MSCHAPv2 authentication types.
If ClearPass is not capable of supporting this we may just return it and keep the NPS AAA service.
Tim, thanks for your help with this.
So you are saying that the service certificate assigned to the user authentication service should be signed by a public CA so both domain computers (EAP-TLS) and non-domain computers (PEAP MSCHAPv2) will trust it? The domain computers will continue to use the certificates signed by the domain CA independent of ClearPass while the non-domain computers will utilise the service certificate for phase 1 of PEAP.