Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

  • 1.  User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    Posted May 02, 2019 08:54 PM

    We have ClearPass 6.7.9 and I have completed around 90% of the configuration but I can't get the user authentication working.  We want to have a single SSID with EAP-TLS utilising an internal CA for domain computers and PEAP MSCHAPv2 utilising a public CA certificate for non-domain computers.

    We have the computer authentication using the same internal CA working perfectly.

    We imported the COMODO certificate into ClearPass but in the (user authentication) service there is only a single drop-down menu to select the certificate.  How do I specify that the internal CA certificate should be used for EAP-TLS and the COMODO certificate should be used for PEAP MSCHAPv2?

    If I create two user authentication services (one for EAP-TLS and one for PEAP MSCHAPv2) the user authentication request is always matched against the first service - EAP-TLS in our testing.  The authentication request for non-domain computers utilising PEAP MSCHAPv2 would then be rejected with "EAP: Client doesn't support configured EAP methods".  I can't use the "Authentication:OuterMethod" attribute to separate the requests as it is always "EAP".

    Any assistance would be greatly appreciated.
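The rejection quoted in the post above comes from EAP method negotiation, which happens after the RADIUS server has already picked a service. The first Access-Request only carries an EAP-Response/Identity, so nothing in it says whether the client intends to do EAP-TLS or PEAP; the server proposes a method, and a client that cannot do it answers with an EAP NAK listing the methods it supports. The script below is an added example (not from this thread, not ClearPass code) that decodes EAP packets per the RFC 3748 layout and simulates that negotiation; the packet bytes, identity string and method lists are constructed for the example.

```python
"""Decode EAP packets (as carried in RADIUS EAP-Message attributes) and
simulate RFC 3748 method negotiation. Added example; all packets below are
constructed, not captured from a real ClearPass or NPS exchange."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
IDENTITY, NAK, EAP_TLS, PEAP = 1, 3, 13, 25


def build_eap(code, ident, etype=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(packet):
    """Parse one EAP packet into a dict; Identity and Nak payloads are decoded."""
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} does not match {len(packet)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        etype = packet[4]
        info["type"] = etype
        info["type_name"] = EAP_TYPES.get(etype, f"type-{etype}")
        data = packet[5:]
        if etype == IDENTITY:
            info["identity"] = data.decode("utf-8", "replace")
        elif etype == NAK:
            info["desired"] = list(data)  # one byte per method the peer accepts
    return info


def method_visible(packet):
    """True if the packet already names an authentication method. For the
    EAP-Response/Identity in the first Access-Request it is always False,
    which is why a service rule cannot distinguish EAP-TLS from PEAP there."""
    return parse_eap(packet).get("type") not in (None, IDENTITY, NAK)


def negotiate(server_methods, client_methods):
    """Server proposes its first method; a client that cannot do it replies
    with a Nak listing its own methods and the server picks one it also
    allows. None means no common method (the 'Client doesn't support
    configured EAP methods' outcome)."""
    proposal = server_methods[0]
    if proposal in client_methods:
        return proposal
    nak = build_eap(2, 2, NAK, bytes(client_methods))
    for wanted in parse_eap(nak)["desired"]:
        if wanted in server_methods:
            return wanted
    return None


if __name__ == "__main__":
    # Constructed: a contractor laptop configured for PEAP only.
    first = build_eap(2, 1, IDENTITY, b"contractor@example.com")
    print(parse_eap(first))
    print("method visible on first request:", method_visible(first))
    print("EAP-TLS-only service vs PEAP client:", negotiate([EAP_TLS], [PEAP]))
    print("service allowing both methods:", negotiate([EAP_TLS, PEAP], [PEAP]))
```

Running it shows the first packet exposing only the identity, the TLS-only service ending in `None` for the PEAP client, and a service that allows both methods settling on PEAP (type 25) after the NAK. That is the mechanism behind the symptom in the post: service classification happens before the method is known, so the method list of the matched service, not a second service, has to admit both EAP-TLS and PEAP.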



  • 2.  RE: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    EMPLOYEE
    Posted May 03, 2019 12:19 AM
    You don’t. Both sets of clients need to be configured to trust the same EAP server certificate.


  • 3.  RE: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    Posted May 03, 2019 05:28 PM

    To use a single certificate would require a reduction in security.  We either use a public CA certificate for EAP-TLS, which is not recommended, or import the domain CA root/intermediate certificates onto third party clients, which is also not recommended.

    Other AAA servers, including Microsoft's free NPS service, support this configuration.  Surely ClearPass can be configured for this configuration.



  • 4.  RE: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    EMPLOYEE
    Posted May 03, 2019 05:31 PM
    There is zero difference in security level with regard to the EAP server certificate issuer.


  • 5.  RE: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    Posted May 03, 2019 05:39 PM

    The customer's security policy requires all domain computers to authenticate using their domain CA.  This leaves me "in a pickle" when it comes to authenticating contractors, who really act as full time staff members, but utilise their own laptops.

    We currently use Microsoft NPS with the "Allowed EAP Type" condition to separate the EAP-TLS and PEAP MSCHAPv2 authentication types.

    If ClearPass is not capable of supporting this we may just return it and keep the NPS AAA service.



  • 6.  RE: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    EMPLOYEE
    Posted May 03, 2019 05:44 PM
    The EAP server certificate has NO relationship to the client certificate used for EAP-TLS.


  • 7.  RE: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

    Posted May 05, 2019 05:26 PM

    Tim, thanks for your help with this.

    So you are saying that the service certificate assigned to the user authentication service should be signed by a public CA so both domain computers (EAP-TLS) and non-domain computers (PEAP MSCHAPv2) will trust it?  The domain computers will continue to use the certificates signed by the domain CA independent of ClearPass while the non-domain computers will utilise the service certificate for phase 1 of PEAP.