Security

last person joined: 8 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

User authentication with trusted root cert of AD

Jump to Best Answer
This thread has been viewed 0 times
  • 1.  User authentication with trusted root cert of AD

    Posted Feb 19, 2020 08:40 AM

    Dear All, 

    one of my customer require below to achieve. Please advise what steps might be required

     

    1) User will connect from a workgroup machine

    2) User will be part of domain

    3) User shall not be allowed to authenticate if Trusted root CA of AD CS is not installed on the machine

     

    Can it be done using Peap or do i need to use EAP-TLS?



  • 2.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 08:51 AM

    We always recommend to use EAP-TLS, which is more secure compare to EAP-PEAP, it is achievable by EAP-TLS and PEAP as well.

     

     



  • 3.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:15 AM

    This can be done with either PEAP/MSCHAP or TLS - though we recommend TLS (PEAP/MSCHAP is too easy to do a MitM and DoS attacks against).

    Assuming the ClearPass RADIUS certificate is signed by the ADCS then if the PC does not have the AD's Root Certificate insalled it "should" reject the request. By default the SSID should have "Validate the server's identity by validating the certificate", if the user has access to this setting they could circumvent this - but most domain PCs users should be hardened so that they cannot edit the SSID details.



  • 4.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:25 AM
    Dear dmellor,

    In my case, user is coming from a workgroup machine. So yes they can
    uncheck validate the server identity. Keeping this in mind, is it possible
    to reject the authentication if either the root cert is not installed or if
    validate cert is unchecked?


  • 5.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:41 AM

    If client does not have valid third party root CA or internal ADCS root certificate in trust list auth will fail.

     

    You have to add root CA to client trust list for auth to work.

     

    In EAP-PEAP, client has to trust server certificate for authentication to work. If client uncheck validate server certificate still auth will work.

     



  • 6.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:45 AM
    So what do i need to configure on Clearpass?


  • 7.  RE: User authentication with trusted root cert of AD



  • 8.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 10:24 AM
    Dear Pavan

    I know how to configure all this. But in order to meet this requirement do
    i need to configure something else also? Or normal 802.1x PEAP setup is
    enough?


  • 9.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 11:09 AM

    EAP-PEAP setup is enough but we recommend EAP-TLS for better security.



  • 10.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 12:43 PM

    Dear Pavan, 

     

    I tried the following but it doesnt work 

    1) Downloaded the root CA of my AD CS

    2) Imported it under Clearpass (Snapshot attached)

    3) Generated CSR and got certificates for Clearpass and installed it (snap attached)

    4) Created a simple 802.1x service (PEAP) that will check if tips assigns [user authenticated] role, it will allow access

    5) Tried connecting from my workgroup machine which DOESNT have AD CS root CA certificate installed

    6) it connects!!

     

    The requirement is, this user shouldnt be able to connect. Any ideas what i am missing? 



  • 11.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 02:39 PM

    Hello Ronin101,

     

    What you tested is 802.1x authentication EAP/PEAP, the authentication worked because, it is a workgroup machine, and it trusts the server certificate installed on the Clearpass or the server cert validation is disabled on the client's 802.1x configuration.(Incase if it does not trust).

     

    Trust list in the Clearpass, does not come in to play for EAP peap, it will be used in Eap TLS, when Clearpass has to check the client certificate.

     

    In EAP Peap, you can only check the server cert's validation on client, if it works, by default the auth will work, if it fails, auth will not work. if you want to stop the clients to be able to check/uncheck the cert validation, you could push a AD group policy to disable that access to client machines.

     

    If you want to perform certain certification checks on the client from Clearpass to perform, authentication you should do EAP TLS.

     

    To sum it all up:

    " for your third requirement:

    3) User shall not be allowed to authenticate if Trusted root CA of AD CS is not installed on the machine "

     

    Is the clearpass server cert signed by "Trusted root CA of AD CS" ? then you can do EAP PEAP, and use the validation option, if not, you need to EAP TLS.

     

    hope this helps..

     

    --

     

     

     

     

     

     

     



  • 12.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 02:48 PM
    Dear Fayyaz

    Just to confirm, if using peap only, there is no way to reject
    client(workgroup) authentication if it doesnt have root ca cert installed
    right?


  • 13.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 02:53 PM

    Yes, if the Clearpass server cert is different and if clients trusts it, auth will work, irrespective of the cert you are looking for is installed or not, on the client machine.

     

    EAP PEAP, will only check if the client trusts the Clearpass's server cert.  it will not check for any other additional certs on clients, you will need to do EAP TLS for that.

     

    --



  • 14.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:11 PM

    Dear Fayyaz,

     

    Need to understand your statement

    "Yes, if the Clearpass server cert is different and if clients trusts it, auth will work, irrespective of the cert you are looking for is installed or not, on the client machine."

     

    In my case, i get a minor warning and then i am able to connect. So auth is not failing in any case if i am using PEAP.



  • 15.  RE: User authentication with trusted root cert of AD

    Posted Feb 20, 2020 04:08 AM

    Are you getting certificate warning ERROR while connecting to SSID?

     

    Does Verify the server's identity is enabled under Ethernet Properties ? We can also  provide list of servers to which client is allowed to connect under "Connect to these servers " option.

     

    If certificate is in trust list of client machine it will allow.

    Capture.PNG

     



  • 16.  RE: User authentication with trusted root cert of AD

    Posted Feb 20, 2020 04:35 AM

    No its not enabled and point is, can authentication FAIL if its "unchecked"? so far info i have gathered, its not possible.

     

    Do you think its possible on workgroup machines without checking validating server identity?



  • 17.  RE: User authentication with trusted root cert of AD
    Best Answer

    Posted Feb 20, 2020 05:40 AM

    If you are using EAP-PEAP then you have to enable server certificate check validity,

     

    Unchecking validity still allows auth to work.



  • 18.  RE: User authentication with trusted root cert of AD

    Posted Feb 20, 2020 05:42 AM

    Dear Pavan,

     

    As a side note, do you have any idea how to import/install user certificate from AD CS on workgroup machines?



  • 19.  RE: User authentication with trusted root cert of AD