Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Help me figure out to classify requests to these services with different EAP-TLS Methods?

  • 1.  Help me figure out to classify requests to these services with different EAP-TLS Methods?

    Posted May 28, 2020 11:09 PM

    I want to have 2 services that I'm having trouble figuring out how to classify the incoming requests to a service.

     

    The called-station SSID is the same, the NAD IP and SSID etc are the same, so I am finding it difficult to classify the service.

     

    The only difference between the services (why I need 2) will be that one uses the standard EAP-TLS method and the other uses a custom EAP-TLS method with "Authorization Required" unticked. This custom one is used to authenticate clients against Microsoft InTune as shown by Mitchell in this YouTube video. I tried adding both EAP-TLS methods to the same Service but got an error.

     

    So in total I will have 3 types of devices connecting to this same SSID on same NAD:

    Service #1

    1. AD-managed device with username authentication against EAP-MSCHAPv2 and Active Directory as source

    2. AD-managed device with certificate authentication against normal EAP-TLS and Active Directory as source

    Service #2

    3. InTune managed device with Intune Extension authentication against special EAP-TLS with "Authorization Required" unticked.

     

    The way I have things set up currently I don't think I will ever see the request just 'fail-through' and match the next service in the list, because it is matching the first service despite the wrong Authentication Method.

     

    Any ideas are welcome.

     



  • 2.  RE: Help me figure out to classify requests to these services with different EAP-TLS Methods?

    Posted May 28, 2020 11:55 PM

    Use a single service with PEAPv0/EAP-MSCHAPv2 and EAP-TLS with authorization disabled and handle any authorization logic in your enforcement policy. 



  • 3.  RE: Help me figure out to classify requests to these services with different EAP-TLS Methods?

    Posted Jun 02, 2020 12:43 AM

    Thanks I will try this and report back here.