Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

clearpass selects expired certificate to authenticate

  • 1.  clearpass selects expired certificate to authenticate

    Posted Feb 01, 2016 02:52 PM

    I am having devices that all of a sudden will not use NAC and it is under one of two conditions.

    1. If the device has more than one certificate and one of them is not a client auth or doesn't have email as the subject name or

    2. The device has two client auth certificates and one of them is expired.

    In both cases there was not an issue for several weeks and then all of a sudden the device stops working.



  • 2.  RE: clearpass selects expired certificate to authenticate

    Posted Feb 01, 2016 02:55 PM
    What operating system? The client selects the certificate; ClearPass just looks at it.


  • 3.  RE: clearpass selects expired certificate to authenticate

    Posted Feb 01, 2016 06:00 PM

    Does it reach ClearPass? If yes, what is the output of this MAC in the access tracker?

    If it doesn't, you might want to look at 802.1X debugging on the controller, which you can find in this document under the 802.1X section: http://community.arubanetworks.com/aruba/attachments/aruba/84/106/1/Troubleshooting+Cheat+Sheet-.pdf



  • 4.  RE: clearpass selects expired certificate to authenticate

    Posted Feb 02, 2016 08:13 AM

    The clients are Windows 7.

    Yes, I understand that the client selects, but if the computer has an old Computer Template Certificate, all of a sudden ClearPass will try to authenticate using that certificate instead of rejecting it and asking for another. Other uses of certificates don't behave this way; they understand that a particular certificate is expired and ask for another one.



  • 5.  RE: clearpass selects expired certificate to authenticate

    Posted Feb 02, 2016 08:24 AM
    This isn't a ClearPass-specific issue; there is no way for a RADIUS server to achieve this. The RADIUS server will send an access-reject packet since the cert is expired. You will need to work with this issue straight from the CA and AD cert enrollments.
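
Since replies 2 and 5 place certificate selection on the client, the following is an added example (not part of any poster's reply) that inventories the certificates a Windows 7 client could offer for EAP-TLS and flags the expired ones. It assumes the relevant certificates are in the `LocalMachine\My` or `CurrentUser\My` store and is written for PowerShell 2.0, the Windows 7 default.

```powershell
# Added example: list certificates usable for client authentication and flag expired ones.
# Assumption: the certificates in question are in the machine or user "My" store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)
$now = Get-Date

$report = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    foreach ($cert in @(Get-ChildItem -Path $store)) {
        # Find the Enhanced Key Usage extension, if the certificate has one.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($ekuExt) {
            $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $clientAuth = $ekus -contains $clientAuthOid
        } else {
            # No EKU extension: the certificate is not restricted to a purpose.
            $clientAuth = $true
        }
        New-Object PSObject -Property @{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt $now)
            ClientAuth    = $clientAuth
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# EAP-TLS needs a private key, so only those certificates are candidates.
$candidates = @($report | Where-Object { $_.ClientAuth -and $_.HasPrivateKey })
$candidates | Sort-Object Store, NotAfter |
    Format-Table Store, Subject, NotAfter, Expired, Thumbprint -AutoSize

$expired = @($candidates | Where-Object { $_.Expired })
if ($expired.Count -gt 0) {
    Write-Warning ("{0} expired client-auth certificate(s) are still in the store." -f $expired.Count)
}
if ($candidates.Count -gt 1) {
    Write-Warning ("{0} candidate certificates present; the client chooses among them." -f $candidates.Count)
}
```

A machine that triggers either warning matches one of the two conditions described in the first post.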


  • 6.  RE: clearpass selects expired certificate to authenticate

    Posted Feb 02, 2016 08:27 AM

    Can you post a screenshot of the authorization and computed sections of the access tracker request?