Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Service config for EAP-TLS with external certificate provider (MDM)

Jump to Best Answer
  • 1.  Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 04, 2014 07:30 PM

    I've been unable to find this in any of the CP docs.

     

    Assume I have MobileIron as an endpoint server and endpoints in the repository. Do I just need a single service with auth method EAP-TLS and auth source Endpoints Repository or is there more to it?

     

     

     



  • 2.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 04, 2014 07:33 PM
    Did you look in the mom doc on the support site.


  • 3.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 04, 2014 07:36 PM

    This one? TechNote_ClearPass_MDM_Integration_V2 

     

    Yes, used it get CP and MDM talking, but no mention of the required service config.

     

     



  • 4.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 04, 2014 07:39 PM
    Yes. OK I will post some example later tonight. I currently don't have access to my lab


  • 5.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 04, 2014 11:35 PM

    Here is an example of what I have running in my lab.

     

    Couple things

    1.      I sync with my MobileIron server and get information about my devices.
    2.      You do not have to sync with your MDM but it gives you more flexibility.
    3.      You can set your services just like you would a normal TLS you just need to

         A. Add the root cert of the server that is signing the devices TLS cert
         B. Allow OCSP to the server that is signing the certs if the device will check to see if the cert is revoked or deleted

     

     4.    I'm only checking Employee and Staff users in AD devices for MDM that is why the Students are different.

     

    5. In CPPM 6.4 you can even send a Message to the mobile deivice through you enforcement profile and it will send it to Mobileiron via clearpass exchange.

     

     Screen Shot 2014-09-04 at 10.14.51 PM.png

     

    Service explanation

    1.      This will check to see if the cert will expire within the next week and send the user to the onboarding page or MDM
    2.      Looking at the information being pulled down from the MDM and seeing if it is Rooted or Jailbroken.
    3.      Same as 2 but seeing if I'm running an app that is not approved like games or separate email program.
    4.      Breakdown

         A. Is the user in the employee group in my AD
         B. Did the device authenticate with TLS
         C. Is it not a device that can be MDM managed (laptop, Desktop, ETC)

     

    5.     Breakdown

        A. Is the user in the employee group in my AD
        B. Did the device authenticate with TLS
        C. Is the device Rooted or Jailbroken
        D. Is the device managed by MDM

     

     6.   Is it an employee in AD and isn’t managed by MDM or have a TLS cert

     7.   Same as 4 but for Staff Users in AD
     8.   Same as 5 but for Staff Users in AD
     9.   Same as 6 but for Staff Users in AD
     10. Is a student and authenticates with a TLS cert
     11. Same as 6 but for Students users in AD

     

     

     

    Endpoint Screen Shot

     

    Screen Shot 2014-09-04 at 10.29.28 PM.png



  • 6.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 05, 2014 12:05 AM

    Thanks Troy, kudos for you.

    Can you post your Authentication tab for this service?



  • 7.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 05, 2014 12:09 AM

    Screen Shot 2014-09-04 at 11.06.33 PM.png

     

    Screen Shot 2014-09-04 at 11.06.52 PM.png



  • 8.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 05, 2014 01:31 AM

    So still a bit unsure of the minimum required auth source here.

    Is it the Onboard Devices Repo? I assumed this was only use with Onboard not an an MDM.



  • 9.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 05, 2014 01:33 AM

    you only need your AD to auth the user



  • 10.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 05, 2014 07:07 AM

    Troy,

     

    Could you provide the screenshot for Employee-ExpireCert Profile please?



  • 11.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 05, 2014 07:42 AM


  • 12.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 09, 2014 08:51 PM

    So this is a pretty basic question I realise, but why would AD be involved in authentication?

     

    I would have thought the certificate itself is the authentication if it is signed correctly. Perhaps some attributes of the cert can be accessed and queried in AD but this would be an authorisation function.



  • 13.  RE: Service config for EAP-TLS with external certificate provider (MDM)
    Best Answer

    Posted Sep 09, 2014 11:49 PM

    All the certificate is, is a means to securely present your user credentials. You will still need the AD to authenticate the username that is presented by the cert. 



  • 14.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 12, 2014 03:02 AM

    Thanks Troy,

     

    It wasn't initially clear how this worked, but after a couple of days in the lab it makes sense.

    I took the MDM out of the equation and just focused on the CA. The bit that was missing from my understanding is how (in an MS environment) the certificate is issued to a domain member and clearpass uses the UserDN to auth - whether it's a User or Computer.

     

    Still a couple of issues, but I will post separate if needed.

     

    cheers



  • 15.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 12, 2014 08:46 PM

    @tarnold wrote:

    All the certificate is, is a means to securely present your user credentials. You will still need the AD to authenticate the username that is presented by the cert. 


    Hi Troy,

     

    Would it be fair to say that the certificate itself is a credential? My customer only uses machine certificates and therefore the AD lookup is disabled. CPPM is not configured in any way to communicate with AD.

     

    If the machine presents a valid and trusted cert, then they can connect.

     

    Regards

     

    Chris

     

     

     

     



  • 16.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 12, 2014 08:48 PM
    Yes

    Common name = identity (username)
    Certificate crypto = credential (password)


  • 17.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 12, 2014 09:02 PM

     

    > Would it be fair to say that the certificate itself is a credential? My customer only uses

    > machine certificates and therefore the AD lookup is disabled. CPPM is not configured in

    > any way to communicate with AD.

     

    Chris, absolutely.

     

    To split hairs about it, the AD part of the authentication is actually step 2.

     

    Step 1 of the authentication is the fact you accepted the certificate. By defintion a message that can be decrypted with a public key must have been encrypted by whomever had the private key. If you can read the message and you trust the CA of the cert you've already authenticated them.

     

    Step 2 is authenticating an attribute of the cert against AD. Depending on the context this could be considered authorization not authentication. For example if you want to allow any cert on the network but apply a special role to certs belonging to AD users.

     

    The clearpass way of doing things doesn't makes these distinctions clear. For example it would make sense  to have an authentication source that is a list of trusted CAs for this service. Instead there is a global trust list and an implicit authentication of the cert.

     

    So Chris what are you using as an authentication source for your service, given you have to have something in there?



  • 18.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 12, 2014 09:24 PM

    Hey,

     

    Yes, I guess I would consider the AD integration part to be "Authorisation". As you are using an attribute to make a policy decision, post authentication.

     

    If I recall correctly, I found that I had to modify the default EAP-TLS 'Authenticaton Method' and untick 'Authorisation'. This allowed me to have NO Authentication Source in the service. 

     

    I struggled with this for a while.

     

    The customer only needed basic authenitcation, no authorisation. If you have a valid cert then you can connect.

     

    I know it works on both wireless and wired dot1x, I often see some strange clent certificates from non SOE devices that are presented to CPPM, these are denied auth (which is to be expected).

     



  • 19.  RE: Service config for EAP-TLS with external certificate provider (MDM)

    Posted Sep 12, 2014 09:37 PM

    > If I recall correctly, I found that I had to modify the default EAP-TLS 'Authenticaton Method' and

    > untick 'Authorisation'. This allowed me to have NO Authentication Source in the service. 

     

    Wow, disable authorisation to allow basic authentication, that is confusing. It is kind of an admission that the AD part is authorisation though :)

     

     

    >The customer only needed basic authenitcation, no authorisation. If you have a valid cert then you can connect.

     

    Great, hopefully this thread helps someone who needs the same. Again this would make more sense if the CA trust list was an authentication source.