Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

802.1X Authentication Using ldap server certificates with ClearPass.

  • 1.  802.1X Authentication Using ldap server certificates with ClearPass.

    Posted Mar 02, 2024 01:46 AM

    Hello, I just want to ask if I can configure 802.1X using an LDAP server certificate? We are using an open-source Zentyal LDAP server. Clients want to configure 802.1X on users' laptops without joining them to the domain. I just want to ask if this is possible to achieve using the certificate generated on the LDAP server, installing it on the user's laptop and configuring 802.1X, so that all BYOD laptops will not be able to connect to the SSID if the certificate is not installed on their devices.

    The only thing I have already deployed is that users' laptops are required to join the domain controller, with machine auth configured in the ClearPass policy profile. But I just want to know if it is possible to use a certificate generated on the LDAP server, install it on the users' laptops and configure 802.1X with ClearPass enforcement policies.



  • 2.  RE: 802.1X Authentication Using ldap server certificates with ClearPass.

    EMPLOYEE
    Posted Mar 02, 2024 10:22 AM

    This is not primarily related to the LDAP server certificate. There is communication between the client <> ClearPass, and between ClearPass <> the LDAP server.

    The communication between ClearPass and the LDAP server is encrypted using LDAPS (or StartTLS). This is not something configured at the client.

    The ClearPass RADIUS server certificate is presented by the ClearPass server to the client during authentication. Depending on the configuration in ClearPass, the client is required to present a certificate (methods could be EAP-TLS, TEAP, EAP-TTLS and even EAP-PEAP (without username/password but with certificates)).
    The ClearPass RADIUS server certificate needs to be trusted at the client.

    If the client is going to present a certificate, the certificate is validated by ClearPass using the certificate trust list plus certificate validation (OCSP/CRL). If needed, LDAP will be used for authorisation.

    It is recommended to generate a unique client certificate. And yes, the ClearPass RADIUS root certificate needs to be trusted at the clients.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 3.  RE: 802.1X Authentication Using ldap server certificates with ClearPass.

    Posted Mar 02, 2024 10:50 AM

    So for 802.1X configuration, is it required to join the client device to the domain, or is there another way to configure 802.1X without joining client devices to the domain controller? What we really want to achieve is that users' BYOD devices will be rejected when connecting to that SSID, even if they use their domain controller credentials when they try to authenticate from their BYOD devices.




  • 4.  RE: 802.1X Authentication Using ldap server certificates with ClearPass.

    EMPLOYEE
    Posted Mar 02, 2024 01:59 PM

    It is not required for 802.1X to join the domain. Nowadays more and more devices are managed using platforms like Intune and are not even part of the domain. There are multiple ways to reject BYOD devices. The simplest is to use certificate-based authentication: deploy certificates to the managed devices and use them for authentication.

    Another option can be to use computer authentication and, in ClearPass, build a policy that only allows computer accounts to authenticate on the network.

    I would recommend using certificates. It is the most secure and an easy way to achieve this.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 5.  RE: 802.1X Authentication Using ldap server certificates with ClearPass.

    Posted Mar 02, 2024 02:16 PM

    I will try this setup since this is what the clients want to achieve. Please correct me if I'm on the same page:

    I will generate a certificate on my LDAP server and load it into ClearPass under the cert store/trust list, and that certificate will also be used on the users' laptops by installing it manually?




  • 6.  RE: 802.1X Authentication Using ldap server certificates with ClearPass.

    EMPLOYEE
    Posted Mar 02, 2024 02:21 PM

    Per client you need a unique certificate which is signed by the company PKI.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
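
Worked example, added by the editor and not part of the thread: the setup Willem describes, modelled with the openssl CLI. It builds a throw-away company root CA, issues a unique clientAuth certificate per managed laptop and a serverAuth certificate for the RADIUS server, then runs the check a RADIUS server performs on the certificate a supplicant presents: chain to the trusted CA, clientAuth purpose, and CRL status. A BYOD laptop that self-signs a certificate with the same subject name is rejected, as is a managed laptop whose certificate has been revoked. All names (corp.example, Corp Root CA, laptop-0001, laptop-0002, clearpass.corp.example) are made up, the script stands in for the company PKI, and the check_client_cert function only shows what ClearPass's decision depends on; ClearPass does its own validation against its certificate trust list.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away "company PKI" for EAP-TLS, built
# with the openssl CLI, and the accept/reject decision a RADIUS server makes on the
# client certificate a supplicant presents. Assumed names: corp.example,
# "Corp Root CA", clearpass.corp.example, laptop-0001 and laptop-0002.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/corp-root.key"
CA_CRT="$WORK/corp-root.crt"
CA_CRL="$WORK/corp-root.crl"

# Minimal openssl config files so the script does not depend on the system openssl.cnf.
# -subj on the command line overrides the placeholder DN in req.cnf.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
O = Corp
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > "$WORK/index.txt"          # 'openssl ca' database, only needed to publish a CRL
  echo 1000 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = corp
[ corp ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
}

# issue_cert NAME EKU: a key pair plus a certificate signed by the company CA.
# The private key is generated where it will live; only the CSR goes to the CA.
issue_cert() {
  name="$1"; eku="$2"
  openssl req -new -config "$WORK/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/O=Corp/CN=$name.corp.example" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s.corp.example\n' \
    "$eku" "$name" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

build_pki() {
  write_config
  # The company root CA: ClearPass trusts it for client certificates, and the laptops
  # trust it for the ClearPass RADIUS server certificate.
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 3650 \
    -keyout "$CA_KEY" -out "$CA_CRT" -subj "/O=Corp/CN=Corp Root CA" >/dev/null 2>&1
  issue_cert clearpass serverAuth      # RADIUS server certificate (serverAuth only)
  issue_cert laptop-0001 clientAuth    # one unique certificate per managed laptop
  issue_cert laptop-0002 clientAuth
  # A BYOD laptop with a self-made certificate that copies the subject name
  # but is not signed by the company CA.
  openssl req -x509 -config "$WORK/req.cnf" \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 -days 365 \
    -keyout "$WORK/byod.key" -out "$WORK/byod.crt" \
    -subj "/O=Corp/CN=laptop-0001.corp.example" >/dev/null 2>&1
}

# revoke_cert NAME: revoke a laptop's certificate (lost or stolen device) and republish
# the CRL that the RADIUS server checks.
revoke_cert() {
  openssl ca -config "$WORK/ca.cnf" -keyfile "$CA_KEY" -cert "$CA_CRT" \
    -revoke "$WORK/$1.crt" >/dev/null 2>&1
  openssl ca -config "$WORK/ca.cnf" -keyfile "$CA_KEY" -cert "$CA_CRT" \
    -gencrl -out "$CA_CRL" >/dev/null 2>&1
}

# check_client_cert CERT [CRL]: prints ACCEPT if the certificate chains to the trusted
# company CA, carries the clientAuth purpose and (when a CRL is given) is not revoked;
# otherwise REJECT. This is the trust-list + CRL check; no LDAP lookup is involved.
check_client_cert() {
  cert="$1"; crl="${2:-}"
  if [ -n "$crl" ]; then
    openssl verify -CAfile "$CA_CRT" -purpose sslclient -CRLfile "$crl" -crl_check \
      "$cert" >/dev/null 2>&1 && echo ACCEPT || echo REJECT
  else
    openssl verify -CAfile "$CA_CRT" -purpose sslclient "$cert" >/dev/null 2>&1 \
      && echo ACCEPT || echo REJECT
  fi
}

build_pki
revoke_cert laptop-0002
for c in laptop-0001 laptop-0002 clearpass byod; do
  printf '%-12s no CRL: %s  with CRL: %s\n' "$c" \
    "$(check_client_cert "$WORK/$c.crt")" "$(check_client_cert "$WORK/$c.crt" "$CA_CRL")"
done
```

Mapping this to the deployment discussed above: corp-root.crt goes into the ClearPass certificate trust list (so it can validate client certificates) and into the trusted root store of every managed laptop (so the supplicant validates the ClearPass RADIUS server certificate; configure the supplicant to require that validation, otherwise a rogue access point can harvest the EAP exchange). laptop-000N.key and laptop-000N.crt go onto that one laptop only, for example through Intune as mentioned in the thread. Nothing from the Zentyal LDAP server's own certificate is involved. Publish a CRL (or run an OCSP responder) from the real CA, as the revoked laptop-0002 case shows: without it a lost laptop's certificate stays valid until it expires.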