Wireless Access

Hello I just want to ask if I can configure 802.1x using a ldap server certificate ? we are using an open source Zentyal ldap server . Client's want to configure 802.1x in users laptop without joining it to the domain. I just want to ask if this is possible to achieve using the generated certificate from ldap server and install it to user's laptop and configure 802.1x ? so all BYOD laptops will not able to connect to the ssid if the certificate is not installed in their devices.

The only thing that I've been already deployed is users laptop is required to join to the domain controller and configure machine auth in clearpass policy profile. but I just want to know if its possible to use a certificate generate in ldap server and installed it to user's laptop and configure 802.1x with Clearpass enforcement policies.

This is not primarily related to the LDAP server certificate. There is communication between the client <> clearpass. And clearpass <> LDAP server.

The communication between ClearPass and the LDAP server is encrypted using LDAPS (or start TLS). This is not something configured at the client.

The ClearPass RADIUS server certificate is used from the ClearPass server to the client during authentication. Depending on the configuration in ClearPass the client is required to present a certificate. (methods could be EAP-TLS, TEAP, EAP-TTLS and even EAP-PEAP (without username/password but with certificates).
The ClearPass RADIUS server certificate needs to be trusted at the client. 

If the client is going to present a certificate, the certificate is validated by ClearPass using the certificate trust list + certificate validation (OCSP/CRL). If needed LDAP will be used for authorisation. 

It is recommended to generate an unique client certificate. And yes, the ClearPass RADIUS Root certificate needs to be trusted at the clients.  

------------------------------
Willem Bargeman
Systems Engineer Aruba

Original Message:
Sent: Mar 02, 2024 01:45 AM
From: ajorigenes17
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

Hello I just want to ask if I can configure 802.1x using a ldap server certificate ? we are using an open source Zentyal ldap server . Client's want to configure 802.1x in users laptop without joining it to the domain. I just want to ask if this is possible to achieve using the generated certificate from ldap server and install it to user's laptop and configure 802.1x ? so all BYOD laptops will not able to connect to the ssid if the certificate is not installed in their devices.

The only thing that I've been already deployed is users laptop is required to join to the domain controller and configure machine auth in clearpass policy profile. but I just want to know if its possible to use a certificate generate in ldap server and installed it to user's laptop and configure 802.1x with Clearpass enforcement policies.

Soo for 802.1x configuration is it required to join the client device to the domain or there is other way to configure 802.1x without joining clients devices to the domain controller? What we really want to achieve is users BYOD devices will be reject to connect to that ssid even they will use there  domain controller credentials when they try to authenticate using there BYOD devices.

Original Message:
Sent: Mar 02, 2024 10:21 AM
From: Aruba WB
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

This is not primarily related to the LDAP server certificate. There is communication between the client <> clearpass. And clearpass <> LDAP server.

The communication between ClearPass and the LDAP server is encrypted using LDAPS (or start TLS). This is not something configured at the client.

The ClearPass RADIUS server certificate is used from the ClearPass server to the client during authentication. Depending on the configuration in ClearPass the client is required to present a certificate. (methods could be EAP-TLS, TEAP, EAP-TTLS and even EAP-PEAP (without username/password but with certificates).
The ClearPass RADIUS server certificate needs to be trusted at the client. 

If the client is going to present a certificate, the certificate is validated by ClearPass using the certificate trust list + certificate validation (OCSP/CRL). If needed LDAP will be used for authorisation. 

It is recommended to generate an unique client certificate. And yes, the ClearPass RADIUS Root certificate needs to be trusted at the clients.  

------------------------------
Willem Bargeman
Systems Engineer Aruba

Original Message:
Sent: Mar 02, 2024 01:45 AM
From: ajorigenes17
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

Hello I just want to ask if I can configure 802.1x using a ldap server certificate ? we are using an open source Zentyal ldap server . Client's want to configure 802.1x in users laptop without joining it to the domain. I just want to ask if this is possible to achieve using the generated certificate from ldap server and install it to user's laptop and configure 802.1x ? so all BYOD laptops will not able to connect to the ssid if the certificate is not installed in their devices.

The only thing that I've been already deployed is users laptop is required to join to the domain controller and configure machine auth in clearpass policy profile. but I just want to know if its possible to use a certificate generate in ldap server and installed it to user's laptop and configure 802.1x with Clearpass enforcement policies.

It is not required for 802.1x to join the domain. Nowadays more and more devices are managed using platforms like Intune and not even part of the domain. There are multiple ways to reject BYOD devices. Most simple is, use certificate based authentication. Deploy certificates to the managed devices and use this for authentication.

Other option can be, use computer authentication and in ClearPass build a policy to just allow computer accounts to authenticate on the network. 

I would recommended, use certificates. Most secure and an easy way to achieve this.

Soo for 802.1x configuration is it required to join the client device to the domain or there is other way to configure 802.1x without joining clients devices to the domain controller? What we really want to achieve is users BYOD devices will be reject to connect to that ssid even they will use there  domain controller credentials when they try to authenticate using there BYOD devices.

Original Message:
Sent: Mar 02, 2024 10:21 AM
From: Aruba WB
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

This is not primarily related to the LDAP server certificate. There is communication between the client <> clearpass. And clearpass <> LDAP server.

The communication between ClearPass and the LDAP server is encrypted using LDAPS (or start TLS). This is not something configured at the client.

The ClearPass RADIUS server certificate is used from the ClearPass server to the client during authentication. Depending on the configuration in ClearPass the client is required to present a certificate. (methods could be EAP-TLS, TEAP, EAP-TTLS and even EAP-PEAP (without username/password but with certificates).
The ClearPass RADIUS server certificate needs to be trusted at the client. 

If the client is going to present a certificate, the certificate is validated by ClearPass using the certificate trust list + certificate validation (OCSP/CRL). If needed LDAP will be used for authorisation. 

It is recommended to generate an unique client certificate. And yes, the ClearPass RADIUS Root certificate needs to be trusted at the clients.  

------------------------------
Willem Bargeman
Systems Engineer Aruba

Original Message:
Sent: Mar 02, 2024 01:45 AM
From: ajorigenes17
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

Hello I just want to ask if I can configure 802.1x using a ldap server certificate ? we are using an open source Zentyal ldap server . Client's want to configure 802.1x in users laptop without joining it to the domain. I just want to ask if this is possible to achieve using the generated certificate from ldap server and install it to user's laptop and configure 802.1x ? so all BYOD laptops will not able to connect to the ssid if the certificate is not installed in their devices.

The only thing that I've been already deployed is users laptop is required to join to the domain controller and configure machine auth in clearpass policy profile. but I just want to know if its possible to use a certificate generate in ldap server and installed it to user's laptop and configure 802.1x with Clearpass enforcement policies.

I will try this setup since this is what clients want to achieve. Please correct me if im on the same page,

I will generate a certificate in my ldap server abd load it to clearpass under cert store/trust list and that certificate will be used also into devices laptop by installing it manually?

It is not required for 802.1x to join the domain. Nowadays more and more devices are managed using platforms like Intune and not even part of the domain. There are multiple ways to reject BYOD devices. Most simple is, use certificate based authentication. Deploy certificates to the managed devices and use this for authentication.

Other option can be, use computer authentication and in ClearPass build a policy to just allow computer accounts to authenticate on the network. 

I would recommended, use certificates. Most secure and an easy way to achieve this.

Soo for 802.1x configuration is it required to join the client device to the domain or there is other way to configure 802.1x without joining clients devices to the domain controller? What we really want to achieve is users BYOD devices will be reject to connect to that ssid even they will use there  domain controller credentials when they try to authenticate using there BYOD devices.

Original Message:
Sent: Mar 02, 2024 10:21 AM
From: Aruba WB
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

This is not primarily related to the LDAP server certificate. There is communication between the client <> clearpass. And clearpass <> LDAP server.

The communication between ClearPass and the LDAP server is encrypted using LDAPS (or start TLS). This is not something configured at the client.

The ClearPass RADIUS server certificate is used from the ClearPass server to the client during authentication. Depending on the configuration in ClearPass the client is required to present a certificate. (methods could be EAP-TLS, TEAP, EAP-TTLS and even EAP-PEAP (without username/password but with certificates).
The ClearPass RADIUS server certificate needs to be trusted at the client. 

If the client is going to present a certificate, the certificate is validated by ClearPass using the certificate trust list + certificate validation (OCSP/CRL). If needed LDAP will be used for authorisation. 

It is recommended to generate an unique client certificate. And yes, the ClearPass RADIUS Root certificate needs to be trusted at the clients.  

------------------------------
Willem Bargeman
Systems Engineer Aruba

Original Message:
Sent: Mar 02, 2024 01:45 AM
From: ajorigenes17
Subject: 802.1X Authentication Using ldap server certificates with ClearPass.

Hello I just want to ask if I can configure 802.1x using a ldap server certificate ? we are using an open source Zentyal ldap server . Client's want to configure 802.1x in users laptop without joining it to the domain. I just want to ask if this is possible to achieve using the generated certificate from ldap server and install it to user's laptop and configure 802.1x ? so all BYOD laptops will not able to connect to the ssid if the certificate is not installed in their devices.

The only thing that I've been already deployed is users laptop is required to join to the domain controller and configure machine auth in clearpass policy profile. but I just want to know if its possible to use a certificate generate in ldap server and installed it to user's laptop and configure 802.1x with Clearpass enforcement policies.