Security

  • 1.  802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 14, 2025 02:36 PM

    We have been using 802.1X with machine certificates issued by AD, with ClearPass and Windows machines, for a couple of years now. I understand the process: the Windows machine joins the domain, gets a certificate, and then our ClearPass servers are domain joined and can authenticate the machine with Active Directory using some of our various AD servers. All of that works well and makes sense to me.

    Now we're extending it to MacBooks and adding Jamf, so that we can also set up certificates on the MacBooks (they will not be domain joined) via SCEP/NDES integrated with our Windows CA, with the goal of them also doing 802.1X with EAP-TLS.

    So far, we have the SCEP process working fine, and the MacBooks obtain their certificates from our CA via SCEP.

    We also created a configuration profile in Jamf for our Wi-Fi network that has 1 SCEP payload and 1 Network payload. Not knowing which certs we needed, our certificate payloads are currently our root, our NDES server, one called "Sub Cert" that I think is our root again (at the suggestion of Jamf), and then I added our ClearPass server certificate for RADIUS/EAP, and also, just in case, the ClearPass RadSec certificate. I'm not sure if all of that is needed or if some aren't. In the network payload, I have our SCEP Proxy as the identity certificate. For the "username" field, I have $COMPUTERNAME so that when it hits ClearPass I see the computer name. Then on the trust tab, I have the "Trusted Server Certificate Names" set with our ClearPass certificate CN. I'm not really sure if all of this is proper, but we did go from getting timeouts in the Activity Monitor on ClearPass to rejected authentications.

    Now here's where my knowledge is falling real short and I need the guidance the most:

    On the ClearPass side, our normal Windows machines basically authenticate with an authentication method of "EAP-TLS", and the authentication sources are 3 of our domain controllers, and ClearPass is joined to them in AD. That all makes sense.

    But, when authenticating these MacBooks, I get failures because it can't authenticate via the domain controllers. That makes sense, because as far as I know, although our certificates are issued to the MacBooks by our Windows CA, since the MacBooks aren't domain joined, it's not like our AD servers will HAVE knowledge of the certificates that get presented by the MacBooks. So I'm trying to understand exactly what the ClearPass side would look like to do this authentication. Do I need to perhaps import our NDES cert into ClearPass? I can see that being a possibility, but then what would my "authentication source" be? It would have to be local somehow then, right? Or am I supposed to be trying to get these non-domain MacBooks' certificates somehow into AD, so that when we bounce the auth off of our AD servers, it knows how to do that?

    We're currently on 6.9.13, and are in the middle of renewing our support contract. Once that's done, we'll be upgrading to 6.11, and at that point we can probably install the Jamf ClearPass connector, but I don't know if that's a required feature or just gives some nice abilities.

    Can anyone paint me a picture of what I'm really looking to do on the ClearPass side to get these authentications working, given the above? If I knew the concept well enough, I think I could move forward and maybe have some luck, but right now the clouds are just too thick to see what I'm looking to do.

    Thanks for any guidance you can provide. 



  • 2.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 15, 2025 01:41 AM

    The issuer of the certificate needs to be in the "trust list" of ClearPass. Your MacBook does not need to be joined to the domain. EAP-TLS does not require a connection to AD unless you are fetching some attributes and doing some enforcement (like VLAN or Role assignment) based on these attributes.



    ------------------------------
    NadeemNet
    ------------------------------



  • 3.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 15, 2025 01:48 AM

    In ClearPass you should go to Administration > Certificates > Trust List and place the ROOT certificate in the Trust List.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 4.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 15, 2025 02:48 PM

    Ok, I have already always had our root and intermediate certs in that trust list, so that should be good. I think maybe I need to figure out what to put in the service under "authentication sources" then. I'm guessing that I need to remove the 3 Active Directory

    However, once I remove the 3 Active Directory entries, what do I use as an authentication source at that point? None in my drop-down list currently look like they'd apply. Is there one called "local certificate trust list" or something that I can add in there?
    Right now my failed entries show that it fails when looking in the local user repository and the 3 AD servers. So perhaps just getting those out of there and adding the proper source will be enough. I just need to know what that would be.
    Thanks for the tips!



  • 5.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 16, 2025 12:03 AM

    Can you please post the failed message from Access Tracker? Please post all the Tabs from that event.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP
    Just an Aruba enthusiast and contributor by cases
    If you find my comment helpful, KUDOS are appreciated.
    ------------------------------



  • 6.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 16, 2025 05:45 AM

    The [EAP TLS] method enforces authorization, i.e. it checks whether the user name exists in the specified Auth-Src. Authentication is rejected with the error message "User not found" if the user does not exist.

    If no computer account exists for the MacBooks in the Windows domain, you have to duplicate the [EAP TLS] method and deactivate the "Authorization required" field.

    You can only use one TLS auth method in a service, i.e. if you check Windows computers for domain membership, you have to create a new service for the MacBooks.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 18, 2025 10:43 AM

    I might be closer after trying this again. Here's the error I get when we try to connect:


    When I look in the Computed Attributes, it does look like it's sending the ClearPass server cert. (BTW: the one I sent to the machine was the "RADIUS/EAP Server Certificate" that ClearPass is using.)
    Here's what's in Computed Attributes:

    I noticed that the "Extended-Key-Usage" of that cert says: "TLS Web Server Authentication". We had just renewed that cert back in the fall of 2024. Here's some info from that certificate as it appears in the Certificate Store; these are the details of the cert used as the RADIUS/EAP Server Certificate:
    Could it be that my problem is simply that when we generated the certificate, we only selected the usage of "web server certificate", and I need to select additional options that the certificate can be used for? Maybe it's just failing because the client is trying to use a web-server-only cert for authentication?
    What I don't understand is why this wouldn't affect my other Windows EAP-TLS host connections, unless, since those use Windows server certs, it doesn't even try to match the ClearPass cert but instead uses an authentication source of AD to validate them. If that's true, then my hypothesis may have some merit, right?
    Good learning experience. If someone has a good resource on the PROPER way to generate the RADIUS/EAP Server Certificate, I'd like to read it. I'll start searching for documentation now.



  • 8.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 18, 2025 02:27 PM

    Ok, I'm going to provide a more complete explanation of the whole setup before I am done, but I did just get it working. What I had to re-fix from all the stuff I tried is, on the Jamf side, I had to make the identity certificate the SCEP certificate, NOT the ClearPass server certificate. And I did end up removing the RadSec cert from the Jamf side too, just because I figured it wasn't needed. But I'll try to be more complete later so that others can use the info more effectively.




  • 9.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 18, 2025 05:47 PM

    Ok, as promised, I'll illustrate our end scenario so that if other people have this kind of issue there is maybe at least a little better documentation on an integration of Jamf with ClearPass.

    On the Jamf side, you have to have all the SCEP server stuff working, or whatever method you use to get the certificate onto the MacBook.
    Then you create a new configuration profile for the network.

    For EAP-TLS you want to choose Computer level.

    Then you need to make sure you have the certificate payloads in there. We have 3 of them in ours: the root, an intermediate, and, I am not sure why, another copy of the root. This part was done before I did my piece.
    Then you have to set up the network payload. Give it an SSID, and I think you more than likely will want to disable MAC address randomization, depending on your environment. With ours, it could really make things whack out due to the way our policies apply. Make sure to select WPA2 Enterprise, or if you're up there, maybe WPA3.
    As you get down to EAP types, select TLS. I don't know if the username field is required, but putting $COMPUTERNAME in there makes the logs on ClearPass show the computer's name, so it is handy. For the identity certificate, choose the SCEP proxy cert.
    Then it's important to click over to the TRUST tab as well. Here, under trusted certificates, you can select the root and the sub cert. Also, it is important to add, under Trusted Server Certificate Names, your ClearPass server(s)' hostname as it appears on the certificate it uses. I found that all you get is timeouts unless you have this in there.
    Save that network payload, and in the SCEP payload you need your cert stuff filled in here as well. This part I didn't do, but hopefully it will make sense to you when you get there.
    That's what we needed on the Jamf side. Now for the ClearPass side. Checking your certificate store, you need to make sure your server certificate has the right CN= name, which is what was just referenced in the above SCEP/Network payloads. I.e., if your ClearPass server is clearpass.yourcompany.com, then make sure you have that under trusted servers in Jamf, and you have that as the CN= in the subject of your ClearPass server certificate.
    Now here's one of the big areas where I was stuck. I had simply cloned the EAP-TLS 802.1X service in ClearPass that I was using for our Windows PCs. The problem is, in that one the AUTH METHOD we chose was the same, EAP-TLS, except when you open the settings, we had the "Authorization required" box checked because you could integrate with AD for authorization. These MacBooks are NOT AD joined, so we had to remove that checkbox.
    Then on the authentication session's main page, you can have the EAP-TLS method chosen at the top, but we had also had multiple AD servers chosen as authentication sources. Those were causing failures, because when the MacBook would try to connect, it would look in AD to authenticate it and not find it. I didn't realize I could just leave the list empty, and people on this thread started saying you just need the server cert to authenticate it, so I removed them, and yes, it works.
    So that was the mess. It's a little easier to understand now that I realize what is and isn't needed. It's simpler than I had originally thought.
    At present, we aren't using the Jamf connector in ClearPass, so we do trigger some of the service properties on specific things. For example, to match the service, the MacBook's MAC address has to be in a local list on ClearPass. We use that so that this service is bypassed by our Windows machines. Then in the authorization section, we have some specific values that the machine must have, like our type and brand of AV software, it can't be infected, and a few other keyed items, which would make it hard for anything but a known MacBook belonging to our organization, with some prerequisite software and tweaking done, to get authorized on our network before it can get on Wi-Fi.
    Feels great to have this working and I greatly appreciate all the help!



  • 10.  RE: 802.1X EAP-TLS + Jamf + Clearpass - Need some conceptual info.

    Posted Feb 19, 2025 07:25 AM

    You are right, the client is sending the wrong certificate. In the Access Tracker you can see that ClearPass rejects it, with the error message "EAP-TLS: fatal alert by server - unsupported_certificate". This is the ClearPass RADIUS server certificate, which you also recognized from the computed attributes.

    Regarding your consideration about the Windows clients: a Windows client would have the same problems if it used the RADIUS server certificate for authentication. If the certificate is rejected, ClearPass will not look up the computer account in AD. Check the Access Tracker to see which certificate is displayed under Computed Attributes; it must be a client certificate.

    If several certificates are available in the certificate store on Windows computers, any one of them may be used. You can specify in the authentication profile the CA by which the certificate to be used must be signed. For example, only the certificate signed by the DigiCert Global Root CA is used; the client ignores all other certificates and does not use them.

    It's a very cool post, thanks for the Jamf guide :)



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
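The certificate check that posts 9 and 10 describe (the presented certificate must chain to a root or intermediate in the ClearPass trust list and must be a client certificate; the serverAuth-only RADIUS/EAP server certificate is rejected as unsupported_certificate, and no AD lookup happens at that stage), as an added example that is not part of the thread and is not ClearPass, Jamf or Aruba code. The Go program below builds a constructed, in-memory PKI (root, issuing intermediate, a SCEP-style machine certificate, a serverAuth-only RADIUS certificate, and a clientAuth certificate from an unrelated CA; every name in it is made up) and runs the verification a RADIUS server performs on the supplicant's certificate using only the standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// EAPResult is the decision a RADIUS server makes about the certificate the
// supplicant presented in EAP-TLS, before any authorization lookup (AD, a
// local list) runs. Reason is set only when the certificate is rejected.
type EAPResult struct {
	Accepted bool
	CN       string // subject CN of the presented leaf certificate
	Reason   string // "unsupported_certificate" (EKU lacks clientAuth) or "untrusted_chain"
}

// VerifyEAPTLSClient models the ClearPass-side check from the thread: the leaf
// must chain to an entry in the trust list and carry the clientAuth EKU. A
// serverAuth-only RADIUS server certificate fails the EKU check, which is the
// "unsupported_certificate" alert seen in the Access Tracker. intermediates
// holds CA certificates the supplicant sent with its leaf; nil if it sent none.
func VerifyEAPTLSClient(leaf *x509.Certificate, trustList, intermediates *x509.CertPool) EAPResult {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         trustList,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err == nil {
		return EAPResult{Accepted: true, CN: leaf.Subject.CommonName}
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.IncompatibleUsage {
		return EAPResult{Reason: "unsupported_certificate"}
	}
	return EAPResult{Reason: "untrusted_chain"} // unknown issuer, expired, etc.
}

// TestPKI is a constructed in-memory PKI for this example (all names made up).
type TestPKI struct {
	Root, Intermediate, MacClient, RadiusServer, Foreign *x509.Certificate
}

func NewTestPKI() TestPKI {
	rootKey, interKey, foreignKey, leafKey := newKey(), newKey(), newKey(), newKey()
	root := issue(caTemplate(1, "Example Root CA"), nil, rootKey.Public(), rootKey)
	inter := issue(caTemplate(2, "Example Issuing CA"), root, interKey.Public(), rootKey)
	foreign := issue(caTemplate(3, "Some Other Root CA"), nil, foreignKey.Public(), foreignKey)
	// One key is reused for the three leaves; only issuer and EKU differ.
	mac := issue(leafTemplate(10, "MACBOOK-0001", x509.ExtKeyUsageClientAuth), inter, leafKey.Public(), interKey)
	radius := issue(leafTemplate(11, "clearpass.example.com", x509.ExtKeyUsageServerAuth), inter, leafKey.Public(), interKey)
	other := issue(leafTemplate(12, "ROGUE-LAPTOP", x509.ExtKeyUsageClientAuth), foreign, leafKey.Public(), foreignKey)
	return TestPKI{root, inter, mac, radius, other}
}

// Pool builds a CertPool, standing in for the ClearPass trust list.
func Pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTemplate(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
}

// issue signs tmpl with signer; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	pki := NewTestPKI()
	trust := Pool(pki.Root, pki.Intermediate) // root + intermediate, as in the poster's trust list
	fmt.Printf("machine cert (clientAuth):       %+v\n", VerifyEAPTLSClient(pki.MacClient, trust, nil))
	fmt.Printf("RADIUS server cert (serverAuth): %+v\n", VerifyEAPTLSClient(pki.RadiusServer, trust, nil))
	fmt.Printf("cert from unrelated CA:          %+v\n", VerifyEAPTLSClient(pki.Foreign, trust, nil))
	fmt.Printf("root only, leaf sent alone:      %+v\n", VerifyEAPTLSClient(pki.MacClient, Pool(pki.Root), nil))
}
```

Run it with `go run`. The first case is the working end state of the thread, the second reproduces the unsupported_certificate rejection from post 7, and the fourth is the caveat behind post 3's advice: if only the root is in the trust list and the Mac sends just its leaf, the chain cannot be built, so the issuing intermediate must be in the trust list (or sent by the client). Two things the model deliberately leaves out: a certificate carrying the anyExtendedKeyUsage OID would also pass Go's EKU check, and the "Authorization required" lookup against AD or a local source is a separate step that only runs after this check succeeds.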