@cppmadmin wrote:
Hello,
I have a query related to EAP-TLS (machine certificate based auth).
On ClearPass, what do we need to define as the auth source?
Is it the root CA server, subordinate CA server or AD server?
Does ClearPass query the CA server every time to validate the cert of the client machine?
Or do we need to copy the root CA cert onto CPPM as a trust list?
I want to know how ClearPass validates the client machine certificate (I doubt it checks every time with the CA).
What is the best practice to define the auth source for EAP-TLS? In our environment, the AD server and CA server are separate.
At the bare minimum, you would only have to have the CA Certificate Imported into the ClearPass Trusted CA list to allow EAP-TLS clients to authenticate to ClearPass. You would duplicate the EAP-TLS authentication method and uncheck everything to allow this. To provide additional security, you could add your AD as an LDAP authentication source in ClearPass and enable Authorization in your EAP-TLS authentication method to check that the username on the certificate is still valid in AD. That would stop devices/users whose accounts have been disabled in AD from connecting. As was mentioned before, if your CA is configured with OCSP, you can also enable that in the EAP-TLS authentication method, so that certificates revoked in your CA would also not be able to authenticate in ClearPass.
Again, you have quite a few options with EAP-TLS, but at minimum ClearPass only has to have the CA certificate that issued your client certificates in its trusted list to work.
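To make the three layers in the answer concrete (chain to the trusted CA as the minimum, AD authorization and OCSP revocation as optional extras), here is an added Go example that is not ClearPass code and not from the original thread; it generates throwaway certificates with Go's standard `crypto/x509` and stands in for AD and OCSP with constructed maps.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter for the test-fixture certificates

// issue creates a self-signed root (isCA) or a client cert signed by parent; throwaway fixtures, not a real PKI.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate: the chain to a trusted CA is mandatory; enabledInAD (AD authorization) and revoked
// (what an OCSP responder would report) are optional and skipped when nil, like unchecked boxes in the method.
func authenticate(client *x509.Certificate, trusted *x509.CertPool, enabledInAD, revoked map[string]bool) string {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return "reject: not issued by a trusted CA"
	}
	if revoked != nil && revoked[client.SerialNumber.String()] {
		return "reject: certificate revoked"
	}
	if enabledInAD != nil && !enabledInAD[client.Subject.CommonName] {
		return "reject: account disabled or unknown in AD"
	}
	return "accept"
}
```

With only the trusted pool, a certificate from any other CA fails while a disabled account's certificate still passes; adding the AD and revocation maps closes those two gaps.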