Yes, yes and yes.
For Intune you would need to configure that it enrolls both user and machine certificates; Service needs to be changed to allow TEAP (as in the video) as well as some changes to the role-mapping/enforcement to handle computer+user authentication.
Please note that for the client-side configuration of the SSID to use TEAP, you would need to configure one client manually, then extract the XML config for that, and you can use that in Intune. Let's assume you configured WLAN_WPA2, then use:
netsh wlan show profiles
netsh wlan export profile WLAN_WPA2

You can modify some of the XML if you like, where the <name>WLAN_WPA2</name> on line 3 is a good one. If you name that 'Corporate WiFi (Intune)', it's shown in Windows as that name instead of the actual SSID.
Then in Intune use the 'WiFi Import (Windows 8.1 and later)' to import the config:


<abbreviated>

Hope that helps... Note that you can deploy EAP-TLS and TEAP on the same SSID, which means you can prepare and test before you move your clients over.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
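The export-rename-import steps described in the reply above, as an added PowerShell example (this is not code from the original post or from Aruba/Intune). It assumes the manually configured profile is called WLAN_WPA2 as in the post; the output folder and the display name 'Corporate WiFi (Intune)' are placeholders to change. It also reports the EAP method type found in the profile so you can confirm the exported client actually used TEAP (IANA EAP type 55) before you upload the XML with 'WiFi Import (Windows 8.1 and later)'.

```powershell
# Added example, not from the original thread: export an existing WLAN profile with
# netsh, rename its Windows display name, and save the XML for Intune import.
# Assumptions: profile WLAN_WPA2 exists on this client; $DisplayName/$ExportDir are placeholders.

$ProfileName = 'WLAN_WPA2'                 # profile already configured by hand on this client
$DisplayName = 'Corporate WiFi (Intune)'   # name users will see instead of the raw SSID
$ExportDir   = Join-Path $env:TEMP 'wlan-export'

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Confirm the profile exists before exporting (same as 'netsh wlan show profiles' in the post).
$Known = netsh wlan show profiles | Select-String -SimpleMatch $ProfileName
if (-not $Known) { throw "No WLAN profile named '$ProfileName' on this machine" }

# Export. No key=clear is needed: an 802.1X/EAP profile carries no PSK, and the
# certificate material is never part of the XML, only the EAP settings are.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null

# netsh names the file "<interface>-<profile>.xml", so locate it by pattern.
$Exported = Get-ChildItem -Path $ExportDir -Filter "*$ProfileName*.xml" | Select-Object -First 1
if (-not $Exported) { throw "netsh did not write an XML file for '$ProfileName'" }

[xml]$Xml = Get-Content -Path $Exported.FullName -Raw
$Ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
$Ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

# The root <name> is the display name (line 3 in the export). The SSID itself lives
# under SSIDConfig/SSID and is deliberately left untouched.
$NameNode = $Xml.SelectSingleNode('/w:WLANProfile/w:name', $Ns)
if (-not $NameNode) { throw 'Unexpected profile layout: no /WLANProfile/name element' }
$NameNode.InnerText = $DisplayName

# Check which EAP method the exported client used. TEAP is EAP type 55; EAP-TLS is 13.
# local-name() sidesteps the nested EapHostConfig namespaces in the profile.
$EapType = $Xml.SelectSingleNode('//*[local-name()="EapMethod"]/*[local-name()="Type"]')
if ($EapType) {
    $Label = switch ($EapType.InnerText) { '55' { 'TEAP' } '13' { 'EAP-TLS' } default { 'other' } }
    Write-Host "Outer EAP method in profile: type $($EapType.InnerText) ($Label)"
} else {
    Write-Warning 'No EAP method found; this profile is not an 802.1X profile'
}

$OutFile = Join-Path $ExportDir 'Corporate-WiFi-Intune.xml'
$Xml.Save($OutFile)
Write-Host "Profile ready for Intune import: $OutFile"
```

Run it on the client you configured by hand, then upload the resulting file in Intune via 'WiFi Import (Windows 8.1 and later)'. If the script reports type 13 rather than 55, the manual profile was still plain EAP-TLS and the TEAP settings need to be set on the client before re-exporting.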
Original Message:
Sent: Jan 31, 2023 03:01 AM
From: zshore
Subject: Cert-based Wireless Auth using User AND Machine Certs?
Do I have to modify my InTune connector or services in any way? Using EAP_TLS and based on the video it should be fairly easy to transition over?
Original Message:
Sent: Jan 26, 2023 12:09 PM
From: Herman Robers
Subject: Cert-based Wireless Auth using User AND Machine Certs?
+1 on that. One benefit of TEAP is that the User Authentication can fail if the computer authentication succeeded, but you can still provide access to the network and that allows the client to retrieve the user certificate. Check here for a video on TEAP, this is with AD/GPO issued certificates, but works similar with Intune controlled certificates.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jan 26, 2023 07:45 AM
From: ahollifield
Subject: Cert-based Wireless Auth using User AND Machine Certs?
Use TEAP. Inner method EAP-TLS for each, machine certificate for the first chain, user certificate for the second.
Original Message:
Sent: Jan 26, 2023 03:05 AM
From: zshore
Subject: Cert-based Wireless Auth using User AND Machine Certs?
We have Clearpass deployed using the InTune connector. (Not the newest version of the connector). Then we use ScepMan to deploy USER and MACHINE certs.
I know some people say to either pick user or just machine if you have some shared devices, but we do some VLAN moving depending on who is logging into the device.
So today we get a new laptop in. It is imaged on site and provisioned in InTune and gets all our Scep and Wifi policy. It successfully joins the wi-fi network on the lockscreen with the machine cert. Then I go to log in with my creds and it does allow me to login, but the autoconnection to the wifi with the user cert does not happen because the cert does not get onto the device in time.
- Is there anyone else out there that uses both machine and user certs that has gotten around this?
- Is there a way to hold onto the machine authentication just a little longer after I login to be able to reach out and grab that cert in enough time? Anything regarding Authentication period, Authentication retry delay period, Start period, Maximum EAPOL-start, Maximum authentication failures?
I thought maybe if I increased the auth period to a minute or two, that could solve the issue?
I have verified with Scepman support that my config is good on the cert profile side, but this is definitely something I want to tweak in InTune for the wifi profile side.