Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cert-based Wireless Auth using User AND Machine Certs?

  • 1.  Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jan 26, 2023 03:06 AM
    We have Clearpass deployed using the InTune connector. (Not the newest version of the connector). Then we use ScepMan to deploy USER and MACHINE certs.

    I know some people say to either pick user or just machine if you have some shared devices, but we do some VLAN moving depending on who is logging into the device.

    So today we get a new laptop in. It is imaged on site and provisioned in InTune and gets all our Scep and Wifi policy. It successfully joins the wi-fi network on the lockscreen with the machine cert. Then I go to log in with my creds and it does allow me to login, but the autoconnection to the wifi with the user cert does not happen because the cert does not get onto the device in time.

    • Is there anyone else out there that uses both machine and user certs that has gotten around this?
    • Is there a way to hold onto the machine authentication just a little longer after I login to be able to reach out and grab that cert in enough time? Anything regarding Authentication period, Authentication retry delay period, Start period, Maximum EAPOL-start, Maximum authentication failures?

    I thought maybe if I increased the auth period to a minute or two, that could solve the issue?

    I have verified with Scepman support that my config is good on the cert profile side, but this is definitely something I want to tweak in InTune for the wifi profile side.


  • 2.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jan 26, 2023 07:46 AM
    Use TEAP. Inner method EAP-TLS for each, machine certificate for the first chain, user certificate for the second.


  • 3.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Jan 26, 2023 12:10 PM
    +1 on that. One benefit of TEAP is that the User Authentication can fail if the computer authentication succeeded, but you can still provide access to the network and that allows the client to retrieve the user certificate. Check here for a video on TEAP, this is with AD/GPO issued certificates, but works similar with Intune controlled certificates.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jan 31, 2023 03:01 AM
    Do I have to modify my InTune connector or services in any way? Using EAP_TLS and based on the video it should be fairly easy to transition over?


  • 5.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Jan 31, 2023 10:55 AM
    Yes, yes and yes.

    For Intune you would need to configure that it enrolls both user and machine certificates; the Service needs to be changed to allow TEAP (as in the video), as well as some changes to the role-mapping/enforcement to handle computer+user authentication.

    Please note that for the client-side configuration of the SSID to use TEAP, you would need to configure one client manually, then extract the XML config for that, and you can use that in Intune. Let's assume you configured WLAN_WPA2, then use:
    netsh wlan show profiles
    netsh wlan export profile WLAN_WPA2

    You can modify some of the XML if you like, where the <name>WLAN_WPA2</name> on line 3 is a good one. If you name that 'Corporate WiFi (Intune)', it's shown in Windows as that name instead of the actual SSID.

    Then in Intune use the 'WiFi Import (Windows 8.1 and later)' to import the config:
    <abbreviated>
    Hope that helps... Note that you can deploy EAP-TLS and TEAP on the same SSID, which means you can prepare and test before you move your clients over.

    ------------------------------
    Herman Robers
    ------------------------------
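    A scripted version of the export-and-rename steps above, added here as an example (not Herman's commands or Intune's own tooling). It assumes the profile is named WLAN_WPA2 as in the post, writes to C:\Temp\wlan, and reads the EAP type number from the exported XML (55 = TEAP per RFC 7170, 13 = plain EAP-TLS) to confirm the client was actually switched to TEAP before the file goes to Intune.

```powershell
# Added example: export a manually configured TEAP Wi-Fi profile, confirm it is
# TEAP, rename only its display name, and save a copy for the Intune import.
# Assumptions: profile WLAN_WPA2 exists on this client; C:\Temp\wlan is writable.
$ProfileName = 'WLAN_WPA2'
$DisplayName = 'Corporate WiFi (Intune)'
$OutDir      = 'C:\Temp\wlan'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# netsh writes "<interface name>-<profile name>.xml" into the folder.
netsh wlan export profile "name=$ProfileName" "folder=$OutDir"
$Exported = Get-ChildItem -Path $OutDir -Filter "*-$ProfileName.xml" |
            Select-Object -First 1
if (-not $Exported) { throw "netsh did not export a profile named '$ProfileName'." }

[xml]$Doc = Get-Content -Path $Exported.FullName -Raw

# Check the inner EAP type before shipping the file: 55 is TEAP (RFC 7170),
# 13 is EAP-TLS. A PSK profile has no OneX block and yields $null here.
$EapType = $Doc.WLANProfile.MSM.security.OneX.EAPConfig.EapHostConfig.EapMethod.Type
if (-not $EapType -or $EapType -ne '55') {
    throw "Profile uses EAP type '$EapType', not TEAP (55). Configure TEAP on the client first."
}

# Change only the profile's display name (the <name> element on line 3 of the
# export). The SSID under SSIDConfig/SSID/name must stay as broadcast.
$Doc.WLANProfile.name = $DisplayName

$Target = Join-Path $OutDir 'Corporate-WiFi-Intune.xml'
$Doc.Save($Target)
Write-Host "Wrote $Target. Import it in Intune via 'WiFi Import (Windows 8.1 and later)'."
```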



  • 6.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 06, 2023 09:36 PM
    Have been following this thread as we are in the same boat. We are working on rolling this out for wired and wireless connections. In testing I can get the machine on the wired, and provide a limited DUR role of just web, as we use SCEP for the certificate, but after they get the user certificate and restart to get the full DUR role, it does not update and the user is locked into the limited DUR - how do we correct that? In addition, could we do something similar for wireless, in that we could provide Guest access, with web only, and then when they get the user certificate, a restart would provide full authorized access? We are only running Clearpass, and do not have licensing for OnBoard. Thanks very much,


  • 7.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Feb 07, 2023 09:15 AM
    What is the authentication method used? EAP-TLS? TEAP?
    Are these Windows clients?
    After the restart, what certificate(s) does ClearPass display in Access Tracker? Does the user authentication happen?
    If it is EAP-TLS, have you configured computer+user authentication? If set to Computer only, Windows will not switch to user authentication.

    As there are many unknown variables, it may be best to work with your Aruba partner and/or Aruba Support. These issues are hard to find if you don't see what happens, and if there is no access to live Access Tracker information.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 07, 2023 10:29 AM
    Thanks very much for the reply. We are currently using TLS but are moving towards using TEAP. Yes, full Windows client deployment. As we are hybrid joined it looks to be using the internal certificate it receives after the restart, but can confirm. Yes, we do see user authentication happening in the Access Tracker and we currently have it set to computer+user authentication. 

    Completely understand on there being many variables that affect what the process is - just wondering if we were missing a step where we could have it 'remove' the limited DUR role and then when the user authentication happens, make sure it receives the full DUR role. 

    Thanks very much again for the reply.


  • 9.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Feb 08, 2023 04:07 AM
    Ok, still not sure what you mean with 'remove the limited DUR'; but if a client does not have the certificate to authenticate, it may fail authentication, and on wired you would then allow access for a failed authentication such that the client can request the user certificate.

    If that 'need to authenticate to get a certificate that is needed to authenticate' 'deadlock' is the case, TEAP will help as well, because there you can have a successful TEAP-Method-1 with the computer certificate, then a failed TEAP-Method-2 and based on that return a role that can request the certificate. That also works for both Wired and Wireless, where with EAP-TLS on wireless if there is a failed authentication, there will be no connection at all, and you may need to work around that by an open/PSK SSID or plug in the client wired to get the user certificate.

    Hope this helps as this is something many customers run into with EAP-TLS.

    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 08, 2023 10:48 AM
    Thanks for the reply and additional details - much appreciated.

    In regards to the roles, we see this when we have a successful authentication for both machine and user certificate, as desired, but it combines the limited machine role (WebOnly) that allowed the SCEP certificate to install, with the internal access (Internal), and it does not update the DUR role on the switch.

    Thanks very much again for all the details and information.


  • 11.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 09, 2023 08:03 PM

    So, we worked with TAC and adjusted the Enforcement policy to reflect a success on machine authentication and failure on user cert to handle the limited access and then success on both machine and user to allow internal access, vs just the success only, so a little tweak there. In addition, I think the error in the testing was that a restart was not enough to reset the connection - it required a removal of the cable to fully reset it and have it load the internal profile only. I am thinking we will likely see the same on the wireless side, in that a disconnect and reconnect for the wi-fi would allow it to load the correct enforcement policy, i.e. internal access.

    Back to the testing bench...

    Thanks again,




  • 12.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 21, 2023 12:01 AM

    Any luck?




  • 13.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 21, 2023 01:07 PM

    I followed the instructions. But to no luck. Getting:

    eap-teap: Method 1 failed for transaction
    eap-teap: Method 1 failed for transaction
    eap-teap: Conflicting identities 'anonymous' and 'host/Sectigo RSA Domain Validation Secure Server CA' in the request
    TLS session reuse error




  • 14.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 21, 2023 04:21 PM

    Sorry to leave it on a cliffhanger there, but yes, we did manage to get it to work in our testing. Having said that, is it usable for us - totally, but slightly modified. While we can certainly get the machine to authenticate, which is great, the process, after the user certificate is deployed, i.e. reset the port/pull the cable and put back in/disconnect wireless and the connect, seemed to be a large amount for the end user. We are still going to go down the road with utilizing TEAP, but we will likely look for the user certificate to be an addition. We will trust the machine, allow the user to logon, and after time and throughout the normal movement, we will look to see them fully authenticate with both machine and user certificate, which is really the end goal.

    On your above note, make sure you have the machine TEAP settings correct - the following is another thread we used for the setup, in particular resolving the anonymous user issue and ensuring we were passing back the username as desired -

    https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining

    Thanks very much,




  • 15.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 21, 2023 05:13 PM

    I appreciate the update. I am looking to do the same as you, trust the machine cert. Then once the user cert is downloaded from SCEPman, act off that. Have you found any way to "reauth" without having to reboot or reconnect?




  • 16.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 21, 2023 05:20 PM

    No, unfortunately we were unable to overcome that as a component, thus settled in on more the machine first and then the user certificate after a period of time that we will get full TEAP authentication.

    Thanks,




  • 17.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Mar 03, 2023 04:27 PM

    Still have not been able to overcome the anonymous issue. No matter how I set things up. Doesn't seem like it should be that hard haha.




  • 18.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Mar 03, 2023 04:32 PM

    Would you by any chance be willing to share what your enforcement profile looks like? Either here or privately?




  • 19.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Mar 06, 2023 03:24 PM

    We are using it as in the article - the following is what ours looks like;

    We have this set in the Enforcement Profile as one of Attributes.

    Are you just seeing 'anonymous' under the 'Username' field in the Access Tracker then?




  • 20.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jun 22, 2023 05:14 AM

    @zshore have you been able to resolve this? I'm facing the same issue, with a twist: for wired connections (TEAP, computer & user auth) it works perfectly, for wireless it fails with this message:

    eap-teap: Method 1 failed for transaction
    eap-teap: Method 1 failed for transaction
    eap-teap: Conflicting identities 'anonymous' and 'host/SVCKVVS-2305.domain.local' in the request
    TLS session reuse error

    I'm using the same certificates (from our enterprise CA) for wired and wireless.

    Thx,

    Kris




  • 21.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Jun 26, 2023 11:15 AM

    The error seems related to the Compare Certificates option in the EAP-TLS method (used in the TEAP method). You can try to set it to 'Compare CN or SAN', or temporarily do not compare, to verify that the issue lies in the cert comparison:



    ------------------------------
    Herman Robers
    ------------------------------



  • 22.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jun 30, 2023 03:38 AM

    I've noticed that the problem doesn't occur if the service only has TEAP as authentication method, not TEAP and TLS together (which it had during the migration from TLS to TEAP via GPO). Changing the order of the authentication methods on the one service didn't matter.

    Kris




  • 23.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Jul 03, 2023 07:52 AM

    Do you have a TAC case open already on this one?



    ------------------------------
    Herman Robers
    ------------------------------