Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Cert-based Wireless Auth using User AND Machine Certs?

  • 1.  Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jan 26, 2023 03:06 AM
    We have ClearPass deployed using the Intune connector (not the newest version of the connector). Then we use SCEPman to deploy USER and MACHINE certs.

    I know some people say to either pick user or just machine if you have some shared devices, but we do some VLAN moving depending on who is logging into the device.

    So today we get a new laptop in. It is imaged on site and provisioned in Intune and gets all our SCEP and Wi-Fi policy. It successfully joins the Wi-Fi network on the lock screen with the machine cert. Then I go to log in with my creds and it does allow me to log in, but the auto-connection to the Wi-Fi with the user cert does not happen because the cert does not get onto the device in time.

    • Is there anyone else out there that uses both machine and user certs that has gotten around this?
    • Is there a way to hold onto the machine authentication just a little longer after I login to be able to reach out and grab that cert in enough time? Anything regarding Authentication period, Authentication retry delay period, Start period, Maximum EAPOL-start, Maximum authentication failures?

    I thought maybe if I increased the auth period to a minute or two, that could solve the issue?

    I have verified with SCEPman support that my config is good on the cert profile side, but this is definitely something I want to tweak in Intune for the Wi-Fi profile side.


  • 2.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jan 26, 2023 07:46 AM
    Use TEAP. Inner method EAP-TLS for each, machine certificate for the first chain, user certificate for the second.


  • 3.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Jan 26, 2023 12:10 PM
    +1 on that. One benefit of TEAP is that the User Authentication can fail if the computer authentication succeeded, but you can still provide access to the network and that allows the client to retrieve the user certificate. Check here for a video on TEAP, this is with AD/GPO issued certificates, but works similar with Intune controlled certificates.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Jan 31, 2023 03:01 AM
    Do I have to modify my Intune connector or services in any way? Using EAP-TLS and based on the video it should be fairly easy to transition over?


  • 5.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Jan 31, 2023 10:55 AM
    Yes, yes and yes.

    For Intune you would need to configure that it enrolls both user and machine certificates; the Service needs to be changed to allow TEAP (as in the video), as well as some changes to the role-mapping/enforcement to handle computer+user authentication.

    Please note that for the client-side configuration of the SSID to use TEAP, you would need to configure one client manually, then extract the XML config for that, and you can use that in Intune. Let's assume you configured WLAN_WPA2, then use:

    netsh wlan show profiles
    netsh wlan export profile name="WLAN_WPA2"

    The second command writes WLAN_WPA2.xml (the profile name, with the SSID embedded) into the current directory; an EAP profile carries no pre-shared key, so key=clear is not needed. You can modify some of the XML if you like, where the <name>WLAN_WPA2</name> on line 3 is a good one. If you name that 'Corporate WiFi (Intune)', it's shown in Windows as that name instead of the actual SSID.

    Then in Intune use the 'WiFi Import (Windows 8.1 and later)' to import the config:
    <abbreviated>
    Hope that helps... Note that you can deploy EAP-TLS and TEAP on the same SSID, which means you can prepare and test before you move your clients over.

    ------------------------------
    Herman Robers
    ------------------------------
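The rename step above, plus the checks a practitioner would want before importing the XML into Intune, as an added example that is not part of the thread and not Aruba's or Microsoft's code. It parses a `netsh wlan export profile` XML, replaces the display `<name>` without touching the SSID, and reports the outer EAP method (IANA type 55 is TEAP, 13 is EAP-TLS) and the OneX `authMode`, since a profile that is still EAP-TLS or still `machine`-only will not give the machine-then-user behaviour discussed here. The sample profile is constructed and abbreviated: the namespaces and element names are the standard Windows WLAN/OneX/EapHostConfig schemas, but the vendor-specific `<Config>` subtree that holds the TEAP inner-method settings is omitted because its exact shape is not shown in the thread.

```python
"""Rename and sanity-check an exported Windows WLAN (802.1X) profile.

Added example, not code from the thread. SAMPLE_TEAP_PROFILE is a constructed,
abbreviated stand-in for what `netsh wlan export profile` writes.
"""
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "eaphost": "http://www.microsoft.com/provisioning/EapHostConfig",
    "eapcommon": "http://www.microsoft.com/provisioning/EapCommon",
}
# Keep the WLAN namespace as the default namespace on output, as netsh does;
# the nested namespaces get prefixes, which is namespace-equivalent XML.
ET.register_namespace("", NS["wlan"])
for _prefix in ("onex", "eaphost", "eapcommon"):
    ET.register_namespace(_prefix, NS[_prefix])

# IANA EAP method type numbers that matter in this thread.
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 55: "TEAP"}

# Constructed sample; the TEAP-specific <Config> subtree is intentionally absent.
SAMPLE_TEAP_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>WLAN_WPA2</name>
  <SSIDConfig>
    <SSID>
      <hex>574C414E5F57504132</hex>
      <name>WLAN_WPA2</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">55</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


def profile_name(xml_text: str) -> str:
    """Return the display <name> (line 3 of a netsh export)."""
    name = ET.fromstring(xml_text).findtext("wlan:name", namespaces=NS)
    if name is None:
        raise ValueError("not a WLAN profile: top-level <name> missing")
    return name


def rename_profile(xml_text: str, display_name: str) -> str:
    """Return the profile with only the display <name> changed; the SSID stays as-is."""
    root = ET.fromstring(xml_text)
    name = root.find("wlan:name", NS)
    if name is None:
        raise ValueError("not a WLAN profile: top-level <name> missing")
    name.text = display_name
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def inspect_profile(xml_text: str) -> dict:
    """Pull out the fields that decide whether machine-then-user auth can work."""
    root = ET.fromstring(xml_text)
    ssid_name = root.findtext("wlan:SSIDConfig/wlan:SSID/wlan:name", namespaces=NS)
    ssid_hex = root.findtext("wlan:SSIDConfig/wlan:SSID/wlan:hex", namespaces=NS)
    type_text = root.findtext(".//eaphost:EapMethod/eapcommon:Type", namespaces=NS)
    eap_type = int(type_text) if type_text is not None else None
    return {
        "name": root.findtext("wlan:name", namespaces=NS),
        "ssid": ssid_name,
        # <hex> is the SSID bytes; it must agree with <name> or Windows joins the wrong network.
        "ssid_hex_matches": ssid_hex is not None
        and bytes.fromhex(ssid_hex).decode("utf-8", "replace") == ssid_name,
        "auth_mode": root.findtext(".//onex:OneX/onex:authMode", namespaces=NS),
        "eap_type": eap_type,
        "eap_method": EAP_TYPES.get(eap_type, f"type {eap_type}"),
    }


def check_machine_and_user(xml_text: str) -> list:
    """Findings that would break the machine-cert-then-user-cert flow from the thread."""
    info = inspect_profile(xml_text)
    findings = []
    if info["eap_type"] != 55:
        findings.append(f"outer method is {info['eap_method']}, not TEAP: a failed user "
                        "authentication means no connection instead of a limited role")
    if info["auth_mode"] != "machineOrUser":
        findings.append(f"authMode is {info['auth_mode']!r}, not 'machineOrUser': "
                        "Windows will not switch to user authentication after logon")
    if not info["ssid_hex_matches"]:
        findings.append("SSID <hex> does not encode SSID <name>")
    return findings


if __name__ == "__main__":
    renamed = rename_profile(SAMPLE_TEAP_PROFILE, "Corporate WiFi (Intune)")
    print(inspect_profile(renamed))
    print(check_machine_and_user(renamed) or "no findings")
```

Run it against the real export by replacing `SAMPLE_TEAP_PROFILE` with the file contents; the renamed XML is what goes into the Intune 'WiFi Import' profile.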



  • 6.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 06, 2023 09:36 PM
    Have been following this thread as we are in the same boat. We are working on rolling this out for wired and wireless connections. In testing I can get the machine on the wired, and provide a limited DUR role of just web, as we use SCEP for the certificate, but after they get the user certificate and restart to get the full DUR role, it does not update and the user is locked into the limited DUR - how do we correct that? In addition, could we do something similar for wireless, in that we could provide Guest access, with web only, and then when they get the user certificate, a restart would provide full authorized access? We are only running Clearpass, and do not have licensing for OnBoard. Thanks very much,


  • 7.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Feb 07, 2023 09:15 AM
    What is the authentication method used? EAP-TLS? TEAP?
    Are these Windows clients?
    After the restart, what certificate(s) does ClearPass display in Access Tracker? Does the user authentication happen?
    If it is EAP-TLS, have you configured computer+user authentication? If set to Computer only, Windows will not switch to user authentication.

    As there are many unknown variables, it may be best to work with your Aruba partner and/or Aruba Support. These issues are hard to find if you don't see what happens, and if there is no access to live Access Tracker information.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 07, 2023 10:29 AM
    Thanks very much for the reply. We are currently using TLS but are moving towards using TEAP. Yes, full Windows client deployment. As we are hybrid joined it looks to be using the internal certificate it receives after the restart, but can confirm. Yes, we do see user authentication happening in the Access Tracker and we currently have it set to computer+user authentication.

    Completely understand on there being many variables that affect what the process is - just wondering if we were missing a step where we could have it 'remove' the limited DUR role and then when the user authentication happens, make sure it receives the full DUR role.

    Thanks very much again for the reply.


  • 9.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    EMPLOYEE
    Posted Feb 08, 2023 04:07 AM
    Ok, still not sure what you mean with 'remove the limited DUR'; but if a client does not have the certificate to authenticate, it may fail authentication, and on wired you would then allow access for a failed authentication such that the client can request the user certificate.

    If that 'need to authenticate to get a certificate that is needed to authenticate' 'deadlock' is the case, TEAP will help as well, because there you can have a successful TEAP-Method-1 with the computer certificate, then a failed TEAP-Method-2 and based on that return a role that can request the certificate. That also works for both Wired and Wireless, where with EAP-TLS on wireless if there is a failed authentication, there will be no connection at all, and you may need to work around that by an open/PSK SSID or plug in the client wired to get the user certificate.

    Hope this helps as this is something many customers run into with EAP-TLS.

    ------------------------------
    Herman Robers
    ------------------------------



  • 10.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 08, 2023 10:48 AM
    Thanks for the reply and additional details - much appreciated.

    In regards to the roles, we see this when we have a successful authentication for both machine and user certificate, as desired, but it combines the limited machine role (WebOnly) that allowed the SCEP certificate to install with the internal access role (Internal), and it does not update the DUR role on the switch.

    Thanks very much again for all the details and information.


  • 11.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted Feb 09, 2023 08:03 PM

    So, we worked with TAC and adjusted the Enforcement policy to reflect a success on machine authentication and failure on user cert to handle the limited access and then success on both machine and user to allow internal access, vs just the success only, so a little tweak there. In addition, I think the error in the testing was that a restart was not enough to reset the connection - it required a removal of the cable to fully reset it and have it load the internal profile only. I am thinking we will likely see the same on the wireless side, in that a disconnect and reconnect for the wi-fi would allow it to load the correct enforcement policy, i.e. internal access.

    Back to the testing bench...

    Thanks again,




  • 12.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted 28 days ago

    Any luck?




  • 13.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted 28 days ago

    I followed the instructions. But to no luck. Getting:

    eap-teap: Method 1 failed for transaction
    eap-teap: Method 1 failed for transaction
    eap-teap: Conflicting identities 'anonymous' and 'host/Sectigo RSA Domain Validation Secure Server CA' in the request
    TLS session reuse error




  • 14.  RE: Cert-based Wireless Auth using User AND Machine Certs?

    Posted 27 days ago

    Sorry to leave it on a cliffhanger there, but yes, we did manage to get it to work in our tes