Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass certificate-based authentications

  • 1.  ClearPass certificate-based authentications

    Posted Jul 31, 2024 09:31 AM

    Hi All,

    Is certificate-based authentication in ClearPass possible without any LDAP-compliant directory, i.e. the client certificate is validated with the Trusted CA cert chain installed in ClearPass?

    Thanks



  • 2.  RE: ClearPass certificate-based authentications

    EMPLOYEE
    Posted Jul 31, 2024 01:01 PM

    Look at the EAP-TLS auth method; one of the checkboxes is "Authorization Required". Copy the auth method and uncheck that box; no lookup of the certificate subject is then required for the authentication to succeed. Later authorization checks can further determine validity of the auth request and enforcement.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: ClearPass certificate-based authentications

    Posted Aug 01, 2024 03:58 AM

    Thanks for the reply.

    For authorization Microsoft Entra ID will be used, but that can't be used for authentication.

    In the EAP-TLS method, if "Authorization Required" is unchecked and we want authentication only via certificates without local Active Directory, is it possible?

    ClearPass version is the latest: 6.12.2.




  • 4.  RE: ClearPass certificate-based authentications

    Posted Aug 01, 2024 07:54 AM

    Yes. What 'Authorization' in the EAP-TLS method does is verify whether the user that authenticates exists in the Authentication Source.

    If you disable Authorization, any valid certificate (against the trust list) is accepted. In your role mapping and enforcement, you can limit this further, for example with a lookup to Intune or Entra ID, or limit to specific certificate authorities only.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
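The behaviour described in post 4, as an added example that is not part of the thread and is not ClearPass code: a simplified Go model in which chain validation alone accepts a client certificate from any CA in the trust list, while a later issuer restriction narrows that to one CA. The CA names, device names and the functions `issue` and `evaluate` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// evaluate returns (chainOK, policyOK). chainOK models authentication with no directory
// lookup: the cert only has to chain to a trusted CA. policyOK adds an issuer restriction.
func evaluate(c *x509.Certificate, allowedIssuerCN string, trust ...*x509.Certificate) (bool, bool) {
	pool := x509.NewCertPool()
	for _, ca := range trust {
		pool.AddCert(ca)
	}
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	chainOK := err == nil
	return chainOK, chainOK && c.Issuer.CommonName == allowedIssuerCN
}

func main() {
	corp, corpKey := issue("Corp Device CA", nil, nil)
	other, otherKey := issue("Other Trusted CA", nil, nil)
	laptop, _ := issue("laptop-01", corp, corpKey)
	kiosk, _ := issue("kiosk-77", other, otherKey)
	for _, c := range []*x509.Certificate{laptop, kiosk} {
		chainOK, policyOK := evaluate(c, "Corp Device CA", corp, other)
		fmt.Println(c.Subject.CommonName, "chain:", chainOK, "issuer policy:", policyOK)
	}
}
```

Both constructed devices pass the chain check; only the one issued by the allowed CA passes the issuer restriction, which is evaluated only after the chain has validated.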



  • 5.  RE: ClearPass certificate-based authentications

    Posted Aug 02, 2024 09:07 AM

    So for Authentication Methods, put the modified EAP-TLS with the "Authorization Required" option unchecked.

    What do I put for Authentication Sources?




  • 6.  RE: ClearPass certificate-based authentications

    EMPLOYEE
    Posted Aug 02, 2024 09:45 AM

    Whatever you want.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: ClearPass certificate-based authentications

    Posted Aug 02, 2024 10:36 AM

    If you have disabled Authorization (and no other authentication methods that require authentication), you can even leave the authentication sources empty (in recent ClearPass versions).



    ------------------------------
    Herman Robers
    ------------------------------