
Clearpass EAP-TLS authentication non-domain computers wireless

  • 1.  Clearpass EAP-TLS authentication non-domain computers wireless

    Posted Dec 13, 2023 08:16 AM
    Hello,

    I am trying to create a setup where a non-domain computer can authenticate to a Wi-Fi SSID via a certificate.
    The computer only has a computer certificate, no user certificate.

    The setup involves the following:
    - Internal CA server where the computer certificate is already (manually) requested and installed on the computer.
    - Wi-Fi SSID with WPA2-Enterprise authentication and authentication server = ClearPass
    - ClearPass service with EAP-TLS authentication where "Authorization Required" is unchecked (see screenshot "Clearpass-authentication").

    When connecting, the computer gets the error message "Can't connect to this network".
    In the ClearPass Access Tracker the request arrives but gives a timeout (see screenshot "Clearpass-timeout").
    ClearPass also gives the alert "Client did not complete EAP transaction" (see screenshot "Clearpass alert").

    In the Windows logs the error message "EAP Root cause String: Network authentication failed. The user certificate required for the network can't be found on this computer." appears
    (see screenshot "Computer-event-error").

    However, the certificate is present on the computer and I see it in the request on ClearPass.
    Can anyone help with what is causing this, or how to configure the setup to authenticate a non-domain computer with a certificate?
    Thanks in advance.


  • 2.  RE: Clearpass EAP-TLS authentication non-domain computers wireless

    Posted Dec 13, 2023 09:07 AM

    Hi Joris

    From the information you have provided it looks like the client doesn't have the correct 802.1X configuration.

    Have you configured an 802.1X profile, specified the authentication method as EAP-TLS, and in this profile also marked your internal root CA as trusted for EAP?

    In this 802.1X profile you also need to specify that the computer should only do computer authentication, not both. I think in your case the user is authenticated on Windows, and with the default settings Windows will provide the user for authentication; as the user doesn't have a certificate, it's not possible to complete the authentication.

    Does the computer authenticate if the user logs out from Windows?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpass EAP-TLS authentication non-domain computers wireless

    Posted Dec 14, 2023 07:49 AM
    Edited by bosborne Dec 14, 2023 07:50 AM

    First thing, to use certificate authentication you need EAP-TLS, not just EAP for Authentication Method.

    Also, if just authenticating using the certificate, no authentication source is needed, for example:



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------