Security

 View Only
last person joined: 6 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Onboard CA as authentication source

This thread has been viewed 18 times
  • 1.  ClearPass Onboard CA as authentication source

    Posted Aug 07, 2022 06:48 PM
    Hello,

    I have a client who is using ClearPass onboard+ Azure SSO to distribute client certificates (using Clearpass as CA). The question I have is can I use ClearPass Onboard as authentication source only for EAP-TLS in the 802.1x service or do I have to use Azure as authentication source?


  • 2.  RE: ClearPass Onboard CA as authentication source

    EMPLOYEE
    Posted Aug 08, 2022 10:53 AM
    You can create an EAP-TLS Authentication Method which has the option 'Authorization' disabled. In that case you don't need an Authentication Source (or can use the local user database or endpoint database in as authentication source).

    Make sure that you do proper authorization during your role-mapping and/or enforcement.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Onboard CA as authentication source

    Posted Aug 12, 2022 01:36 AM
    Thanks Herman. Worked like a charm. There is a shift in customer requirement and they are not using Okta instead of Azure. The onbaording part is still working fine with Okta as well. Is there a way I can set certain attributes for user during onbaord based on what we receive from Okta during SSO.

    E.g. Okta returns attribute X value = assign attribute X to user device during onboarding and for any subsequent EAP-TLS request, assign user role X based on attribute X associated to the onboarded device attribute

    We are aware Okta and Onboard repository will be disjoint after initial onbaording but customer is happy to do it this way during interim period.


  • 4.  RE: ClearPass Onboard CA as authentication source

    Posted Aug 17, 2022 01:30 AM
    @Herman Robers: Any thoughts mate? ​​


  • 5.  RE: ClearPass Onboard CA as authentication source

    EMPLOYEE
    Posted Aug 17, 2022 09:50 AM
    Do you see the attributes that you want to set in Access Tracker during the SSO authentication? If so, you should be able to use the Entity Update enforcement to put those attributes into the endpoint (with value %{whateverisshowninaccesstracker}). If you don't see them in Access Tracker, try to get them there.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------