Security

 View Only
  • 1.  Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 12:07 AM
    Edited by cdelarosa Jan 29, 2024 12:10 AM

    Hello  guys I ran into the following issue recently 

    I have a CA in Country A

    I have a different CA in country B which is in another domain

    The client wants that went their managers to go from country A to country B so they can connect with the same SSID 

    If they had the same CA I do think that would be an issue but they have different CAs  with different domains 

    Each country has its clearpass, and I just can sign the Clearpass with one of the CAs I cannot use them with 2 CAs so I'm not sure what I can do here or how can i manage this situation

    Has anyone run into this situation? if you have, how did you manage it?

    We are using EAP TLS

    Thanks



  • 2.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 02:24 AM

    Hi

    If I understand right the two servers are not part of a cluster, so they are stand alone servers?

    If that's the case you must install the CA certificates of domain A on ClearPass server B and the CA certificate B on server A.

    Are the domains reachable between the countries? In thatcase you should configure lookup of users in domain B from server A and domain A from server B. Also make sure the CRL or OCSP is reachable between the two countries.

    It shouldn't be a problem to solve the authentication of users from the other domain as long as the communication works. If you don't have connection between the domains/countries you can still trust the root from the other side, but not perform AD lookup and revocation check. In that case you may prefer to assign a limited role for devices from the other country.

    Only limitation is if both root CA certificates have the exact same common name. In that case ClearPass can't authenticate users from both domains.

    I have rised a feature request to change the behavior of ClearPass to work in situations where there are multiple roots with the same common name, as the case is with intermediate certificates. https://innovate.arubanetworks.com/ideas/SEC-I-2038



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 08:51 AM
    Edited by cdelarosa Jan 29, 2024 09:32 AM

    Hello Jonas hope you are doing great

    Right now they have like I said 2 different domains and each domain has different CAs and each country has a Clearpass cluster

    Each Clearpass from  each country can reach both domains that are not a problem

    Each country has its domain and its users,  country A is on  a.domain .local, and country b is on b.domain.local.  Clearpass of country A has requested  the CA to the CA root certificate for country A for Clearpass A so users from CA a in domain a.domain.local can  authenticate on Clearpass a with no issues and it is working fine in that part, the same goes for country B

    Now the problem comes when a manager in country B wants to travel to country A, he has a different CA and he works with different domains.  How do I install it request a certificate of country B for clearpass and install it? if i do and install it on the certificate store, that deletes the certificate A that is stored on the certificate store and my users that are local in the country will stop working with the EAP tls.   That is the problem I'm trying to overcome

    Unless I didn't understand what you mean? if I didn't please correct me 

    Managers from country A should travel to country B and vice versa.  The SSID should be the same in each country that the  request let's say the SSID is ARUBA in each country with EAP TLS but the difference is that it's on a different domain with different CA, but the domains  are reachable from both Clearpases in each country

    The part I lost you is where you said I can install the certificate in each country but if I do I'll lose the other certificate that I need, can you explain to me that part? how it will work if I lose that certificate? at least for the local users

    Thanks




  • 4.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 09:18 AM

    Hi

    You should not touch the certificates on the clients.

    In ClearPass A install the root and any intermediate certificates from domain B under Administration\Certificate\Trust list and enable usage EAP and AD/LDAP Server.

    On ClearPass B install the same from domain A.

    If you need to apply roles based on the different user groups from B in when a person visiting country A you also need to create a matching LDAP connection from ClearPass A to domain B to be able to read the AD groups. In that case you also need to update the role mapping and enforcement policies accordingly. The same must also be done on on the other side.

    If all users visiting A from B should be in the same role, you will just need a single line in the role mapping policy to assign that role based on the issuing CA in domain B.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 09:42 AM

    Hello

    I can do that with no issues but wouldn't I need the certificate on the certificate store in the radius part of the select usage of the domain B also?

    That will not bring me issues of did not complete eap transaction, because it is from another domain.

    If not, I would like to know why I installed that certificate in the first place then, i thought i needed it so it worked properly, the certificate in the trust list and the certificate on the select usage on the certificate store,  but it seems for at least the users from the other countries don't need it when they are on another domain.

    I'm just trying to understand what I'm doing, sorry about so many questions

    I




  • 6.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 10:26 AM

    The clients must trust the other domain PKI as well, and in the 802.1x GPO you should also mark the root of the other domain's PKI as trusted for EAP.

    In my last answer I referred to the changes needed on the ClearPass server side.

    Certificates are often a complex topic where you need to trust the issuer of the certificates and also configure the 802.1x policies on the clients.

    Your case is a bit of a special case with a lot of additional parameters to consider. I would recommend to contact an Aruba partner or Aruba SE to get assistance to look into the specific questions you have.

    This is (hopefully) list of all that must be configured on both sides:

    • Each ClearPass server must trust the PKI in the other domain
    • Possibly LDAP connection to the other AD, if group membership should be utilized
    • ClearPass must have configuration in the EAP-TLS service to handle the clients from the other domain
    • Clients must trust the PKI in the other domain
    • Clients should only have certificate for client authentication from the own domain
    • Clients should have a 802.1x configured by GPO
    • In the GPO the root certificates from both PKI's should be selected as trusted for 802.1x (in the picture below both root certificates should be selected)
    • In the GPO the client may need to configure how to select the client authentication certificate under the Advanced settings in this dialogue where the client should only select certificates based on the root in the own domain.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Clearpasses in different countries with different CAs

    Posted Jan 29, 2024 10:47 AM

    Okay I got it

    "The clients must trust the other domain PKI"

    This is the part I was missing

    That is something the client must work on in their pkis.  Right now I believe that's not happening.  Both PKIs are independent and are not being trusted.  I will have to ask.

    Thank you very much for explaining this to me 

    Kudos!




  • 8.  RE: Clearpasses in different countries with different CAs

    Posted Jun 24, 2024 11:10 PM

    hello Jonas 

    I read that in clearpass you can install multiple radius/EAP certificates and associate them to specific  service.  This feature seems to be useful if CPPM is authenticating users from multiple organizations ( i see multiple organizations as well yes its the same company but the name is a bit different and different CAs)  and well you can match the correct certificate with the service of each domain 

    I was thinking this could work for me but then, they want to use the SAME SSID for the person that travel  if we could have a second SSID for all this users that travel i guess this could work?

    For what you were telling me up there is for using it on a single SSID? using EAP TLS 

    Thanks




  • 9.  RE: Clearpasses in different countries with different CAs

    Posted Jun 25, 2024 07:57 AM
    Hi

    Yes, you can have multiple Radius certificates installed as Service Certificates in ClearPass. In that case you have to select the certificate to utilize for each service that should have another certificate than the server Radius certificate.

    But I think the idea to have the same SSID for all users is a good idea. This will give the least amount of configuration of the clients and in ClearPass, but maybe with restrictions on the access when traveling if needed. If clients traveling should get another role or VLAN this can be implemented in the enforcement policy by returning different set of parameters back during the authentication process.

    If you would like to have separate SSID for traveling computers, it will require more work. So far, there are no problems with this, but you also need to configure the clients to trust the correct certificate. I'm not quite sure exactly how you intend to do with the separate SSID for persons traveling, because if I understand correctly that SSID would be the same on all sites. In that case also clients not traveling will see this SSID in the home site, and possibly try to connect to it. Clients jumping back and forth between SSID's is never good.

    I think that Service Cerificates in your case would just make the configuration over complicated and hard to troubleshoot. Because you need to configure the clients from different parts of the organization differently, and also configure ClearPass to reply with different certificate based on where in the organization the client is located.

    One thing to keep in mind is that if you have installed a Service Certificate in ClearPass, but are not having it selected in any service, it's still required to be valid. If the certificate expires, and the Radius service restarts the service will not start again.

    Best Regards

    Jonas Hammarbäck

     



    left50.png

    top50.png

    Jonas Hammarbäck
    Network Architect - Solutions
    Phone:  +(46) 702178187
    Email:   jonas.hammarback@aranya.se
    Web:     www.aranya.se
    Aranya AB, Hemvärnsgatan 11, 171 54, Solna







  • 10.  RE: Clearpasses in different countries with different CAs

    Posted Jun 26, 2024 06:36 AM

    So it is possible to use one SSID and still use 2 services - one service for the home users and one for the travelers.
    You have to duplicate the service, name it accordingly and add an additional service rule. In the service for the home user, you ask whether the username ends with the home domain. And in the service for the travelers whether the username ends on the traveler domain. 
    Then install the Radius server certificates as service certificates and select the corresponding certificate in each service.

    And then ClearPass sends the user from domain A the radius/EAP server certificates from domain A, the same happens accordingly for domain B. Travelers and home users always connect in location A and location B with the same SSID.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------