Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS with NPS

  • 1.  EAP-TLS with NPS

    Posted Jul 05, 2021 12:09 PM
    Hi Airheads,
    We have a customer with Aruba APs and controllers (v8).
    They have NPS as their RADIUS server and they want to do EAP-TLS to NPS with non-AD clients.
    I was wondering, is there a way of authenticating clients with EAP-TLS that are not AD members?
    I know I have to consider revocation, but I just want to get EAP-TLS going to begin with.
    Regards,
    Pete

    ------------------------------
    Pete Elms
    ------------------------------


  • 2.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 01:13 AM
    To have EAP-TLS authentication, the client should have a certificate installed on their computer and it should be a domain machine.

    As per my understanding, EAP-TLS is not a recommended way to authenticate non-domain users.


  • 3.  RE: EAP-TLS with NPS

    EMPLOYEE
    Posted Jul 06, 2021 03:45 AM
    I don't agree with that statement. EAP-TLS (or EAP-TEAP) should be used to authenticate all users (where feasible).

    Personally, I don't have this experience with NPS, but you can request a (user) certificate manually from your ADCS (or other CA) and install that on non-domain-joined clients. In the real world, for anything somewhat larger than really small, you want to automate that process, in which case an MDM/EMM (Mobile Device Management) solution can help in getting the certs deployed automatically to devices that you can bring under its control. For non-managed devices, you could have a look at ClearPass Onboard to get the certificate requested and installed in a simple-to-follow procedure for the user.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 04:17 AM
    Hi Herman,
    Thanks for getting back.
    I agree, I think you should be able to do EAP-TLS with non-AD clients.
    Also, I am (for a test) using the ClearPass Onboard certificate authority to provide user certs for client testing.
    All the trusts are in place, but NPS or the client appear to be stopping half-way through the process.
    I was wondering if (like you can in ClearPass) you can turn off authorization in NPS for the EAP-TLS service,
    so that the authentication can be done on trust alone.
    Cheers,
    Pete

    ------------------------------
    Pete Elms
    ------------------------------



  • 5.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 08:54 AM
    On the enforcement service, make sure you update the EAP-TLS authentication source to check the ClearPass OCSP.

    If this will be a mix of AD and non-AD clients, you can use the different authorization sources as a differentiator in the enforcement policies.
    Authentication will be based on the ClearPass Onboard cert, and if the clients are not AD based, NPS would not have anything to do with the authorization, since the CN would not equal the user UPNs on the cert (the cert subject shouldn't match AD usernames, unless using AD users).


  • 6.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 09:19 AM
    Thanks for getting back.
    As you say, the users are not AD users.
    I am just authenticating EAP-TLS user-cert-based clients based on trust of CAs.
    However, in the Event Viewer I am seeing "user not found", which confuses me.
    So I was wondering how I stop the NPS service from looking for a user account.
    Regards,
    Pete

    ------------------------------
    Pete Elms
    ------------------------------



  • 7.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 09:31 AM
    You've probably included the NPS server as an authentication or authorization source.
    If no AD/NPS credentials are involved, just use the Onboard users/devices as the auth source.


  • 8.  RE: EAP-TLS with NPS

    Posted Jul 06, 2021 09:42 AM
    I am not using ClearPass as a RADIUS server; I'm using NPS as my RADIUS service.
    I'm unclear on how you disable authorization on the NPS policy service.

    ------------------------------
    Pete Elms
    ------------------------------
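The "user not found" denial in the thread above comes from NPS trying to map the client certificate to an Active Directory account (by the UPN in the certificate's SAN, falling back to the subject name) before it will authorize the session. The following diagnostic script is an added example, not code from the thread or from HPE Aruba Networking; it assumes it runs on the NPS server with the ActiveDirectory RSAT module installed, and takes the path to the client's .cer/.crt file as a parameter. It shows which identity NPS would look up, whether an AD account exists for it, and the reason text of the most recent NPS denials (Security log Event ID 6273) for correlation.

```powershell
# Added example: show which identity NPS maps a client cert to, check AD for it,
# and list recent NPS denials. Assumes ActiveDirectory module on the NPS host.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,   # client .cer/.crt file
    [int]$RecentDenials = 5
)
Import-Module ActiveDirectory

$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

# NPS uses the SAN UPN first; the subject CN is the fallback identity.
$upn = $cert.GetNameInfo($nameType::UpnName, $false)
$cn  = $cert.GetNameInfo($nameType::SimpleName, $false)
Write-Host "Subject CN : $cn"
Write-Host "SAN UPN    : $(if ($upn) { $upn } else { '<none>' })"
Write-Host "Issuer     : $($cert.Issuer)"

# Without a matching AD account NPS denies the request, even though the
# certificate chains to a trusted CA.  Quotes are doubled to keep the
# identity from breaking the -Filter expression.
$account = $null
if ($upn) {
    $safeUpn = $upn.Replace("'", "''")
    $account = Get-ADUser -Filter "UserPrincipalName -eq '$safeUpn'" -ErrorAction SilentlyContinue
}
if (-not $account -and $cn) {
    $safeCn  = $cn.Replace("'", "''")
    $account = Get-ADUser -Filter "SamAccountName -eq '$safeCn'" -ErrorAction SilentlyContinue
}
if ($account) {
    Write-Host "AD account : $($account.DistinguishedName) (NPS can authorize this cert)"
} else {
    Write-Warning "No AD account matches this certificate; expect NPS to log a 'user not found' style denial."
}

# Recent NPS denials with their reason lines, newest first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents $RecentDenials -ErrorAction SilentlyContinue |
    ForEach-Object {
        $reason = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Reason' }) -join '; '
        "{0}  {1}" -f $_.TimeCreated, $reason.Trim()
    }
```

If the script reports no matching account, the fix on the NPS side is to create an AD account whose UPN matches the certificate (or to front the request with a RADIUS server that can authorize on certificate trust alone); NPS itself has no option to skip the account lookup.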