Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

EAP-TLS

This thread has been viewed 96 times
  • 1.  EAP-TLS

    Posted Jun 05, 2018 04:43 AM

    Do I need to join and bind CPPM to AD in order to perform EAP-TLS authentication for a client?



  • 2.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 05, 2018 04:45 AM
    No.


  • 3.  RE: EAP-TLS

    Posted Jun 20, 2018 07:14 AM

    Hi,

       I've got a user testing this at the moment and its failing.

    They are getting -

    Alerts for this Request 

    RADIUS[Endpoints Repository] - localhost: User not found.
    EAP-TLS: Authentication failure, unknown user

    Not sure I known how to point the authentication to the customers cert that I have installed in the trust list on CPPM?



  • 4.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 20, 2018 07:15 AM
    Why do you have the endpoints repository as an auth source? That should be your identity store.


  • 5.  RE: EAP-TLS

    Posted Jun 20, 2018 07:21 AM

    Hi Tim,

     It wont let me leave it blank - is there something else that should be there instead?

    I'm hoping to auth against the cert in the trust list - have I uploaded the cert to the wrong location?



  • 6.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 20, 2018 07:23 AM
    So you don't want to validate that the user account  actually exists in your identity store?


  • 7.  RE: EAP-TLS

    Posted Jun 20, 2018 07:28 AM

    No I dont think so, the customer doesn't have any link to AD for the devices so its just a match for a valid certificate I guess. CPPM Is a replacement for NPS - not being an expert I don't fully understand what they were checking and they couldn't explain fully.



  • 8.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 20, 2018 07:36 AM
    Create a new EAP-TLS method with authorization disabled.


  • 9.  RE: EAP-TLS

    Posted Jun 20, 2018 07:52 AM

    Hi Tim,

       I've created and added that to the service and it has a different error in the Alert tab -

    [Endpoints Repository] - localhost: User not found.
    EAP-TLS: fatal alert by client - unknown_ca
    TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    eap-tls: Error in establishing TLS session



  • 10.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 20, 2018 07:56 AM
    1) Remove all authentication sources.

    2) The client does not trust the EAP server certificate


  • 11.  RE: EAP-TLS

    Posted Jun 20, 2018 08:08 AM

    Hi Tim,

        I assume this means the ClearPass certificate? The user doesn't see any cert errors (perhaps they are not displayed). Should I get the user to install the CPPM cert in their trust list?



  • 12.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 20, 2018 08:10 AM
    Deploying certificates need to be carefully planned out and shouldn't be done with changes on the fly like this. Have you reached out to your Aruba partner?


  • 13.  RE: EAP-TLS

    Posted Jun 20, 2018 08:15 AM

    Hi Tim

      The client certs are already deployed, we are migrating the customer from NPS to CPPM. I am the Aruba partner, but none of the documentation on CPPM explains how to do what I've need to achieve here.



  • 14.  RE: EAP-TLS

    EMPLOYEE
    Posted Jun 20, 2018 08:22 AM
    The clients need to be configured to properly trust the EAP server certificate.


  • 15.  RE: EAP-TLS

    Posted Feb 10, 2024 08:28 AM

    I wish there was a step by step guide for those of us that haven't ever done eap-tls / cert based authentication with clearpass with apple / jamf. 

    All the guides I see are for AD bound devices and sadly that doesn't help :(




  • 16.  RE: EAP-TLS

    Posted Feb 12, 2024 12:48 PM

    We are going to use the certs & consulting services of SecureW2 to implement EAP/TLS in our large campus environment.  More to report over the next few months. 




  • 17.  RE: EAP-TLS

    MVP
    Posted Feb 13, 2024 07:49 AM

    We are already wuite a ways down that path with SecureW2. Since this is a little off-topic, competing with CPPM OnBoard, please reach out to me in a PM.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------