  • 1.  **Need help!!! with ClearPass authenticating Red Hat Linux laptop.

    Posted Feb 04, 2021 11:24 AM
    Good morning,
   We have been having a terribly difficult time trying to authenticate a Red Hat Linux laptop with the ClearPass appliance.
    It appears that in order to authenticate certificates, one must use TLS for certificate authentication.

      Based upon the attachment (please see attachment), it is requesting two certificate fields:
    - User certificate 
    - CA certificate  <-- is this an internal root certificate?  Isn't that dangerous putting the entire agency's root certificate on a measly laptop?????

    Also, not sure why it is also asking for an "identity" in one of the fields as well.  Please see attachment. 

    Just to confirm, does the Red Hat laptop require an internal root certificate as well as the client certificate together to work? In the Microsoft world, only a client certificate is needed and it authenticates to the internal root certificate on the AD server.

    I'm a little bit concerned that an internal root certificate is required to be installed on a laptop....  I believe the internal root certificate is an extremely sensitive certificate that shouldn't be installed on a laptop where it can be stolen or used for nefarious purposes.

    Why is Red Hat requiring both certificates?

    In addition, I am also seeing the error: EAP-PEAP: fatal alert by client - unknown_ca TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca eap-tls: Error in establishing TLS session.

    It's been extremely difficult getting or finding any type of information on how Red Hat can authenticate with Linux.  Any recommendations or assistance would be enormously appreciated on getting this to work!!!

    I've been seeing lots of inquiries and issues with Linux working with ClearPass.  Please help.  Thanks.

    Regards,

     Wes

    ------------------------------
    Wes Chang
    ------------------------------




  • 2.  RE: **Need help!!! with ClearPass authenticating Red Hat Linux laptop.

    Posted Feb 05, 2021 06:48 AM
    The configuration should be done similarly to other operating systems, but the terminology may be slightly different.

    Yes, you should install the root CA certificate that issued your RADIUS EAP certificate to the client. Installing the CA certificate is not a risk, as you should just install the certificate, not the private key. With that root certificate, the client can just validate the EAP server (RADIUS server) during the authentication and it will prevent communication to another (rogue/malicious) server.

    The user certificate in the configuration is the EAP-TLS client certificate for that client, that one of course needs to have a private key with it.
    Identity is the username tied to that certificate. Many other clients automatically take the identity from the certificate, which your client may do if you (can) leave the field empty, otherwise fill in the username to be used.

    One of the things with Linux is that there are many flavors and all seem to be different on this point. Red Hat Enterprise 5.x and up is supported for ClearPass Onboard, which will automate the enrollment of a client certificate, as well as the configuration you are now struggling with. You may have a look at that option.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
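An added example, not from this thread and not Aruba's or Red Hat's own tooling: on a Red Hat laptop managed by NetworkManager, the three fields discussed in the reply (CA certificate, user certificate, identity) map onto one nmcli 802.1X profile, and a small check refuses a CA file that wrongly carries a private key along with the certificate. The file paths, interface name, connection name and username are assumptions.

```shell
#!/bin/sh
# Assumed paths (constructed for this example, not from the thread):
#   /etc/pki/eap/agency-root-ca.pem  root CA certificate only, no private key
#   /etc/pki/eap/laptop-client.pem   EAP-TLS client certificate
#   /etc/pki/eap/laptop-client.key   client private key, the only secret on the laptop

# The CA file handed to the supplicant must contain a certificate and no key.
# A file that also holds a private key was exported wrongly from the CA and
# must not be copied to a laptop; only the public certificate is needed to
# validate the RADIUS (EAP) server during the handshake.
ca_file_is_public_only() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Create the 802.1X profile. identity is the username tied to the client
# certificate; ca-cert is what lets the client verify the ClearPass EAP server
# certificate, so a missing or wrong file here is one cause of the client-side
# "unknown_ca" alert quoted in the question.
add_eap_tls_profile() {
    iface="$1"; ca="$2"; cert="$3"; key="$4"; identity="$5"
    if ! ca_file_is_public_only "$ca"; then
        echo "refusing $ca: not a public-only CA certificate file" >&2
        return 1
    fi
    nmcli connection add type ethernet ifname "$iface" con-name eap-tls-wired \
        802-1x.eap tls \
        802-1x.identity "$identity" \
        802-1x.ca-cert "$ca" \
        802-1x.client-cert "$cert" \
        802-1x.private-key "$key" \
        802-1x.private-key-password-flags 1   # agent-owned: passphrase is not stored in the profile
}

# Usage (wired; use "type wifi ssid <SSID>" for a wireless profile):
#   sh this-script.sh eth0 /etc/pki/eap/agency-root-ca.pem \
#      /etc/pki/eap/laptop-client.pem /etc/pki/eap/laptop-client.key USERNAME
if [ "$#" -eq 5 ]; then
    add_eap_tls_profile "$@"
fi
```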



  • 3.  RE: **Need help!!! with ClearPass authenticating Red Hat Linux laptop.

    Posted Feb 07, 2021 03:16 PM
    Herman,  Thank you so much for clarifying my issue.  Very much appreciated!  Thank you!  :)

    ------------------------------
    Wes Chang
    ------------------------------