Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

OCSP certificate revocation

This thread has been viewed 23 times
  • 1.  OCSP certificate revocation

    Posted May 17, 2023 05:41 AM

    Hello,

    I am working on a new network design for a company (I am a student and currently in my internship). We want to create one SSID for BYOD and Corp devices to connect to. Currently, we have two (One for BYOD and one for Corp). The SSID for BYOD is a SSID that provides internet-only access to the devices that connect to the SSID, and the corp SSID provides more access than internet-only to domain/managed devices.

    So we want to combine these to SSID into one SSID where if a BYOD device connects using PEAP-MSCHAPv2, it gets a provisioning role and gets a certificate after successful provisioning to log in with and still get internet-only access. And for managed devices (currently connecting using PEAP-MSCHAPv2, but we are going to change it, so they all have certificates to connect with) get access to the internal network when they successfully authenticate on the network.


    I have been watching the workshop video's about Onboarding from the Airheads Broadcasting channel on Youtube and came along this video; "Aruba ClearPass Workshop - Onboard #5 - OCSP and certificate revocation - YouTube". Herman stated that 'you might want to use different services for certificate revocation for the AD user certificates and OnBoarding certificates'. How does this work and is it possible to combine this into one service instead of using two services?

    I have two more questions about how we want to configure the 'new' network;
    1. I can't find any benefits of using dual SSID for onboarding instead of using a single SSID, are there benefits of using dual SSID instead of one?
    2. We have multiple tenant's (multiple management locations; location 'a', location 'b' etc.) and every single tenant also has its own AD. What is the best way to configure Clearpass for this setup, using one CPPM for every tenant or using one CPPM for all the tenants? Are there any benefits of using one CPPM for every tenant?

    I hope someone can give their opinion about this and help me out,

    kind regards,

    Jer



  • 2.  RE: OCSP certificate revocation

    Posted May 17, 2023 06:21 AM

    add to my previous post ->

    'How does this work and is it possible to combine this into one service instead of using two services?'

    I saw on the internet that the OCSP url for the AD users is a different url then the OCSP url from the onboarding clients (when the onboarding CA is configured as root CA) Is there a way to connect the byod certificates, that are generated by the onboarding ca, to the AD so I only have to use one OCSP url in the [EAP-TLS with OCSP enabled] authentication source? So that I only have to use one service for both BYOD and domain devices?




  • 3.  RE: OCSP certificate revocation

    EMPLOYEE
    Posted May 17, 2023 07:17 AM

    The reason that single SSID is deprecated, has to do with:
    - some client devices don't like to setup the SSID over which someone is connected, this first happened with Android because the Android OS does not allow changing an existing network profile, which meant that during the onboarding process you had to manually delete the existing network before the process could continue. Other OSses now may have similar issues.
    - it's becoming harder for end users to configure PEAP-MSCHAPv2, and there is a risk that the AD credentials stay there, in an insecure configuration and ready to be collected by bad actors.
    In most cases, using the Guest SSID to onboard your clients is more convenient, has fewer issues, and does not require the AD account in the WLAN configuration.

    If you have multiple tenants, or multiple ADs, you could either use a single service if enforcement is similar, or you could create separate services and filter on the Username (does it include @domain-A or @domain-B, or you can use the NAS-IP or Network Device Group to select the right service. It really depends which is easier or better, having a separated service at least allow you to filter in Access Tracker on the Service name. But if you need access for all users, also on different tenant's networks, then a single service may be more convenient.

    The splitting of BYOD/Onboard and AD users could be done as well based on the username, if you make sure there is a detectable difference like using the @domain.local for Onboarding and email@domain.external for AD or vice-versa. Within a service you can have different EAP-TLS methods with or without OCSP override. If you have the OCSP URL in your certifcates, you can also rely on that and don't use the OCSP override at all.

    You can connect your Onboard to Active Directory Certificate Services, and pull your Onboard certs from there as well, this is not something I would recommend. I'd rather make sure you have the proper OCSP URL in the client certificate, in which case you don't need the override and the URL provided in the certificate is used for OCSP.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: OCSP certificate revocation

    Posted May 17, 2023 07:41 AM

    Thank you Herman for your realy quick response.

    So you would recommend using the guest SSID to start the onboarding for byod.

    'If you have multiple tenants, or multiple ADs, you could either use a single service if enforcement is similar, or you could create separate services and filter on the Username (does it include @domain-A or @domain-B, or you can use the NAS-IP or Network Device Group to select the right service. It really depends which is easier or better, having a separated service at least allow you to filter in Access Tracker on the Service name. But if you need access for all users, also on different tenant's networks, then a single service may be more convenient.'


    The only reason why I asked the question about the multi tenant cppm / one cppm for all the tenant is to find out if there are benefits of setting up a CPPM per tenant. Maybe it is for a better overview?

    'The splitting of BYOD/Onboard and AD users could be done as well based on the username, if you make sure there is a detectable difference like using the @domain.local for Onboarding and email@domain.external for AD or vice-versa. Within a service you can have different EAP-TLS methods with or without OCSP override. If you have the OCSP URL in your certifcates, you can also rely on that and don't use the OCSP override at all.'

    So I could add multiple EAP-TLS methodes with OCSP enabled (and then for example the OCSP url for byod certificates in the first and the url for AD certificates in the second)?

    So that my authentication methodes tab looks something like this;

    Example_EAP-TLS_With_OCSP_BYOD -> 'with OCSP url to BYOD stated in the config'

    Example_EAP-TLS_With_OCSP_DOMAIN -> 'with OCSP url to DOMAIN stated in the config'

    And what do you mean with OCSP URL in your certificates? If I have that enabled I don't need the EAP-TLS with OCSP but just EAP-TLS as authentication method?


    Kind regards,
    Jer




  • 5.  RE: OCSP certificate revocation
    Best Answer

    EMPLOYEE
    Posted May 17, 2023 09:01 AM

    Yes, I would not pick single SSID onboarding unless you have a good reason to do it, and the guest network is typically a good way to connect to your ClearPass and start Onboarding, or connect to the internet and use a mobile device management system to enroll your client.

    I indeed answered the question with a service per tenant instead of a ClearPass per tenant. ClearPass per tenant or shared ClearPass services across tenant depends on the situation. If the tenant 'owns' the ClearPass or if they need to have access to the admin side of ClearPass, using a dedicated ClearPass will probably make the most sense. Having one shared ClearPass and use separate services per tenant has typically the benefit that you can share investments in redundancy/capacity across multiple customers. There is no good or bad here, it just depends.

    You can have 1 EAP-TLS method per service, which suggests that if you need multiple EAP-TLS method that you would need to split them over multiple services.

    On the OCSP URL in your certificates, certificate usual have the CRL and OCSP location embedded in the certificate:
    So, if all your client certificates have the OCSP URL included, ClearPass can just use that to verify the validity of the certificate.
    It is just that if that URL is not there, or invalid/unreachable, that you can override the OCSP URL from the certificate, and for Onboard that is recommended to override it to http://127.0.0.1/xxxx such that the OCSP request always happens locally on the authenticating ClearPass, even in a cluster. But the 'normal' method is to use the OCSP information from the certificate, which is added in by the CA so can be trusted.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: OCSP certificate revocation

    Posted May 17, 2023 09:30 AM

    Thanks Herman,

    I understand it now!

    Kind regards,

    Jer




  • 7.  RE: OCSP certificate revocation

    Posted May 22, 2023 05:04 AM

    'Yes, I would not pick single SSID onboarding unless you have a good reason to do it, and the guest network is typically a good way to connect to your ClearPass and start Onboarding, or connect to the internet and use a mobile device management system to enroll your client.'

    After thinking about this solution I still have a question about the onboarding using two SSID's that you suggested. How secure is this? because when I see the onboarding workflow, the user needs to put their AD credentials on the captive portal to get access to the quick connect app install button. Is this secure even wehen you do this on your guest network? And what other benefits does using two SSID's have instead of using one other than that you have to delete the current network?




  • 8.  RE: OCSP certificate revocation

    EMPLOYEE
    Posted May 26, 2023 11:13 AM

    Yes, the full process is running over HTTPS, and this is also why you need valid and trusted HTTPS certificates on your ClearPass. It's as secure as users putting their password in another website. You can also use SAML/OAuth Single Sign On and use an external Identity Provider to put the actual AD credentials in (and enforce MFA, etc). That is described in the Onboard and Cloud Authentication Providers Tech Note. But the Onboarding process itself is fully HTTPS, so I would not see that as a risk to run it over a guest network on itself.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------