  • 1.  OnBoard Default Auth Types

    Posted Aug 01, 2016 04:46 PM

    What is the reasoning behind OnBoard by default using PEAP without Fast Reconnect?



  • 2.  RE: OnBoard Default Auth Types

    Posted Aug 01, 2016 05:06 PM
    Onboard should default to EAP-TLS, not PEAP.


  • 3.  RE: OnBoard Default Auth Types

    Posted Aug 01, 2016 05:34 PM

    Yes, the wizard creates a service with the first Auth Type as EAP-TLS with OCSP.  The second is PEAP without fast reconnect enabled.


    Why PEAP without fast reconnect rather than with?



  • 4.  RE: OnBoard Default Auth Types
    Best Answer

    Posted Aug 01, 2016 05:36 PM

    Fast Connect is considered a security hole by most security teams. So the decision was made to default with it disabled.



  • 5.  RE: OnBoard Default Auth Types

    Posted Aug 02, 2016 11:43 AM

    Interesting. Do you by chance have any examples of this documented anywhere? My Google-fu is failing me on this subject.


    My understanding of the fast reconnect feature is that it is there to provide quicker authentication when roaming from NAD to NAD when properly configured against the same NAS.  If the environment is all Aruba mobility controllers, does fast reconnect even provide a benefit?



  • 6.  RE: OnBoard Default Auth Types

    Posted Aug 02, 2016 11:47 AM
    11r is the suitable secure replacement.

    Are you having issues in your deployment without fast reconnect?


  • 7.  RE: OnBoard Default Auth Types

    Posted Aug 02, 2016 11:52 AM

    No, just trying to understand why CPPM creates the service the way it does. The documentation and associated comments on this subject appear to be nil.




  • 8.  RE: OnBoard Default Auth Types

    Posted Aug 02, 2016 11:57 AM
    It's not a ClearPass feature so you likely won't find any documentation on it. You can find a complete explanation of PEAP and related features on TechNet.

    Also keep in mind that the Onboard service generated by the wizard is designed for single-SSID onboarding, so PEAP would only be used for the first authentication and Fast Connect would never be used anyway.


  • 9.  RE: OnBoard Default Auth Types

    Posted Aug 02, 2016 12:06 PM

    Yes, I know that PEAP is Microsoft's, but that wasn't the documentation I was referring to. I'm just trying to find something on why CPPM wizards set some of the options like they do.


    PEAP would be the first authentication for devices destined for OnBoard, but the customer might not be interested in buying OnBoard licenses for every device they have on the network.