View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Scepman + Clearness EAP-TEAP

This thread has been viewed 20 times
  • 1.  Scepman + Clearness EAP-TEAP

    Posted 30 days ago

    Hello Guys,

    I want some clarification on how EAP-TEAP works in the authentication process and not taking advantages of a bug. I was presenting my implementation to my boss and turned out my assumption about how the authentication works is wrong. 

    I am using Intune connector to sync to the endpoint repository in Clearpass.

    I thought I was only synced device attributes. Here is my attributes:

    But when I get connected the logs shows:INFO RadiusServer.Radius - rlm_sql: found user *** in Local:localhost

    Which is my endpoint sql source. I just want to know how that is possible. 

    My theory is that EAP-TLS just look at the cert on the computer and retrieve the username and skip authentication. But that is not true I think.


    For all your help. 

  • 2.  RE: Scepman + Clearness EAP-TEAP

    Posted 30 days ago

    You do not need Endpoint Repository under authentication source for TEAP workflow. Your assumption is correct that for TEAP / EAP-TLS auth, only the cert is validated and there is no need for an auth source. In the TEAP / EAP-TLS auth method config if you have authorization enabled, it will however do a lookup against auth sources to check of the user name exists.

    If you want to do a secondary authorization lookup to check if the CN of the cert / username exists in AD / Azure AD, you can add appropriate auth source. If you don't care about this step and just need basic cert validation, you don't need any auth sources, but the UI will require you to have some auth source in there. Can you add maybe the [Local User Repository] or [Admin User Repository] instead.

  • 3.  RE: Scepman + Clearness EAP-TEAP

    Posted 30 days ago

    Hey @mattAruba,

    If I choose any other source it fails because I have authorization enable in my method. But if I disable authorization in the Authentication Methods tab, it works as expected. 

    So if I am understanding this correctly, the UI makes you put a source in there but it is not a requirement. 

    My next troubleshooting would be to revoke a user cert and see if I can get on the wifi. 


  • 4.  RE: Scepman + Clearness EAP-TEAP

    Posted 30 days ago

    It is not a hard requirement for EAP-TLS workflows. In this case I would do as you did. Disable authorization in the method and put some dummy source as auth source. Doing the authorization provides additional layer of security though like if a user account is disabled in AD but the cert is still valid, doing a lookup and checking for account status ensures that only valid users are connecting.