Security

Hello Guys,

I want some clarification on how EAP-TEAP works in the authentication process and not taking advantages of a bug. I was presenting my implementation to my boss and turned out my assumption about how the authentication works is wrong. 

I am using Intune connector to sync to the endpoint repository in Clearpass.

I thought I was only synced device attributes. Here is my attributes:

But when I get connected the logs shows:INFO RadiusServer.Radius - rlm_sql: found user *** in Local:localhost

Which is my endpoint sql source. I just want to know how that is possible. 

My theory is that EAP-TLS just look at the cert on the computer and retrieve the username and skip authentication. But that is not true I think.

Thanks 

For all your help. 

You do not need Endpoint Repository under authentication source for TEAP workflow. Your assumption is correct that for TEAP / EAP-TLS auth, only the cert is validated and there is no need for an auth source. In the TEAP / EAP-TLS auth method config if you have authorization enabled, it will however do a lookup against auth sources to check of the user name exists.

If you want to do a secondary authorization lookup to check if the CN of the cert / username exists in AD / Azure AD, you can add appropriate auth source. If you don't care about this step and just need basic cert validation, you don't need any auth sources, but the UI will require you to have some auth source in there. Can you add maybe the [Local User Repository] or [Admin User Repository] instead.

Hello Guys,

I want some clarification on how EAP-TEAP works in the authentication process and not taking advantages of a bug. I was presenting my implementation to my boss and turned out my assumption about how the authentication works is wrong. 

I am using Intune connector to sync to the endpoint repository in Clearpass.

I thought I was only synced device attributes. Here is my attributes:

But when I get connected the logs shows:INFO RadiusServer.Radius - rlm_sql: found user *** in Local:localhost

Which is my endpoint sql source. I just want to know how that is possible. 

My theory is that EAP-TLS just look at the cert on the computer and retrieve the username and skip authentication. But that is not true I think.

Thanks 

For all your help. 

Hey @mattAruba,

If I choose any other source it fails because I have authorization enable in my method. But if I disable authorization in the Authentication Methods tab, it works as expected. 

So if I am understanding this correctly, the UI makes you put a source in there but it is not a requirement. 

My next troubleshooting would be to revoke a user cert and see if I can get on the wifi. 

Thanks.

You do not need Endpoint Repository under authentication source for TEAP workflow. Your assumption is correct that for TEAP / EAP-TLS auth, only the cert is validated and there is no need for an auth source. In the TEAP / EAP-TLS auth method config if you have authorization enabled, it will however do a lookup against auth sources to check of the user name exists.

If you want to do a secondary authorization lookup to check if the CN of the cert / username exists in AD / Azure AD, you can add appropriate auth source. If you don't care about this step and just need basic cert validation, you don't need any auth sources, but the UI will require you to have some auth source in there. Can you add maybe the [Local User Repository] or [Admin User Repository] instead.

Hello Guys,

I want some clarification on how EAP-TEAP works in the authentication process and not taking advantages of a bug. I was presenting my implementation to my boss and turned out my assumption about how the authentication works is wrong. 

I am using Intune connector to sync to the endpoint repository in Clearpass.

I thought I was only synced device attributes. Here is my attributes:

But when I get connected the logs shows:INFO RadiusServer.Radius - rlm_sql: found user *** in Local:localhost

Which is my endpoint sql source. I just want to know how that is possible. 

My theory is that EAP-TLS just look at the cert on the computer and retrieve the username and skip authentication. But that is not true I think.

Thanks 

For all your help.