Security

 View Only
last person joined: 9 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

TEAP - Authorization on both methods?

This thread has been viewed 23 times
  • 1.  TEAP - Authorization on both methods?

    Posted Aug 27, 2024 06:38 PM

    This is a hypothetical scenario for a new design I'm working on.

    I'm deploying TEAP with EAP-TLS for Windows 11 clients which are Intune managed and will be issued with both device and user certificates.

    The policy will allow the following:

    1) Machine only auth (TEAP Method 1) + Authorization with the Intune extension based on DeviceID in the certificate.

    2) Machine and User auth (TEAP Method 1 + TEAP Method 2) + Authorization of the user group membership based on UPN in the certificate.

    Questions:

    - Is there any way in ClearPass to perform authorization on both the machine AND user certificates (during an auth that happens during user login). It seems only the AuthZ attributes from the second TEAP method are available.

    - Is there even any additional security benefit in doing this?

    My thinking is you would want to make sure the user is DEFINITELY authenticating from the endpoint that has already authenticated.

    Additionally, if the Intune device went out of compliance it would be picked up by the next user auth, not just the next machine auth (which might not happen for a long time).

    One thing I considered was including the Intune DeviceID attribute as an additional SAN on the User Certificate.

    There is an obvious benefit to doing this for devices with a single cert (e.g. macOS, iOS/iPadOS, Android), but should it be considered for Windows 11 devices where there are 2 certificates?

    Keen to hear your thoughts :)



  • 2.  RE: TEAP - Authorization on both methods?

    Posted Aug 28, 2024 05:40 AM

    Hi

    With TEAP you already know that the user is authenticating from an authenticated machine as both authentications takes place at the same time. In your policy you can take the unlikely scenario there Method 1 fails and Method 2 is successful and deny access or assign the needed role. One possible cause for this could be an invalid machine certificate but a valid user certificate.

    I have seen a way to use the Method 1 username as search condition in an AD source, see this thread:

    https://community.arubanetworks.com/discussion/clearpass-authentication-using-eap-teap-eap-chaining-username-missing-method-1

    In this post it's described how to create a secondary AD source to search for the computer name and get authorization information for the computer as well.

    Should be possible to do the same also for Intune, but instead utilize the Intune Device ID for the computer.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: TEAP - Authorization on both methods?

    Posted Aug 28, 2024 06:59 AM

    Thanks Jonas,

    That looks like a great solution, but I'm not sure it will work since my Authorization source queries are based on the SAN fields of the certificate presented in TEAP method 1 and TEAP method 2.

    It looks like we can use the authentication username for Method 1, but perhaps not the other computed attributes?

    Cheers,

    Chris




  • 4.  RE: TEAP - Authorization on both methods?

    Posted Aug 29, 2024 06:04 AM

    What information do you plan to check during the authorization of the computer?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: TEAP - Authorization on both methods?

    Posted Aug 29, 2024 11:45 PM

    Specifically looking at Intune attributes (e.g. compliance status). We would query Intune using an HTTP AuthZ source using the DeviceID in the SAN field of the cert to query the Intune extension, which would query the Graph API.

    One possible solution is just to include the DeviceID cert as an additional SAN on the user cert.




  • 6.  RE: TEAP - Authorization on both methods?

    Posted Aug 30, 2024 02:07 AM

    Storing the information in the user certificate may be one of the simpliest ways to solve this.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: TEAP - Authorization on both methods?

    Posted Aug 30, 2024 02:13 AM

    That's what I was thinking - in theory the device ID in the user cert would always match the device ID in the device cert, since they would be generated at the same time.

    The only exception would be if the user could somehow export the user cert, but then they would be stuck without a successful TEAP Method 1 auth anyway.


    Can you think of any other potential downsides?




  • 8.  RE: TEAP - Authorization on both methods?

    Posted Aug 30, 2024 02:30 AM

    As you mention the verification of the device is done in TEAP Method 1 and if this isn't successful the request should be rejected. Maybe it's possible to move a user certificate from one device with a valid device certificate to another but in normal situations that's not possible.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------