Security

Hello

I'm looking for help to get out of this problem that is bothering me.

My scenario:

We have clearpass used only for wifi connection. Wired connection doesn't have 802.1x

User and machine authentication is done with windows active directory, using EAP TLS.

Wifi policy profile are right configured in our gpo environment.

User certificate is created using autoenrollment policy, from our internal CA.

All works without problems, except in this scenario:

If a pc is connected in 802.1x ssid and a user has never logged in the following events happens:

• Before logging on, the PC is connected to WiFi, manages to perform machine authentication and receives a role based on the enforcement configured on clearpass. Normally it is quarantined and from the quarantine it can reach the domain controllers
•  By being able to contact the domain controllers, the user is able to log on
• The user profile is created and as soon as you get to the windows desktop, you notice that the wifi is not connected
• If you try to connect to WiFi manually you receive the message: "You cannot connect because you need a certificate to access..."

So I have this behavior: the PC is connected to the wifi correctly before logging on and is able to contact the domain controllers to create the user profile.
At logon it should also create the user certificate through the policy, but this does not happen because the wifi is disconnected because a certificate is missing to access.

If I connect the LAN cable and I do a gpupdate /force the user certificate is created and wifi start to work like a charm.

Is there a way to generate the certificate via the wifi network, at user logon, without connecting the LAN cable?

This probably has to do with the client configuration. If you configured User + Computer Authentication, after the User logs on, the authentication will switch to User Authentication, which fails because there is no User certificate if the user signs in for the first time. And the computer cannot request a user certificate because it's not connected. For this reason, it's recommended to use computer authentication only with EAP-TLS.

However, there are settings around Single Sign On in the Windows client configuration that control at what point the network switches from computer to user authentication, which may give a workable solution with EAP-TLS.

The better options to have a look at is TEAP, which combines the computer and user authentication and allows scenarios where the computer authentication succeeds, but user authentication fails, that still access is provided, which then allows the user certificate to be requested and enrolled. 

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 08:04 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hello

I'm looking for help to get out of this problem that is bothering me.

My scenario:

We have clearpass used only for wifi connection. Wired connection doesn't have 802.1x

User and machine authentication is done with windows active directory, using EAP TLS.

Wifi policy profile are right configured in our gpo environment.

User certificate is created using autoenrollment policy, from our internal CA.

All works without problems, except in this scenario:

If a pc is connected in 802.1x ssid and a user has never logged in the following events happens:

• Before logging on, the PC is connected to WiFi, manages to perform machine authentication and receives a role based on the enforcement configured on clearpass. Normally it is quarantined and from the quarantine it can reach the domain controllers
•  By being able to contact the domain controllers, the user is able to log on
• The user profile is created and as soon as you get to the windows desktop, you notice that the wifi is not connected
• If you try to connect to WiFi manually you receive the message: "You cannot connect because you need a certificate to access..."

So I have this behavior: the PC is connected to the wifi correctly before logging on and is able to contact the domain controllers to create the user profile.
At logon it should also create the user certificate through the policy, but this does not happen because the wifi is disconnected because a certificate is missing to access.

If I connect the LAN cable and I do a gpupdate /force the user certificate is created and wifi start to work like a charm.

Is there a way to generate the certificate via the wifi network, at user logon, without connecting the LAN cable?

Hi Herman

Thank you for your answer

I found this https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining that show a TEAP configuration scenario.

I saw that configuration is done with MSCHAPv2 that is the reason why we move from EAP-PEAP to TLS, because our windows 11 clients with credentials guard enabled, stop working with wifi.....It's the only configuration or you can use other inner method different from MSCHAPv2?

Original Message:
Sent: Feb 26, 2024 09:02 AM
From: Herman Robers
Subject: tls authentication work, but not work :)

This probably has to do with the client configuration. If you configured User + Computer Authentication, after the User logs on, the authentication will switch to User Authentication, which fails because there is no User certificate if the user signs in for the first time. And the computer cannot request a user certificate because it's not connected. For this reason, it's recommended to use computer authentication only with EAP-TLS.

However, there are settings around Single Sign On in the Windows client configuration that control at what point the network switches from computer to user authentication, which may give a workable solution with EAP-TLS.

The better options to have a look at is TEAP, which combines the computer and user authentication and allows scenarios where the computer authentication succeeds, but user authentication fails, that still access is provided, which then allows the user certificate to be requested and enrolled. 

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 08:04 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hello

I'm looking for help to get out of this problem that is bothering me.

My scenario:

We have clearpass used only for wifi connection. Wired connection doesn't have 802.1x

User and machine authentication is done with windows active directory, using EAP TLS.

Wifi policy profile are right configured in our gpo environment.

User certificate is created using autoenrollment policy, from our internal CA.

All works without problems, except in this scenario:

If a pc is connected in 802.1x ssid and a user has never logged in the following events happens:

• Before logging on, the PC is connected to WiFi, manages to perform machine authentication and receives a role based on the enforcement configured on clearpass. Normally it is quarantined and from the quarantine it can reach the domain controllers
•  By being able to contact the domain controllers, the user is able to log on
• The user profile is created and as soon as you get to the windows desktop, you notice that the wifi is not connected
• If you try to connect to WiFi manually you receive the message: "You cannot connect because you need a certificate to access..."

So I have this behavior: the PC is connected to the wifi correctly before logging on and is able to contact the domain controllers to create the user profile.
At logon it should also create the user certificate through the policy, but this does not happen because the wifi is disconnected because a certificate is missing to access.

If I connect the LAN cable and I do a gpupdate /force the user certificate is created and wifi start to work like a charm.

Is there a way to generate the certificate via the wifi network, at user logon, without connecting the LAN cable?

Yes, you can run TLS as inner methods for TEAP. And indeed MSCHAPv2 should be avoided where possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 09:55 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hi Herman

Thank you for your answer

I found this https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining that show a TEAP configuration scenario.

I saw that configuration is done with MSCHAPv2 that is the reason why we move from EAP-PEAP to TLS, because our windows 11 clients with credentials guard enabled, stop working with wifi.....It's the only configuration or you can use other inner method different from MSCHAPv2?

Original Message:
Sent: Feb 26, 2024 09:02 AM
From: Herman Robers
Subject: tls authentication work, but not work :)

This probably has to do with the client configuration. If you configured User + Computer Authentication, after the User logs on, the authentication will switch to User Authentication, which fails because there is no User certificate if the user signs in for the first time. And the computer cannot request a user certificate because it's not connected. For this reason, it's recommended to use computer authentication only with EAP-TLS.

However, there are settings around Single Sign On in the Windows client configuration that control at what point the network switches from computer to user authentication, which may give a workable solution with EAP-TLS.

The better options to have a look at is TEAP, which combines the computer and user authentication and allows scenarios where the computer authentication succeeds, but user authentication fails, that still access is provided, which then allows the user certificate to be requested and enrolled. 

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 08:04 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hello

I'm looking for help to get out of this problem that is bothering me.

My scenario:

We have clearpass used only for wifi connection. Wired connection doesn't have 802.1x

User and machine authentication is done with windows active directory, using EAP TLS.

Wifi policy profile are right configured in our gpo environment.

User certificate is created using autoenrollment policy, from our internal CA.

All works without problems, except in this scenario:

If a pc is connected in 802.1x ssid and a user has never logged in the following events happens:

• Before logging on, the PC is connected to WiFi, manages to perform machine authentication and receives a role based on the enforcement configured on clearpass. Normally it is quarantined and from the quarantine it can reach the domain controllers
•  By being able to contact the domain controllers, the user is able to log on
• The user profile is created and as soon as you get to the windows desktop, you notice that the wifi is not connected
• If you try to connect to WiFi manually you receive the message: "You cannot connect because you need a certificate to access..."

So I have this behavior: the PC is connected to the wifi correctly before logging on and is able to contact the domain controllers to create the user profile.
At logon it should also create the user certificate through the policy, but this does not happen because the wifi is disconnected because a certificate is missing to access.

If I connect the LAN cable and I do a gpupdate /force the user certificate is created and wifi start to work like a charm.

Is there a way to generate the certificate via the wifi network, at user logon, without connecting the LAN cable?

Hi Herman

I configured TEAP with TLS and it seems to resolve the original problem, GREAT! User profile is created along with user certificate with the autoenrollment policy. Wifi connection is not cut as with EAP-TLS

TEAP is configured to use method-2 to pass user-name in Access-Tracker, and it seems to work.

In the guide there is this suggestion, but all it's working without forcing this configuration (in windows server 2022 and windows 11 you can't unflag "Enable identity privacy" too, the flag is no longer there

Is there a way to have the pc hostname too? To avoid to have log with empty username like this:

I get empty username at windows logon, and user username once user logged in.

Update: the "anonymous" username is show in the controller.

I created two enforcment profile, once with %{Authentication:TEAP-Method-1-Username} and other with %{Authentication:TEAP-Method-2-Username}

Added them to enforcment rules in the service

Now the controller show machine hostname during machine auth and user username when user auth is done

Original Message:
Sent: Feb 26, 2024 11:14 AM
From: Herman Robers
Subject: tls authentication work, but not work :)

Yes, you can run TLS as inner methods for TEAP. And indeed MSCHAPv2 should be avoided where possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 09:55 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hi Herman

Thank you for your answer

I found this https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining that show a TEAP configuration scenario.

I saw that configuration is done with MSCHAPv2 that is the reason why we move from EAP-PEAP to TLS, because our windows 11 clients with credentials guard enabled, stop working with wifi.....It's the only configuration or you can use other inner method different from MSCHAPv2?

Original Message:
Sent: Feb 26, 2024 09:02 AM
From: Herman Robers
Subject: tls authentication work, but not work :)

This probably has to do with the client configuration. If you configured User + Computer Authentication, after the User logs on, the authentication will switch to User Authentication, which fails because there is no User certificate if the user signs in for the first time. And the computer cannot request a user certificate because it's not connected. For this reason, it's recommended to use computer authentication only with EAP-TLS.

However, there are settings around Single Sign On in the Windows client configuration that control at what point the network switches from computer to user authentication, which may give a workable solution with EAP-TLS.

The better options to have a look at is TEAP, which combines the computer and user authentication and allows scenarios where the computer authentication succeeds, but user authentication fails, that still access is provided, which then allows the user certificate to be requested and enrolled. 

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 08:04 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hello

I'm looking for help to get out of this problem that is bothering me.

My scenario:

We have clearpass used only for wifi connection. Wired connection doesn't have 802.1x

User and machine authentication is done with windows active directory, using EAP TLS.

Wifi policy profile are right configured in our gpo environment.

User certificate is created using autoenrollment policy, from our internal CA.

All works without problems, except in this scenario:

If a pc is connected in 802.1x ssid and a user has never logged in the following events happens:

• Before logging on, the PC is connected to WiFi, manages to perform machine authentication and receives a role based on the enforcement configured on clearpass. Normally it is quarantined and from the quarantine it can reach the domain controllers
•  By being able to contact the domain controllers, the user is able to log on
• The user profile is created and as soon as you get to the windows desktop, you notice that the wifi is not connected
• If you try to connect to WiFi manually you receive the message: "You cannot connect because you need a certificate to access..."

So I have this behavior: the PC is connected to the wifi correctly before logging on and is able to contact the domain controllers to create the user profile.
At logon it should also create the user certificate through the policy, but this does not happen because the wifi is disconnected because a certificate is missing to access.

If I connect the LAN cable and I do a gpupdate /force the user certificate is created and wifi start to work like a charm.

Is there a way to generate the certificate via the wifi network, at user logon, without connecting the LAN cable?

It's correct that disabling anonymous authentication is no longer possible, but by returning the %{Authentication:TEAP-Method-1-Username} for failed TEAP-Method-2 and %{Authentication:TEAP-Method-2-Username} for successful Method-2, is indeed the way to get around this.

Video has been outdated by the time... but it's not easy to change just that part of a video.

Hi Herman

I configured TEAP with TLS and it seems to resolve the original problem, GREAT! User profile is created along with user certificate with the autoenrollment policy. Wifi connection is not cut as with EAP-TLS

TEAP is configured to use method-2 to pass user-name in Access-Tracker, and it seems to work.

In the guide there is this suggestion, but all it's working without forcing this configuration (in windows server 2022 and windows 11 you can't unflag "Enable identity privacy" too, the flag is no longer there

Is there a way to have the pc hostname too? To avoid to have log with empty username like this:

I get empty username at windows logon, and user username once user logged in.

Update: the "anonymous" username is show in the controller.

I created two enforcment profile, once with %{Authentication:TEAP-Method-1-Username} and other with %{Authentication:TEAP-Method-2-Username}

Added them to enforcment rules in the service

Now the controller show machine hostname during machine auth and user username when user auth is done

Original Message:
Sent: Feb 26, 2024 11:14 AM
From: Herman Robers
Subject: tls authentication work, but not work :)

Yes, you can run TLS as inner methods for TEAP. And indeed MSCHAPv2 should be avoided where possible.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 09:55 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hi Herman

Thank you for your answer

I found this https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining that show a TEAP configuration scenario.

I saw that configuration is done with MSCHAPv2 that is the reason why we move from EAP-PEAP to TLS, because our windows 11 clients with credentials guard enabled, stop working with wifi.....It's the only configuration or you can use other inner method different from MSCHAPv2?

Original Message:
Sent: Feb 26, 2024 09:02 AM
From: Herman Robers
Subject: tls authentication work, but not work :)

This probably has to do with the client configuration. If you configured User + Computer Authentication, after the User logs on, the authentication will switch to User Authentication, which fails because there is no User certificate if the user signs in for the first time. And the computer cannot request a user certificate because it's not connected. For this reason, it's recommended to use computer authentication only with EAP-TLS.

However, there are settings around Single Sign On in the Windows client configuration that control at what point the network switches from computer to user authentication, which may give a workable solution with EAP-TLS.

The better options to have a look at is TEAP, which combines the computer and user authentication and allows scenarios where the computer authentication succeeds, but user authentication fails, that still access is provided, which then allows the user certificate to be requested and enrolled. 

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Feb 26, 2024 08:04 AM
From: andrea.armellini
Subject: tls authentication work, but not work :)

Hello

I'm looking for help to get out of this problem that is bothering me.

My scenario:

We have clearpass used only for wifi connection. Wired connection doesn't have 802.1x

User and machine authentication is done with windows active directory, using EAP TLS.

Wifi policy profile are right configured in our gpo environment.

User certificate is created using autoenrollment policy, from our internal CA.

All works without problems, except in this scenario:

If a pc is connected in 802.1x ssid and a user has never logged in the following events happens:

• Before logging on, the PC is connected to WiFi, manages to perform machine authentication and receives a role based on the enforcement configured on clearpass. Normally it is quarantined and from the quarantine it can reach the domain controllers
•  By being able to contact the domain controllers, the user is able to log on
• The user profile is created and as soon as you get to the windows desktop, you notice that the wifi is not connected
• If you try to connect to WiFi manually you receive the message: "You cannot connect because you need a certificate to access..."

So I have this behavior: the PC is connected to the wifi correctly before logging on and is able to contact the domain controllers to create the user profile.
At logon it should also create the user certificate through the policy, but this does not happen because the wifi is disconnected because a certificate is missing to access.

If I connect the LAN cable and I do a gpupdate /force the user certificate is created and wifi start to work like a charm.

Is there a way to generate the certificate via the wifi network, at user logon, without connecting the LAN cable?