Security

  • 1.  tls authentication work, but not work :)

    Posted Feb 26, 2024 08:05 AM
    Edited by andrea.armellini Feb 26, 2024 08:10 AM

    Hello

    I'm looking for help to get out of this problem that is bothering me.

    My scenario:

    We have ClearPass used only for Wi-Fi connections. Wired connections don't have 802.1X.

    User and machine authentication is done with Windows Active Directory, using EAP-TLS.

    The Wi-Fi policy profiles are correctly configured in our GPO environment.

    The user certificate is created using an autoenrollment policy from our internal CA.

    All works without problems, except in this scenario:

    If a PC is connected to the 802.1X SSID and a user has never logged in, the following events happen:

    • Before logging on, the PC is connected to Wi-Fi, manages to perform machine authentication and receives a role based on the enforcement configured on ClearPass. Normally it is quarantined, and from the quarantine it can reach the domain controllers.
    • By being able to contact the domain controllers, the user is able to log on.
    • The user profile is created and, as soon as you get to the Windows desktop, you notice that Wi-Fi is not connected.
    • If you try to connect to Wi-Fi manually you receive the message: "You cannot connect because you need a certificate to access..."

    So I have this behavior: the PC is connected to Wi-Fi correctly before logging on and is able to contact the domain controllers to create the user profile.
    At logon it should also create the user certificate through the policy, but this does not happen because Wi-Fi is disconnected, since a certificate is missing to access it.

    If I connect the LAN cable and do a gpupdate /force, the user certificate is created and Wi-Fi starts to work like a charm.

    Is there a way to generate the certificate via the Wi-Fi network, at user logon, without connecting the LAN cable?



  • 2.  RE: tls authentication work, but not work :)

    Posted Feb 26, 2024 09:03 AM

    This probably has to do with the client configuration. If you configured User + Computer Authentication, after the user logs on the authentication will switch to user authentication, which fails because there is no user certificate if the user signs in for the first time. And the computer cannot request a user certificate because it's not connected. For this reason, it's recommended to use computer authentication only with EAP-TLS.

    However, there are settings around Single Sign On in the Windows client configuration that control at what point the network switches from computer to user authentication, which may give a workable solution with EAP-TLS.

    The better option to have a look at is TEAP, which combines computer and user authentication and allows scenarios where the computer authentication succeeds but the user authentication fails to still be granted access, which then allows the user certificate to be requested and enrolled.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: tls authentication work, but not work :)

    Posted Feb 26, 2024 09:56 AM
    Edited by andrea.armellini Feb 26, 2024 09:56 AM

    Hi Herman

    Thank you for your answer

    I found this https://community.arubanetworks.com/discussion/tutorial-clearpass-authentication-using-eap-teap-eap-chaining that shows a TEAP configuration scenario.

    I saw that the configuration is done with MSCHAPv2, which is the reason why we moved from EAP-PEAP to TLS, because our Windows 11 clients with Credential Guard enabled stopped working with Wi-Fi..... Is it the only configuration, or can you use an inner method other than MSCHAPv2?




  • 4.  RE: tls authentication work, but not work :)

    Posted Feb 26, 2024 11:14 AM

    Yes, you can run TLS as the inner method for TEAP. And indeed MSCHAPv2 should be avoided where possible.



    ------------------------------
    Herman Robers
    ------------------------



  • 5.  RE: tls authentication work, but not work :)

    Posted Feb 28, 2024 05:43 AM
    Edited by andrea.armellini Feb 28, 2024 08:30 AM

    Hi Herman

    I configured TEAP with TLS and it seems to resolve the original problem, GREAT! The user profile is created along with the user certificate via the autoenrollment policy. The Wi-Fi connection is not cut as with EAP-TLS.

    TEAP is configured to use method-2 to pass the user-name in Access Tracker, and it seems to work.

    In the guide there is this suggestion, but everything is working without forcing this configuration (in Windows Server 2022 and Windows 11 you can't unflag "Enable identity privacy" either; the flag is no longer there).

    Is there a way to have the PC hostname too? To avoid having logs with an empty username like this:

    I get an empty username at Windows logon, and the user's username once the user is logged in.

    Update: the "anonymous" username is shown in the controller.

    I created two enforcement profiles, one with %{Authentication:TEAP-Method-1-Username} and the other with %{Authentication:TEAP-Method-2-Username}.

    Added them to the enforcement rules in the service.

    Now the controller shows the machine hostname during machine auth and the user's username when user auth is done.




  • 6.  RE: tls authentication work, but not work :)

    Posted Mar 01, 2024 06:54 AM

    It's correct that disabling anonymous authentication is no longer possible, but returning %{Authentication:TEAP-Method-1-Username} for a failed TEAP-Method-2 and %{Authentication:TEAP-Method-2-Username} for a successful Method-2 is indeed the way to get around this.

    The video has been outdated by time... but it's not easy to change just that part of a video.



    ------------------------------
    Herman Robers
    ------------------------



  • 7.  RE: tls authentication work, but not work :)

    Posted Mar 01, 2024 07:57 AM

    I'm struggling with the domain GPO. What works for Windows 11 does not work for Windows 10, and vice versa.

    I tried to export the network profile from the notebooks and replace the EAP config XML in the GPO as explained in the attached HPE Aruba TEAP Configuration manual.

    I think I will have to create 2 different policies and use WMI filters to apply them to Windows 10 and Windows 11 respectively.

    Have you also experienced this configuration difference between W10 and W11?

    In another forum I found this suggestion: "Removing the references to root certificates to get the GPO to "work" on Windows 10 was found in a Cisco discussion group. So this is a known problem."

    And it's true, this works with W10 but not with W11 (which, without a reference to the root certificate, continues to ask to approve the certificate before connecting).
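Two of the points in this thread can be checked directly against an exported WLAN profile: the User + Computer mode that post 2 identifies as the cause of the logon-time switch to user authentication, and the root-certificate references whose presence or absence post 7 reports behaving differently on Windows 10 and Windows 11. The PowerShell below is an added example, not code from the thread, from HPE Aruba or from Microsoft. The sample profile is constructed; the element names (OneX authMode, EapMethod Type, TrustedRootCA, DisableUserPromptForServerValidation) are those of the Windows WLAN profile XML; the build-number threshold used to tell Windows 11 from Windows 10 in a WMI filter is an assumption to verify against your image inventory.

```powershell
# Added example (not from the thread): summarise the 802.1X/EAP settings of a
# Windows WLAN profile and flag the two situations discussed above.
# Namespace-agnostic XPath (local-name()) is used because the EAP-TLS (type 13),
# PEAP (25) and TEAP (55) sub-trees live in different XML namespaces.

function Get-WlanEapSummary {
    param([Parameter(Mandatory)][xml]$ProfileXml)

    $authModeNode = $ProfileXml.SelectSingleNode("//*[local-name()='OneX']/*[local-name()='authMode']")
    $eapTypeNode  = $ProfileXml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    $promptNode   = $ProfileXml.SelectSingleNode("//*[local-name()='DisableUserPromptForServerValidation']")

    $authMode = if ($authModeNode) { $authModeNode.InnerText } else { 'unknown' }
    $eapType  = if ($eapTypeNode)  { [int]$eapTypeNode.InnerText } else { -1 }
    # TrustedRootCA holds a SHA-1 thumbprint written as space-separated hex pairs;
    # an empty element means "no root CA pinned".
    $rootCAs  = @($ProfileXml.SelectNodes("//*[local-name()='TrustedRootCA']") |
                  ForEach-Object { $_.InnerText -replace '\s', '' } |
                  Where-Object { $_ })
    $promptDisabled = $promptNode -and ($promptNode.InnerText -eq 'true')

    $findings = @()
    if ($authMode -eq 'machineOrUser' -and $eapType -eq 13) {
        $findings += 'EAP-TLS with authMode=machineOrUser: the client switches to user ' +
                     'authentication at logon, which fails until a user certificate exists ' +
                     '(consider authMode=machine, or TEAP = EAP type 55 with TLS inner methods).'
    }
    if ($rootCAs.Count -eq 0 -and -not $promptDisabled) {
        $findings += 'No TrustedRootCA pinned and the server-validation prompt is not disabled: ' +
                     'the client may ask the user to approve the RADIUS server certificate.'
    }

    [pscustomobject]@{
        AuthMode           = $authMode
        EapType            = $eapType
        TrustedRootCAs     = $rootCAs
        UserPromptDisabled = [bool]$promptDisabled
        Findings           = $findings
    }
}

# Windows 11 reports the same major version as Windows 10 (10.0), so a GPO WMI
# filter has to key on the build number. 22000 is taken here as the first
# Windows 11 build (assumption; verify against your inventory). WQL for the
# Windows 11 filter, with the Windows 10 filter using "<" instead:
#   SELECT * FROM Win32_OperatingSystem WHERE BuildNumber >= "22000"
function Get-WindowsClientGeneration {
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    if ($build -ge 22000) { 'Windows11' } else { 'Windows10' }
}

# Constructed sample: an EAP-TLS profile with user+computer authentication and
# no pinned root CA, i.e. the configuration the original post started from.
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-8021X</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>13</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                  <TrustedRootCA></TrustedRootCA>
                </ServerValidation>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

Get-WlanEapSummary -ProfileXml $sample | Format-List

# To inspect a live client instead of the sample (the interface name is part
# of the exported file name, hence the wildcard):
#   netsh wlan export profile name="CORP-8021X" folder="$env:TEMP"
#   Get-ChildItem "$env:TEMP\*CORP-8021X.xml" |
#       ForEach-Object { Get-WlanEapSummary -ProfileXml ([xml](Get-Content $_ -Raw)) }
```

Run against the sample, the summary reports both findings; run against a profile exported from a Windows 10 and a Windows 11 client after the GPO has applied, the TrustedRootCAs and UserPromptDisabled fields show which of the two variants each OS actually received, which is the comparison the two-GPO/WMI-filter split in post 7 depends on.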