Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

User certificate problem - 8021x Clearpass

  • 1.  User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 08:26 AM
    Hello everyone,

    I have a small problem with 8021x, i.e.:
    I authenticate my clients by user and computer certificate.
    In the wireless network, everything works as it should, no matter how the supplicant is set (user/computer, user or computer); in the ClearPass Access Tracker I see reflections of the user or computer, asd@domain.com or host/xyz
    (in the certificate I use EKU client auth 1.3.6.1.5.5.7.3.2)

    On the other hand, in a wired network, this is not the case anymore, i.e. only the computer's certificate works, and I would like to see in the logs (Access Tracker) who logged in (i.e. the user's certificate).
    When I set the supplicant to "user authentication", no events appear in the Access Tracker.
    The Windows error log shows that the Client has not presented its certificate.

    Maybe someone will tell me what the certificate for a user for a wired network should look like, or what could be the cause of such an error.
    On the Microsoft website I read that it must be defined in the certificate EKU 1.3.6.1.5.5.7.3.14 eapOverLAN - unfortunately it still does not work

    I'll be grateful for any hints.
    Thank you in advance
    Regards :)


  • 2.  RE: User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 08:53 AM
    This sounds like a client problem.  Are your wired settings EXACTLY the same as wireless on the supplicant?  Same trusted CAs?  Same EAP types, etc?


  • 3.  RE: User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 09:16 AM
    This is the same computer with user and computer certificate,
    Supplicant set the same on wired and wireless networks.
    EAP TLS and PEAP.


  • 4.  RE: User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 09:38 AM
    EAP TLS and PEAP?  What do you mean?  Are you using EAP-TLS for computer auth and PEAP for user auth?


  • 5.  RE: User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 10:06 AM
    My mistake, EAP-PEAP and TLS I have defined in the ClearPass service as authentication methods; the client and computer only use the TLS certificate.


  • 6.  RE: User certificate problem - 8021x Clearpass

    EMPLOYEE
    Posted Dec 06, 2022 11:34 AM
    I've never had to change the EKU to anything else than Client Authentication. Are you sure that the user that tries to sign in has a valid User certificate? If the certificate works on wireless, it works on wired as well and vice versa. But I may learn something new.

    What does Access Tracker (the Alerts tab) tell you about this authentication that fails?

    Did you change anything on the client/supplicant on the certificate selection?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 11:50 AM
    The certificate is valid because I use it to authenticate myself in the wireless network and it can be seen in the Access Tracker - ACCEPT, after which I get the appropriate role and VLAN.
    Unfortunately, when I try to authenticate myself in the wired network (the supplicant is set the same as in the wireless network), nothing appears in the Access Tracker.
    I checked the Windows system logs and it looks as if it does not present itself with a certificate for some reason.
    I also tried to collect logs from CPASS but without success.

    Default supplicant, certificate authentication - tls, authentication mode - user authentication.
    When I change to computer authentication everything works fine...


  • 8.  RE: User certificate problem - 8021x Clearpass

    Posted Dec 06, 2022 12:10 PM
    Or maybe it's a problem with the configuration of the switch;
    for this it uses HP 5120 Comware 5 switches.

    interface configuration:
    port link-type hybrid
    undo port hybrid vlan 1
    port hybrid vlan 111 untagged
    mac-vlan enable
    stp edge-port enable
    mac-authentication host-mode multi-vlan
    port-security port-mode userlogin-secure
    dot1x re-authenticate
    dot1x auth-fail vlan 1111
    undo dot1x handshake
    undo dot1x multicast-trigger

    but on the other hand, the machine's certificate works... there is only a problem with the user's certificate...


  • 9.  RE: User certificate problem - 8021x Clearpass

    EMPLOYEE
    Posted Dec 08, 2022 07:51 AM
    If you don't see anything in Access Tracker, it's very likely that there is no authentication happening. If you configured your client to do EAP-TLS, it may be smart enough to fully skip authentication which could be the reason that you don't see anything in Access Tracker.

    Indeed weird that it works with the computer certificate and works with the user certificate as well on WLAN, just not on wired.

    What I would do is verify (packet capture/port mirror) if the client is sending EAPoL traffic, if it is not, I would try with another client certificate to find out if it is something generic or certificate specific. In the Windows supplicant you could also disable 'automatic certificate selection' and put in the certificate selection criteria like purpose and issuing CA. If it is more specific that may help your client to select the certificate.

    If you have a partner, or can work with Aruba TAC, they may be able to test with your certificates in a different environment. It's hard to troubleshoot here without having access to the certificates.

    ------------------------------
    Herman Robers
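To act on the advice in the last reply (first check whether the client sends EAPoL at all, then look at which identity it presents), here is an added example that is not from this thread, from Aruba or from ClearPass: a small Python parser for EAPoL frames taken from a port-mirror capture, run over a constructed sample. The frame layout follows IEEE 802.1X and RFC 3748; the client MAC, host names and identities in the sample are made up.

```python
import struct
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
def parse_eapol(frame):
    """Summarise one Ethernet frame; None if it is not EAPoL (EtherType 0x888E)."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return None
    _ver, ptype, length = struct.unpack("!BBH", frame[14:18])
    info = {"src": frame[6:12].hex(":"), "eapol_type": EAPOL_TYPES.get(ptype, ptype),
            "eap_code": None, "eap_type": None, "identity": None}
    body = frame[18:18 + length]
    if ptype == 0 and len(body) >= 4:          # EAP packet carried inside EAPoL
        code, _id, elen = struct.unpack("!BBH", body[:4])
        etype = body[4] if elen >= 5 and len(body) >= 5 else None   # Success/Failure have no type
        info["eap_code"], info["eap_type"] = code, EAP_TYPES.get(etype, etype)
        if code == 2 and etype == 1:            # EAP-Response/Identity
            # The outer identity shows whether the supplicant is doing computer
            # ("host/...") or user ("user@domain") authentication.
            info["identity"] = body[5:elen].decode("utf-8", "replace")
    return info
def classify_identity(identity):
    if not identity:
        return "none"
    return "computer" if identity.lower().startswith("host/") else ("user" if "@" in identity else "other")

def summarize_capture(frames):
    """Is the client sending EAPoL at all, and which identity does it present?"""
    s = {"eapol_frames": 0, "eapol_start": 0, "identities": []}
    for p in filter(None, map(parse_eapol, frames)):
        s["eapol_frames"] += 1
        s["eapol_start"] += p["eapol_type"] == "EAPOL-Start"
        if p["identity"]:
            s["identities"].append((p["identity"], classify_identity(p["identity"])))
    s["verdict"] = "supplicant silent: no EAPoL seen" if s["eapol_frames"] == 0 else "supplicant active"
    return s
# Constructed sample capture (not real traffic); the client MAC and names are made up.
PAE_GROUP = bytes.fromhex("0180c2000003")   # 802.1X PAE group destination address
CLIENT = bytes.fromhex("001122334455")
def _eapol(ptype, body=b""):
    return PAE_GROUP + CLIENT + struct.pack("!HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body)) + body
def _identity_response(identity, eap_id=1):
    data = identity.encode()
    return struct.pack("!BBHB", 2, eap_id, 5 + len(data), 1) + data
SAMPLE_CAPTURE = [
    _eapol(1),                                               # EAPOL-Start
    _eapol(0, _identity_response("host/pc01.example.com")),    # computer identity
    _eapol(0, _identity_response("alice@example.com", 2)),     # user identity
    CLIENT + PAE_GROUP + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP, not EAPoL
]
```

On a real capture, feed the raw frames (e.g. read with a pcap library) to summarize_capture: a "supplicant silent" verdict for the user-authentication attempt points at the client side, while an EAPoL-Start with no EAP-Response/Identity suggests the supplicant aborted during certificate selection.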