Security

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Ok, I understand your issue better now but I have not been in the same situation and have not tried to implement the type of identifications you try to achive.

If the username in the certificate is in the form xyz@domain.fr you should also see the name in the Radius attributes.

Can you build your services in another way and instead of using several services depending on the domain the user is from have the same service for one SSID and assign different roles?

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Not 100% sure what you are asking but maybe this will help:

We have two different service policies - "Wireless 802.1X" (EAP-TLS) and "Wireless 802.1X TEAP"




The service is matched on the outer method (METHOD-1) of TEAP and comes across without a user-name/anonymous.  This is forced in Windows and has been for quite a while.  

Once the outer method is authenticated, it will try the inner method (METHOD-2).  When method-2 is authenticated it does not try to go through the service categorization again and will use the same CPPM service it used for method-1. 

This means that you can not create service rules to match on the method-2 information and only on the method-1 information.  Also, you will need to have it match on Radius:IETF:User-Name=anonymous

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Thank you for the answer. 

To be honest, I don't really understand the need of 2 methods here. I think the check on anonymous can be done in the second method before using TLS. Maybe I missed a point.

We get the answer from our MDM (Intune for naming it). They do configure outer-identity for EAP/PEAP and EAP/TTLS method, but they DO NOT let you configure it for EAP/TLS method. For this method, they use CN of the certificate for outer AND inner identity. There is no evolution to expect for this feature from Microsoft. After reading radius RFC, there is no obligation to use outer-identity.

=> I will address my problem by regrouping services for the same SSID.

Not 100% sure what you are asking but maybe this will help:

We have two different service policies - "Wireless 802.1X" (EAP-TLS) and "Wireless 802.1X TEAP"




The service is matched on the outer method (METHOD-1) of TEAP and comes across without a user-name/anonymous.  This is forced in Windows and has been for quite a while.  

Once the outer method is authenticated, it will try the inner method (METHOD-2).  When method-2 is authenticated it does not try to go through the service categorization again and will use the same CPPM service it used for method-1. 

This means that you can not create service rules to match on the method-2 information and only on the method-1 information.  Also, you will need to have it match on Radius:IETF:User-Name=anonymous

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

I think you should test on IETF:User-Name, not on Authentication:Full-Username. During the service categorization is the Authentication:Full-Username not available as it is only after authentication. Somewhere below there is a screenshot with IETF:User-Name in the service condition.

Hopefully you can test on the client supplied identity for your service categorization. Another option, as you mention a combination of EAP-TLS, EAP-PEAP (Deprecated!) and EAP-TTLS (also not always secure), you could put all three methods in the same service. Then do role mapping or enforcement based on the authentication method and/or authorization attributes.

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.

I did regroup services together, but It's impossible to do EAP-TLS + EAP TTLS and still have a token server configured in authentication sources. Maybe I missed a point here ?

ATM I still have one service for TLS and another for PEAP+TTLS. I tried to add a check on Authentication:Outer-Method EQUALS "EAP-TLS" but it didn't worked. Logs only show "EAP" in outer-Method.

Also, I made some testing and I always have the same value in Authentication:Username ; Authentication:Full-Username and IETF:Username. Even if I misconfigure my terminal to do EAP-PEAP MSCHAPv2 instead of GTC as intended. (I did that to be sure to have only outer-identity on clearpass side)

PS : I will try to disable PEAP, but it's maybe too early for some devices.

Best Regards,

I think you should test on IETF:User-Name, not on Authentication:Full-Username. During the service categorization is the Authentication:Full-Username not available as it is only after authentication. Somewhere below there is a screenshot with IETF:User-Name in the service condition.

Hopefully you can test on the client supplied identity for your service categorization. Another option, as you mention a combination of EAP-TLS, EAP-PEAP (Deprecated!) and EAP-TTLS (also not always secure), you could put all three methods in the same service. Then do role mapping or enforcement based on the authentication method and/or authorization attributes.

Hello, 

Thank you for your response.

We are not trying to do role mapping rules but service categorization conditions. (Sorry if I make it unclear at first post).

We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

But I am looking for a way to do something like this :

I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

We already RUN in production a configuration looking like the screenshot. I investigate service categorization failure for clients' requests configured by a new MDM.

It's possible that we have an issue with the MDM : The string expected as inner-identity is shown in ClearPass Access logs in the Authentication:Full-Username ; Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes. All with the same value. We never see in ClearPass Access logs the string expected for outer-identity.

Hi

I don't know if it's a good idea to utilize the outer identity as this field have started to become mandatory set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguis the clients is to look at the issuing CA. Someting like this:

Hello, 

We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on private PKI. Other clients can access to the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

We planned to deploy others' private PKI, so we can't just filter it by checking if "Authentication:InnerMethod EQUALS EAP-TLS".

I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.

Does there is a documentation that describes in details what is :

• Authentication: Full-Username
• Authentication: Full-Username-Normalized
• Authentication: Username

or maybe it can be :

• RADIUS:IETF: User-Name

I'm planning to try it on IQ environment, and I'm mostly looking for documentation that can help me better target the settings that I need.

PS : First post here. I will be glad to get any advice for the future ones.