Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

  • 1.  [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Jan 29, 2024 12:27 PM

    Hello, 


    We want to use outer-identity (aka Anonymous identity, in Android OS, for example) in the clearpass service conditions to address the RADIUS request of Wi-Fi clients certified by our private PKI.

    We use the same SSID for different types of mobile devices. Some of these use EAP-TLS to authenticate based on our private PKI. Other clients can access the same SSID using EAP/GTC or EAP/TTLS methods. All of these clients are profiled and get access to different VLANs.

    We plan to deploy other private PKIs, so we can't just filter by checking whether "Authentication:InnerMethod EQUALS EAP-TLS".


    I have seen in another post that "Authentication:Full-Username" does the job, but without any precision, so I'm not sure. Clearpass 802.1X outer identity | Security (arubanetworks.com)

    I also looked at Policy Manager User Guide (arubanetworks.com) but didn't find sufficient information there.


    Is there documentation that describes in detail what these are:

    • Authentication: Full-Username
    • Authentication: Full-Username-Normalized
    • Authentication: Username

    or maybe it can be:

    • RADIUS:IETF: User-Name


    I'm planning to try it in an IQ environment, and I'm mostly looking for documentation that can help me better target the settings I need.

    PS: First post here. I will be glad to get any advice for future ones.



    ------------------------------
    Antoine PERNON
    ------------------------------


  • 2.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Jan 30, 2024 04:52 AM

    Hi

    I don't know if it's a good idea to utilize the outer identity, as this field has started to become mandatorily set to Anonymous on some client types, like newer versions of Windows 11. A better way to distinguish the clients is to look at the issuing CA. Something like this:



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Jan 30, 2024 09:44 AM

    Hello, 

    Thank you for your response.

    We are not trying to do role mapping rules but service categorization conditions. (Sorry if I made it unclear in the first post.)

    We have 2 different services in ClearPass to address clients using EAP-TLS and clients using EAP-PEAP or EAP-TTLS on the same SSID. Maybe this is our problem and I need to regroup them.

    But I am looking for a way to do something like this:

    service categorization

    I do think it's the right way to do it, but with the lack of documentation around these attributes, I'm not 100% sure.

    We already run in production a configuration like the screenshot. I am investigating service categorization failures for requests from clients configured by a new MDM.

    It's possible that we have an issue with the MDM: the string expected as the inner identity is shown in the ClearPass Access logs in the Authentication:Full-Username, Authentication:Full-Username-Normalized and RADIUS:IETF:Username computed attributes, all with the same value. We never see in the ClearPass Access logs the string expected for the outer identity.



    ------------------------------
    Best Regards,
    Antoine PERNON
    ----------------------------------------------
    Aruba Certified Edge Professional
    ACP - ACMP - ACCA
    ------------------------------



  • 4.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Jan 30, 2024 10:30 AM

    Ok, I understand your issue better now, but I have not been in the same situation and have not tried to implement the type of identification you are trying to achieve.

    If the username in the certificate is in the form xyz@domain.fr, you should also see that name in the RADIUS attributes.

    Can you build your services in another way: instead of using several services depending on the domain the user is from, have the same service for one SSID and assign different roles?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Jan 31, 2024 04:29 AM

    We opened a case with the MDM vendor, and if this is actually the issue I will come back here and update the post.

    Otherwise, I will rework our services to match 1 service per SSID.

    Thanks again for your answers.



    ------------------------------
    Best Regards,
    Antoine PERNON
    ----------------------------------------------
    Aruba Certified Edge Professional
    ACP - ACMP - ACCA
    ------------------------------



  • 6.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Feb 01, 2024 08:58 AM

    Not 100% sure what you are asking but maybe this will help:

    We have two different service policies - "Wireless 802.1X" (EAP-TLS) and "Wireless 802.1X TEAP"




    The service is matched on the outer method (METHOD-1) of TEAP and comes across without a user-name/anonymous. This is forced in Windows and has been for quite a while.

    Once the outer method is authenticated, it will try the inner method (METHOD-2). When METHOD-2 is authenticated it does not go through service categorization again and will use the same CPPM service it used for METHOD-1.

    This means that you cannot create service rules to match on the METHOD-2 information, only on the METHOD-1 information. Also, you will need to have it match on Radius:IETF:User-Name=anonymous.




  • 7.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Feb 05, 2024 05:37 AM

    Thank you for the answer. 

    To be honest, I don't really understand the need of 2 methods here. I think the check on anonymous can be done in the second method before using TLS. Maybe I missed a point.


    We got the answer from our MDM (Intune, to name it). They do configure the outer identity for the EAP/PEAP and EAP/TTLS methods, but they DO NOT let you configure it for the EAP/TLS method. For this method, they use the CN of the certificate for both the outer AND inner identity. There is no evolution to expect for this feature from Microsoft. After reading the RADIUS RFC, there is no obligation to use an outer identity.

    => I will address my problem by regrouping services for the same SSID.



    ------------------------------
    Best Regards,
    Antoine PERNON
    ----------------------------------------------
    Aruba Certified Edge Professional
    ACP - ACMP - ACCA
    ------------------------------



  • 8.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Feb 05, 2024 09:36 AM

    To be honest, I don't really understand the need of 2 methods here. I think the check on anonymous can be done in the second method before using TLS. Maybe I missed a point.

    Not sure what you are asking/stating here. Can you clarify?

    We have two different services in CPPM for EAP-TEAP (EAP-TLS+EAP-TLS) and EAP-TLS. I tried to put EAP-TEAP and EAP-TLS in the same service, but it didn't work correctly.




  • 9.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    EMPLOYEE
    Posted Feb 12, 2024 11:33 AM

    I think you should test on IETF:User-Name, not on Authentication:Full-Username. During service categorization, Authentication:Full-Username is not available, as it is only populated after authentication. Somewhere below there is a screenshot with IETF:User-Name in the service condition.

    Hopefully you can test on the client-supplied identity for your service categorization. Another option, as you mention a combination of EAP-TLS, EAP-PEAP (deprecated!) and EAP-TTLS (also not always secure): you could put all three methods in the same service, then do role mapping or enforcement based on the authentication method and/or authorization attributes.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 10.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    Posted Feb 16, 2024 12:09 PM

    I did regroup services together, but it's impossible to do EAP-TLS + EAP-TTLS and still have a token server configured in the authentication sources. Maybe I missed a point here?

    ATM I still have one service for TLS and another for PEAP+TTLS. I tried to add a check on Authentication:Outer-Method EQUALS "EAP-TLS", but it didn't work. Logs only show "EAP" in Outer-Method.

    Also, I did some testing and I always have the same value in Authentication:Username, Authentication:Full-Username and IETF:Username, even if I misconfigure my terminal to do EAP-PEAP MSCHAPv2 instead of GTC as intended. (I did that to be sure to have only the outer identity on the ClearPass side.)

    PS: I will try to disable PEAP, but it's maybe too early for some devices.

    Best Regards,



    ------------------------------
    Best Regards,
    Antoine PERNON
    ----------------------------------------------
    Aruba Certified Edge Professional
    ACP - ACMP - ACCA
    ------------------------------



  • 11.  RE: [Wi-Fi] [EAP-TLS] [ClearPass] Select Services by Checking Name of SSID + Outer Identity

    EMPLOYEE
    Posted Feb 19, 2024 03:05 AM

    The thing is that the EAP method is negotiated after the service is selected, so you can't select the service based on EAP-TLS for that reason. I never used a token server for 802.1X (also, I missed that you had configured that), also because it suggests a changing password, which is quite cumbersome for the end-user experience.

    Best would be if you can filter based on the username, as that is available in the first RADIUS packet. If your PEAP uses the sAMAccountName (Windows username) and EAP-TLS uses the e-mail or UPN (user@domain.name), then you could use that to select the service. If you really can't filter on the username, it's hard to find something that works under all circumstances. It may help to arrange an interactive brainstorm while checking the logs to find differences in the initial RADIUS request, to see if there is a possibility to separate the requests out to different services.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
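The point made in replies 6, 9 and 11 (service categorization runs once, on the first Access-Request, before the EAP method is negotiated, so only what that packet carries can be matched) can be made concrete with a small simulation. The following is an added example written for this thread; it is not ClearPass code and not from any poster. It models services as ordered AND-lists of conditions over RADIUS attributes, constructs the attribute sets a policy server sees in the first packet versus after authentication, and shows why a rule on `Authentication:OuterMethod EQUALS EAP-TLS` or on `Authentication:Full-Username` never matches at categorization time, while a rule on `Radius:IETF:User-Name` (anonymous vs UPN vs plain sAMAccountName, the split suggested in reply 11) does. The attribute names are written as they appear in the thread; the SSID carried in `Called-Station-Id`, the username conventions and the service names are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    """One service categorization condition: attribute, operator, value."""
    attribute: str
    operator: str          # "EQUALS", "MATCHES_REGEX" or "EXISTS"
    value: str = ""

    def matches(self, attrs: dict) -> bool:
        actual = attrs.get(self.attribute)
        if actual is None:   # attribute absent from this packet: never a match
            return False
        if self.operator == "EQUALS":
            return actual.lower() == self.value.lower()
        if self.operator == "MATCHES_REGEX":
            return re.fullmatch(self.value, actual) is not None
        if self.operator == "EXISTS":
            return True
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class Service:
    name: str
    conditions: tuple      # all conditions must match (AND rule)


def select_service(attrs: dict, services: tuple):
    """Return the first service whose conditions all match, like an ordered
    service list evaluated once against the initial Access-Request."""
    for svc in services:
        if all(c.matches(attrs) for c in svc.conditions):
            return svc.name
    return None


# Constructed sample attribute sets (not captured from a real ClearPass).
# First Access-Request: the NAS forwards the EAP-Response/Identity as
# User-Name; the method is still just "EAP" because nothing is negotiated yet.
ON_SSID = Condition("Radius:IETF:Called-Station-Id", "MATCHES_REGEX", r".*:CORP-WIFI")
_BASE = {"Radius:IETF:NAS-Port-Type": "Wireless-802.11",
         "Radius:IETF:Called-Station-Id": "aa-bb-cc-dd-ee-ff:CORP-WIFI",
         "Authentication:OuterMethod": "EAP"}
FIRST_REQUEST_TLS = {**_BASE, "Radius:IETF:User-Name": "jdoe@example.invalid"}  # UPN from cert
FIRST_REQUEST_PEAP = {**_BASE, "Radius:IETF:User-Name": "jdoe"}                 # sAMAccountName
FIRST_REQUEST_TEAP = {**_BASE, "Radius:IETF:User-Name": "anonymous"}            # Windows TEAP outer id
# Attributes that only exist after the EAP conversation completed.
POST_AUTH_TLS = {**FIRST_REQUEST_TLS,
                 "Authentication:OuterMethod": "EAP-TLS",
                 "Authentication:Full-Username": "jdoe@example.invalid"}

# Services keyed on what the first packet actually carries. Order matters:
# "anonymous" has no "@", so the TEAP rule must precede the PEAP/TTLS rule.
WORKING_SERVICES = (
    Service("Wireless 802.1X TEAP",
            (ON_SSID, Condition("Radius:IETF:User-Name", "EQUALS", "anonymous"))),
    Service("Wireless 802.1X EAP-TLS",
            (ON_SSID, Condition("Radius:IETF:User-Name", "MATCHES_REGEX", r"[^@]+@[^@]+"))),
    Service("Wireless 802.1X PEAP/TTLS",
            (ON_SSID, Condition("Radius:IETF:User-Name", "MATCHES_REGEX", r"[^@]+"))),
)

# Services keyed on post-authentication attributes (the approach that fails).
BROKEN_SERVICES = (
    Service("EAP-TLS by outer method",
            (ON_SSID, Condition("Authentication:OuterMethod", "EQUALS", "EAP-TLS"))),
    Service("EAP-TLS by full username",
            (ON_SSID, Condition("Authentication:Full-Username", "EXISTS"))),
)


def categorize_all():
    """Run every sample request through both service lists."""
    return {
        "tls_first_working": select_service(FIRST_REQUEST_TLS, WORKING_SERVICES),
        "peap_first_working": select_service(FIRST_REQUEST_PEAP, WORKING_SERVICES),
        "teap_first_working": select_service(FIRST_REQUEST_TEAP, WORKING_SERVICES),
        "tls_first_broken": select_service(FIRST_REQUEST_TLS, BROKEN_SERVICES),
        "tls_post_auth_broken": select_service(POST_AUTH_TLS, BROKEN_SERVICES),
    }


if __name__ == "__main__":
    for label, result in categorize_all().items():
        print(f"{label:>22}: {result}")
```

The `tls_first_broken` result is `None`: the conditions the thread tried (`Outer-Method EQUALS EAP-TLS`, `Full-Username`) would only match the post-authentication attribute set, which the categorization engine never re-evaluates. Matching on `User-Name` shape works because that value is present from the first packet, with the caveat from reply 2 that supplicants forcing `anonymous` collapse onto a single service and must then be separated by role mapping on the issuing CA or authentication method.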