Security

 View Only
last person joined: 13 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Wired Authentication with EAP-TTLS not working

This thread has been viewed 39 times
  • 1.  Wired Authentication with EAP-TTLS not working

    Posted Apr 17, 2023 01:59 AM

    Hi Folks,

    Just looking for some guidance as to what I am getting wrong.

    Windows client tries to autehnticate and gets the following error:


    Not picking up auth source.


    Windows client:

    Are there a few things I have missing?
    Does anyone have any docs or guides I can make ref to for end-end?



  • 2.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 17, 2023 08:35 AM

    What is under the Alerts tab?  Why use EAP-TTLS?  Looks like the supplicant is configured for TEAP?




  • 3.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:00 AM

    I dont have an option for EAP-TEAP on my clearpass as auth method.
    Am i missing something?




  • 4.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:08 AM

    Hi

    You have to add the TEAP method manually.


    Select the user name to display in Access Tracker:

    Add EAP-TLS as the Inner method



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:53 AM

    Thanks Jonas,

    Did that but still got the below:


    Would I be missing anything else? I installed domain root cert on client PC already.
    Do I need to install any other certs ?




  • 6.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 04:09 AM

    Hi

    What is the error message under the Alerts tab?

    EAP-TEAP for sure have benefits over EAP-TLS as you get the authentication of both the Windows computer and the user in the same auth request. But it can be a bit more challanging to configure the first time.
    EAP-TLS is easier to configure, in Windows you don't select EAP-TLS instead the drop down have text "Microsoft: Smart card or other certificate".
    If you intend to authenticate both computer and user, stay with TEAP. If only computer is enough you can also try to use EAP-TLS.

    Is the Radius certificate issued by the same CA as the client certificate, or at least under the same root?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 20, 2023 02:07 AM


    This is the alerts for TEAP


    As per the "Microsoft: Smart card or other certificate" (EAP-TLS on CCPM), it does not even hit clearpass service.



    Would there be any reason why it isn't hitting the service when change to EAP-tls?
    It doesnt look like it even sent it through to cppm as it it dropped almost immediately.




  • 8.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 20, 2023 02:09 AM

    Clearpass for EAP-TLS




  • 9.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 22, 2023 10:47 PM

    Hi Jonas,

    Got it working now.
    Using EAP-PEAP.
    One thing I missed weas not having my PC join the domain, hence DC was not seeing it in its object for use for authentication with clearpass policies.

    I will mock arround with other methods and see if I can get them working.

    Would you say from experience EAP-MSCHAP is the way to go for these deployments or EAP-PEAP?
    EAP-TEAP seems to be very complex and difficult to deploy via GPO




  • 10.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 22, 2023 10:53 PM
    TEAP with EAP-TLS with inner method for both user and computer is the most secure. EAP-TLS with machine or user certificates is next. Finally PEAP is least secure since it is username/password based and does not certificates for client auth.




  • 11.  RE: Wired Authentication with EAP-TTLS not working
    Best Answer

    Posted May 09, 2023 11:01 PM

    Hi @jonas.hammarback ,

    Got it working using
    eap-peap - eap-mschap-v2 authentication
    eap-ttls - eap-mschapv2 authentication
    PC joined to domain.
    Successful authentication with machine auth
    Thanks heaps for guiding me through it.






  • 12.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 07:37 AM
    6.10 and above support TEAP




  • 13.  RE: Wired Authentication with EAP-TTLS not working

    Posted Apr 18, 2023 03:45 AM

    Do you know of a better method to use for as auth method?