Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x EAP-TLS SSID for domain joined and intune joined devices

  • 1.  802.1x EAP-TLS SSID for domain joined and intune joined devices

    Posted Oct 10, 2017 01:47 PM

    Hello Airheads,

     

    We are running Aruba 7240 controllers, and ClearPass as RADIUS server.

    We are going to deploy a new SSID, where two types of devices shall be able to authenticate:

    • 802.1x EAP-TLS Machine certificate authentication for domain joined laptops (internal CA)
    • 802.1x EAP-TLS Client certificate from MS Intune (internal CA)

    These two client types obtain their certificates from different internal certificate authorities. The domain-joined laptops are of course in our Active Directory, while the devices "onboarded" in Microsoft Intune are not.

     

    What is the best way to configure clearpass policies for this setup? 

    I am thinking about using an OCSP check against the CA for authorizing the Intune devices; is that even possible?



  • 2.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    EMPLOYEE
    Posted Oct 10, 2017 02:05 PM

    Both certs are issued from the same CA?



  • 3.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    Posted Oct 12, 2017 07:20 AM

    Hello Tim,

    No, the certs are issued from two different CA servers, one for domain computers and one for MS Intune devices.



  • 4.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    EMPLOYEE
    Posted Oct 12, 2017 08:34 AM

    OCSP is used for real-time status checking. This would be the equivalent of a password check. This should be done in all cases, regardless of the CA.

     

    Since you have two CAs, you can use the certificate's issuing CA as part of your policy. It's difficult to go into any more detail without any information about your end goal w.r.t. policy enforcement.



  • 5.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    Posted Oct 12, 2017 08:40 AM

    Seems like I'm on the right track then.

    At the moment, I am only focusing on the Intune devices, and one of the CAs.

    This is a screenshot of the service I have created, for using EAP-TLS and OCSP to check if the device certificate is valid.

    Is this correctly configured, or am I missing something? Do I need the CA as an authentication source as well?

    [screenshot: ca-clearpass.png]

     



  • 6.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    EMPLOYEE
    Posted Oct 12, 2017 08:42 AM

    Do the certs not have the OCSP URL embedded in the AIA attribute? You generally don't want to override the URL in the EAP method if it's available in the certificate.

     

    You can also remove the strip rules as they don't apply here.


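    The two points made in replies 4 and 6, keying the role on the issuing CA and taking the OCSP responder from the certificate's AIA extension rather than hard-coding it in the EAP method, as an added, runnable example. This is not code from the thread or from HPE Aruba; it uses plain OpenSSL to build two toy issuing CAs (standing in for the AD CA and the Intune CA), issues an EAP-TLS client certificate from each, and then does offline what a RADIUS policy engine does with the client certificate. All CA names, device names, role names and OCSP URLs are invented for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from HPE Aruba. Builds two toy
# issuing CAs, issues a client certificate from each, then: verifies the
# chain, keys the role on the issuing CA, and reads the OCSP responder from
# the AIA extension. Names and URLs are invented. Needs OpenSSL 1.1.1+.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal OpenSSL config so the example does not depend on a system openssl.cnf.
cat > toy.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca NAME -> NAME.key / NAME.crt, a self-signed toy issuing CA (P-256)
make_ca() {
  openssl req -x509 -config toy.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -days 30 -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_client CA CN [OCSP_URL] -> CN.crt signed by CA; the AIA extension is
# only written when a URL is given, so we can also show a cert without one
issue_client() {
  openssl req -new -config toy.cnf -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$2.ext"
  [ -z "$3" ] || printf 'authorityInfoAccess = OCSP;URI:%s\n' "$3" >> "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# issuer_cn CERT -> CN of the issuer, the attribute a policy engine keys on
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//; s/^CN=//'
}

# ocsp_uri CERT -> OCSP responder URL from the AIA extension, empty if absent
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# policy CERT -> prints "ROLE=<role> OCSP=<url>", returns non-zero on reject.
# The trust list (corp-ad-ca, intune-ca) and role names are invented.
policy() {
  uri=$(ocsp_uri "$1")
  [ -n "$uri" ] || { echo "REJECT $1: no OCSP responder in AIA"; return 1; }
  if openssl verify -CAfile corp-ad-ca.crt -purpose sslclient "$1" >/dev/null 2>&1; then
    echo "ROLE=domain-laptop OCSP=$uri"
  elif openssl verify -CAfile intune-ca.crt -purpose sslclient "$1" >/dev/null 2>&1; then
    echo "ROLE=intune-device OCSP=$uri"
  else
    echo "REJECT $1: does not chain to a trusted CA"; return 1
  fi
}

# ocsp_request CERT CA OUT -> DER-encoded OCSP request for CERT, built offline;
# this is the per-certificate status query a RADIUS server POSTs to the AIA URL
ocsp_request() {
  openssl ocsp -issuer "$2" -cert "$1" -no_nonce -reqout "$3" >/dev/null 2>&1
  [ -s "$3" ]
}

make_ca corp-ad-ca
make_ca intune-ca
make_ca rogue-ca                                        # not in the trust list
issue_client corp-ad-ca corp-laptop-01 http://ocsp.corp.example/ocsp
issue_client intune-ca  intune-dev-01  http://ocsp.intune.example/ocsp
issue_client rogue-ca   rogue-dev-01   http://ocsp.rogue.example/ocsp
issue_client corp-ad-ca corp-legacy-01                   # issued without an AIA

for c in corp-laptop-01 intune-dev-01 rogue-dev-01 corp-legacy-01; do
  policy "$c.crt" || true
done
ocsp_request corp-laptop-01.crt corp-ad-ca.crt corp-laptop-01.ocsp.der
openssl ocsp -reqin corp-laptop-01.ocsp.der -req_text
```

    Two things worth noting from the run: the rogue device is rejected even though its certificate carries a perfectly good OCSP URL, because the chain check happens before the revocation check (OCSP only says whether a certificate the issuer knows about is still good, not whether you trust the issuer), and the legacy certificate from a trusted CA is still rejected because it offers no responder to ask. Querying the responder itself is the step left out here, since it needs network access; `openssl x509 -noout -ocsp_uri` is also the quickest way to answer the question asked in reply 6 for a real client certificate.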

  • 7.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    Posted Jun 01, 2018 02:37 PM

    Hello, old post, but I'm hoping you may be able to assist. I'm working with a client on a similar deployment, using Intune devices with a dedicated CA. My knowledge of Intune is very limited, though I am fairly experienced with ClearPass, so I'm trying to learn more about this design.

     

    You referenced a custom Authentication Method to point to the OCSP, was that required? Do you have any references that helped with this design? The authorization side of things with respect to Intune is working correctly, but now we're looking at the EAP-TLS authentication to the Intune CA. I had previously assumed we only use Intune for Authorization, but apparently we use it for Authentication as well?



  • 8.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    EMPLOYEE
    Posted Jun 01, 2018 02:40 PM

    OCSP is used for real-time certificate status checks. Your client certificates should have an OCSP URL embedded so the EAP-TLS method will be configured to require OCSP.

    I’m not sure I understand your question.


  • 9.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    Posted Jun 01, 2018 02:46 PM

    Ah, I haven't played with the OCSP Authentication method with EAP-TLS. I will do some more research. Really I'm just trying to track down more documentation so I can familiarize myself further with these concepts as they relate to Intune and ClearPass, as the current white papers and design guides that I've found don't address this specific deployment scenario.

     

    Thanks!



  • 10.  RE: 802.1x EAP-TLS SSID for domain joined and intune joined devices

    EMPLOYEE
    Posted Jun 01, 2018 03:08 PM

    OCSP is not unique to Intune or ClearPass. Do your certs have the OCSP URL in them?