Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x without a user certificate

  • 1.  802.1x without a user certificate

    Posted Apr 17, 2020 01:51 AM

    Hello!

     

    We have a setup of ClearPass Policy Manager, Aruba switch as NAS, and Windows PC as supplicant.

     

    We have a Wired 802.1x setup using EAP-TLS and it uses both computer and user authentication.

     

    Now, everything works perfectly for current users but not for new users.

     

    I think it is because for new users we have implemented a kind of auto-enroll/BYOD, meaning if a user logs in for the first time, it doesn't have a user certificate yet, until the logon process is complete.

     

    It does have machine cert though and machine auth works perfectly.

     

    So:

    1. User turns on PC, gets profiled correctly, via machine auth using its machine cert

    2. User logs in, and for some reason, when we check the packet capture, it receives an EAP identity request from the switch, but the PC doesn't respond.

    3. It gets MAC auth as failover and gets put into a guest VLAN.

     

    My questions are:

    1. Is the reason it doesn't respond because it doesn't have any user certificate to give? (The PC has the network authentication method set to certificate.)

    2. Should I just switch to a network authentication method that doesn't require a certificate and use username/password instead, then maybe use EAP-PEAP as the ClearPass service?

     

    I'd also appreciate any other solution you can suggest. I'm quite new to ClearPass.

     

    Thanks in advance!



  • 2.  RE: 802.1x without a user certificate

    MVP
    Posted Apr 17, 2020 02:31 AM

    Hi,

     

    You can check these videos from Herman.

     

    https://www.youtube.com/watch?v=mifjqsYjt-k&list=PLsYGHuNuBZcb0xD05v9zdwv7NlUG_8oJS&index=26

     

    You might find what you are looking for on here and on the other videos on this channel.



  • 3.  RE: 802.1x without a user certificate
    Best Answer

    EMPLOYEE
    Posted Apr 17, 2020 03:51 AM

    The most secure solution is to switch to computer-only authentication. It's a known 'chicken-and-egg problem' with user certificates for users that have not signed in before. What you could do (on wired only) is, on an authentication failure, to provide limited access so the user certificate can be retrieved.

     

    On the longer term, the TEAP method may be a solution as it allows different authentication for computer and user, but it requires the upcoming May 2020 Windows 10 upgrade.

     

    I would avoid PEAP whenever possible as it is considered cracked and deprecated by Microsoft and others. The only situation where I would even consider PEAP is when you have full control over all of your clients and can enforce the server certificate validation to prevent man-in-the-middle attacks to your credentials.

     

    The pragmatic solution would be as mentioned first to do computer-only authentication with EAP-TLS.
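    The two settings this answer turns on are both visible in the Windows wired 802.1X profile: the OneX authMode (machineOnly versus machineOrUser) and, for PEAP or EAP-TLS, whether the client actually validates the RADIUS server certificate. The following audit script is an added example, not code from the thread or from HPE Aruba; it reads a profile in the shape that `netsh lan export profile` writes (element names as in the Windows LAN/OneX/EapHostConfig schemas, matched by local name so namespace prefixes do not matter). The two profiles it checks are constructed inline, and the server name and root thumbprint in them are placeholders.

```python
"""Audit a Windows wired 802.1X (OneX) profile for the settings discussed above.

Added example, not from the thread or from HPE Aruba.  It reports:
  * authMode        - is the supplicant set to computer-only authentication?
  * EAP method      - EAP-TLS (type 13) or PEAP (type 25)
  * ServerValidation - is the RADIUS server certificate really validated
                       (no user prompt, server name set, trusted root pinned)?
Profiles are constructed below in the shape of `netsh lan export profile`
output; hostnames and thumbprints are placeholders.
"""
import xml.etree.ElementTree as ET

EAP_TLS, EAP_PEAP = "13", "25"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(node, name):
    """First element (node itself or a descendant) with the given local name."""
    if node is None:
        return None
    for el in node.iter():
        if _local(el.tag) == name:
            return el
    return None


def _text(node, name):
    el = _find(node, name)
    return (el.text or "").strip() if el is not None else ""


def audit_profile(xml_text):
    root = ET.fromstring(xml_text)
    # authMode is optional in the OneX schema; machineOrUser is the assumed default.
    auth_mode = _text(_find(root, "OneX"), "authMode") or "machineOrUser"
    eap_type = _text(_find(root, "EapMethod"), "Type")
    validation = _find(root, "ServerValidation")   # outer method's block comes first
    findings = []
    if auth_mode != "machineOnly":
        findings.append(f"authMode={auth_mode}: user auth runs at logon and fails "
                        "for users that have no certificate yet")
    if eap_type == EAP_PEAP:
        findings.append("PEAP in use: credentials are only as safe as server validation")
    if validation is None:
        findings.append("no ServerValidation block: any RADIUS server cert is accepted")
    else:
        if _text(validation, "DisableUserPromptForServerValidation") != "true":
            findings.append("user can be prompted to accept an unknown server cert")
        if not _text(validation, "ServerNames"):
            findings.append("ServerNames empty: any cert under the trusted root is accepted")
        if not _text(validation, "TrustedRootCA"):
            findings.append("TrustedRootCA empty: any root in the machine store is accepted")
    return {"auth_mode": auth_mode, "eap_type": eap_type, "findings": findings}


def _profile(auth_mode, eap_type, validation):
    """Constructed profile; only the elements the audit reads are included."""
    return f"""<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <authMode>{auth_mode}</authMode>
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap_type}</Type></EapMethod>
      <Config><Eap><Type>{eap_type}</Type><EapType>{validation}</EapType></Eap></Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</LANProfile>"""


STRICT_VALIDATION = """<ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>clearpass.example.internal</ServerNames>
  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
</ServerValidation>"""

# Computer-only EAP-TLS with the server certificate pinned: the recommended setup.
MACHINE_ONLY_TLS = _profile("machineOnly", EAP_TLS, STRICT_VALIDATION)
# Machine-or-user PEAP that trusts any server and lets the user click through.
USER_PEAP_LOOSE = _profile("machineOrUser", EAP_PEAP,
    "<ServerValidation><DisableUserPromptForServerValidation>false"
    "</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation>")

if __name__ == "__main__":
    for label, prof in (("machine-only EAP-TLS", MACHINE_ONLY_TLS),
                        ("machineOrUser PEAP, loose", USER_PEAP_LOOSE)):
        r = audit_profile(prof)
        print(f"{label}: authMode={r['auth_mode']} eap={r['eap_type']}")
        for f in r["findings"]:
            print("  -", f)
```

    Run it against a real export by replacing the constructed strings with the file contents; a profile that matches the answer above (machineOnly, EAP-TLS, pinned root, server name set, prompt disabled) produces no findings.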



  • 4.  RE: 802.1x without a user certificate

    Posted Apr 17, 2020 07:47 PM
    Thanks for the reply! If we do computer auth only, will we still be able to profile based on AD user details?


  • 5.  RE: 802.1x without a user certificate

    EMPLOYEE
    Posted Apr 20, 2020 05:08 AM

    So that information might be a challenge as only the computer authenticates.

     

    If you have a lot of non-cached users, then using computer authentication is probably the best option at the moment, until alternatives like TEAP become available.

     

    There are solutions based on OnGuard that add the user authentication once L2 has been authenticated as the computer. But in many cases having the user authentication is a nice-to-have or just a thought. Most domain computers end up with the same access in practice, and if there are a few exceptions, those computers are many times tied to a specific person, so you could create the exception based on the computer as well. If you can't do that and having the user information is critical, the combination of 802.1X for the computer and OnGuard user authentication is probably the way to go.



  • 6.  RE: 802.1x without a user certificate

    Posted May 17, 2021 06:29 PM
    Hello Herman,

    First, thank you for your videos, they are very helpful. I know this is a dated thread, but it directly applies to what I am trying to accomplish. When you say "limited access to the user certificate can be retrieved", can you elaborate on what you mean by this? Do you grant access to a domain controller to join the domain and get the cert via GPO, or do you use a different technique? Could a Captive Portal be leveraged here?

    ------------------------------
    Douglas Ullman
    ------------------------------



  • 7.  RE: 802.1x without a user certificate

    EMPLOYEE
    Posted May 18, 2021 03:44 AM
    With 'limited access to the user' (wired), I mean that you can allow just enough access to your domain controllers, certificate servers, and other relevant services (DNS, DHCP, etc.) for the user to retrieve a certificate from the CA. That would allow, when only a computer certificate is present, the user to still log in to the network and get all the credentials.

    So, yes, allow/grant access to the domain controller (and relevant services). You can use a captive portal, but that might make it more complex. Please discuss your situation with your Aruba partner or local Aruba SE, as there may be relevant context missing at this point.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 8.  RE: 802.1x without a user certificate

    Posted May 18, 2021 09:21 AM
    Regarding the OnGuard option: configure the PC to just use Machine Authentication. Install the OnGuard Persistent Agent.

    OnGuard Settings:

    OnGuard's Global Agent Settings:

    Set the "Enable to use Windows Single Sign On"=true 
    Also the "Run OnGuard As"=BothServiceAndAgent

    As the OnGuard service:

    The host:ActiveUserName seems to have changed between 6.8(?) and 6.9. I used to have to use the condition: 
         Host:ActiveUserName BEGINS_WITH HPEARUBADEMO



    When the device connects to the wireless:

    In theory you could add a PortAuth profile that could use RESTful API to inject into another device (eg firewall), but I could not get this to work :-(

    NOTE running OnGuard in Authentication Only does NOT consume an OnGuard license.


    ------------------------------
    Derin Mellor
    ------------------------------



  • 9.  RE: 802.1x without a user certificate

    Posted Jun 17, 2021 10:18 AM
    Hi, if I only use the machine certificate, can I make OnGuard CoA reauth work?


    User gets to the windows login - Machine Cert is used
    User login - No cert is used
    OnGuard agent runs, changes the posture token, ClearPass sends a CoA asking for a reauth
    At this point, the computer can use the machine cert for this reauth?

    ------------------------------
    Bruno Andrade - ACMP, ACSP, ACCP, CWNA, CCNA R&S, RCNA, ICX, SPSX
    ------------------------------



  • 10.  RE: 802.1x without a user certificate

    EMPLOYEE
    Posted Jun 17, 2021 10:34 AM
    If you use 'computer authentication only', the Machine cert will be used all of the time:

    User gets to the windows login - Machine Cert is used
    User login - No cert is used: nothing changes in the authentication, the existing Machine Authentication is kept.
    OnGuard agent runs, changes the posture token, ClearPass sends a CoA asking for a reauth
    At this point, the computer reauthenticates with the computer certificate; the posture status/token will be cached if you enable that in your enforcement, as the client is configured for computer-only authentication.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: 802.1x without a user certificate

    Posted Jun 17, 2021 10:40 AM
    Really thanks Herman!

    ------------------------------
    Bruno Andrade - ACMP, ACSP, ACCP, CWNA, CCNA R&S, RCNA, ICX, SPSX
    ------------------------------