Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba VIA ClearPass integration EAP-TLS

  • 1.  Aruba VIA ClearPass integration EAP-TLS

    Posted May 27, 2019 10:35 AM

    Hello Everyone!

     

    I am trying to make a full ClearPass, ArubaOS8.4 and Aruba VIA integration. I have included a picture of the concept.

     

    The main idea is to have an 802.1X Wi-Fi with EAP-TLS authentication. Users get their certificates by onboarding with ClearPass. They would also use these certificates for VPN through VIA.

     

    We want to have location aware VPN. So when we are in reach of corporate Wi-Fi, clients authenticate to Wi-Fi with EAP-TLS, and when they are in public, VIA connects with EAP-TLS. We also want to pass all authentication functions to ClearPass.

     

    When I enable IKEv2 with EAP-TLS, I run into a problem: I can see the access tracker coming in to ClearPass with PAP for the connection profile download. Then VIA asks me which certificate I want to use. When I select it, it gives me an authentication failed and I cannot see any access tracker on ClearPass.

     

    Is there a VRD for this scenario? We want a full certificate based Aruba configuration.

     

    Thank you in advance!

     

    Daniel



  • 2.  RE: Aruba VIA ClearPass integration EAP-TLS

    EMPLOYEE
    Posted May 27, 2019 11:38 AM

    Please check out the post here: https://community.arubanetworks.com/t5/Aruba-Apps/EAP-TLS-for-VIA/td-p/64190 for some tips and for the URL of the original VIA VRD.

     

    The "location aware" aspect is managed in the "via servers" portion of the VIA connection profile. The VIA client will see if it can connect to the internal_IP first and if it cannot, it will attempt to connect to the "addr" URL:

    Screenshot 2019-05-27 at 10.35.39.png



  • 3.  RE: Aruba VIA ClearPass integration EAP-TLS

    Posted May 28, 2019 02:48 AM

    Hello Cjoseph!

     

    I have no problem with configuring location awareness.

     

    I got the whole setup working like I wanted to, but with username/password authentication. But when I enable IKEv2 so that I could use certs, VIA asks me which certificate I want to use, then just goes around trying to authenticate, then gives me an error code of 8949. I can only see the user on the controller, but there is no access tracker on ClearPass.

     

    I already tried enabling EAP-TLS passthrough in Services -> VPN -> IKEv2, but still cannot see the request going through to ClearPass, just when I try to download the profile. The moment I take out the tick from "Enable IKEv2" in VIA Connection profile, I can see the access tracker accept for profile download, then after a few seconds, the access tracker accept for VPN establishment.

     

    I have the user cert on the client with public and private key and I have the Trusted CA installed on the controller. But I believe I should still see the request going through to ClearPass regardless of certificates.

     

    I checked the VRD, but didn't find anything that could help me. Correct me if I am wrong, but I should be seeing 2 access tracker messages in ClearPass: 1 for PAP to download the VIA profile, and 1 for EAP-TLS for VPN establishment.

     

    Br.

    Daniel