Security

I created a self signed certificate and signing chain to test EAP-TLS authentication, and it's working great.

I'm curious, though, about the authentication source.

I have to pick something, so if I select Endpoint Repository, the user can authenticate properly (user name on the certificate is not present in Endpoint repository).

However, if I select an AD authentication source, authentication fails. (user name also not present in AD).

 

This seems like inconsistent behavior. Any reason why Clearpass checks for the user in AD, but not in the Endpoint Repository?

Thanks.

 

Do you want to validate whether a user exists or just accept the certificate?

I'm just trying to accept the certificate.

OK, then create a new EAP-TLS method with authorization disabled.

Ah, OK. That did the trick.

I think I was thrown off by the nomenclature used.

When using the default [EAP-TLS] Authentication method, the failed access tracker entries Alert tab says,

"EAP-TLS: Authentication failure, unknown user."

I'm guessing this is really more of an authorization failure?

Either way, the new EAP-TLS with no authorization method works fine.

Thanks.

 

EAP-TLS has a "sub" authorization phase that's part of authentication. By default (the [EAP-TLS] method), we attempt to lookup the user in the authentication source as part of EAP-TLS authorization.

What if i want to validate whether a user exists in AD not only checking certificate ? 

Then leave authorization enabled.

If the default EAP-TLS method choosed, with AD as Auth source, then access tracker is showing user (user@company.x) not found.

Actually, the main target is to authentiate users by AD certificate instead of username and password.

Make sure your auth source is using the UPN. It defaults so sAMAccountName.