Occasional Contributor II

Authentication source for EAP-TLS

Hello,

I have a query related to EAP-TLS (machine certificate based auth).

On ClearPass, what do we need to define as the auth source? Is it the Root CA server, the subordinate CA server, or the AD server?

Does ClearPass query the CA server every time to validate the client machine's certificate, or do we need to copy the Root CA cert onto CPPM as a trust list?

I want to know how ClearPass validates the client machine certificate (I doubt that it checks with the CA every time).

What is the best practice for defining the auth source for EAP-TLS? In our environment, the AD server and the CA server are separate.

Super Contributor II

Re: Authentication source for EAP-TLS

Auth source needs to be set to the AD. By default ClearPass will check if the account exists in the auth source.

For certificate checking you need to use OCSP and/or CRL. Root/Intermediate CA needs to be added in the trust list.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: Authentication source for EAP-TLS

Hi,

Thanks, I was also thinking the same way but I was not sure. So we have to define AD.

When you say OCSP/CRL, where do I need to set it? I mean, how will CPPM validate the machine certificate?

Super Contributor II

Re: Authentication source for EAP-TLS

OCSP is set in the authentication method. The best way is to include the OCSP URL in the client certificate.
In the auth method in ClearPass, set Verify Certificate to Required. If you want CRL fallback (I would advise you to do that), set it to Required (CRL fallback).
Leave Override OCSP URL from Client unchecked.

The CRL can be configured in Administration > Certificates > Revocation Lists.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: Authentication source for EAP-TLS

Thanks a lot.

So the steps are:

1) Download the root CA certificate onto CPPM (we have 1 Publisher, 1 standby Publisher and 2 Subscribers) - so the root CA has to be in the trust store of all the CPPM nodes?

Also, do I need to sign the CPPM local certificate with the organization's root CA?

2) Integrate the AD server with CPPM.

3) Enable Verify Certificate with OCSP (Required, CRL fallback).

4) Configure the client certificate with the OCSP URL.

Do you have a workflow or related document for this?

Also, what if no OCSP server exists and only the root CA and subordinate CA exist?

Guru Elite

Re: Authentication source for EAP-TLS

@cppmadmin wrote:

Hello,

I have a query related to EAP-TLS (machine certificate based auth).

On ClearPass, what do we need to define as the auth source? Is it the Root CA server, the subordinate CA server, or the AD server?

Does ClearPass query the CA server every time to validate the client machine's certificate, or do we need to copy the Root CA cert onto CPPM as a trust list?

I want to know how ClearPass validates the client machine certificate (I doubt that it checks with the CA every time).

What is the best practice for defining the auth source for EAP-TLS? In our environment, the AD server and the CA server are separate.


At the bare minimum, you would only have to have the CA certificate imported into the ClearPass Trusted CA list to allow EAP-TLS clients to authenticate to ClearPass. You would duplicate the EAP-TLS authentication method and uncheck everything to allow this. To provide additional security, you could add your AD as an LDAP authentication source in ClearPass and enable Authorization in your EAP-TLS authentication method to check that the username on the certificate is still valid in AD. That would stop devices/users whose accounts have been disabled in AD from connecting. As was mentioned before, if your CA is configured with OCSP, you can also enable that in the EAP-TLS authentication method, so that certificates revoked in your CA would also not be able to authenticate in ClearPass.

 

Again, you have quite a few options with EAP-TLS, but at minimum ClearPass only has to have the CA certificate that issued your client certificates in its trusted list to work.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
MVP

Re: Authentication source for EAP-TLS

After the certificates are trusted on both sides (client and ClearPass), the computer name is authenticated against Active Directory.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Occasional Contributor II

Re: Authentication source for EAP-TLS

Hi MKK, thanks a lot.

I still have a doubt. If we enable authorization and OCSP on the EAP-TLS auth method, does this mean ClearPass sends the query to the OCSP server on behalf of the client? The question is how ClearPass validates the certificate. I got the point that CPPM validates the machine name, but how will the certificate itself be validated by CPPM?

Guru Elite

Re: Authentication source for EAP-TLS

cppmadmin,

At minimum, ClearPass will authenticate any EAP-TLS certificate whose CA certificate is in its trusted list.

You can add additional checks like AD authorization and OCSP. With OCSP, ClearPass will send a request to the CA with the certificate's serial number to determine if it is revoked. Authorization and OCSP are optional. If you don't have people revoking EAP-TLS certificates in your network, don't bother with OCSP. If you have admins that revoke user and computer certificates when employees are dismissed, AD authorization is the way to go.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
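The check order the thread describes (issuing CA in the trust list, validity window, revocation via OCSP serial lookup or CRL fallback, then optional authorization of the certificate's name against AD) can be modelled offline. The block below is an added example written for this page, not ClearPass code: it builds a throwaway CA, issues machine certificates with the computer name in the SAN, publishes a CRL, shows that the OCSP request carries only the serial number (plus issuer hashes) rather than the certificate, and stands in for AD with a constructed dictionary. Everything it needs is generated inline with the `cryptography` library; the names `host01.example.local` etc. are made up.

```python
"""Offline model of the EAP-TLS client-certificate checks discussed above.
Added example, not ClearPass code.  CA, certificates, CRL and the AD stand-in
are all constructed here so the script runs without any network access."""
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = datetime.datetime(2024, 1, 1)  # fixed clock so results are reproducible


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_ca(name):
    """Self-signed CA, standing in for the organisation's issuing CA (assumed name)."""
    key = _key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_machine_cert(ca_key, ca_cert, hostname, not_before=None, not_after=None):
    """Machine certificate with the computer name as a SAN dNSName, as AD autoenrollment does."""
    key = _key()
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before or NOW - datetime.timedelta(days=1))
            .not_valid_after(not_after or NOW + datetime.timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA; this is what the 'Required (CRL fallback)' setting consults."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def ocsp_request_serial(cert, issuer):
    """The OCSP request the RADIUS server would send identifies the cert by issuer hashes + serial."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.serial_number


def validate_client_cert(cert, trust_list, crl, directory, require_authz=True, now=NOW):
    """Return (accepted, reason).  crl=None and require_authz=False is the 'bare minimum' method."""
    # 1. Trust list: the issuing CA must be present and its key must verify the signature.
    issuer = next((c for c in trust_list if c.subject == cert.issuer), None)
    if issuer is None:
        return False, "issuer not in trust list"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False, "bad signature"
    # 2. Validity window: expired certs fail here even without OCSP/CRL or authorization.
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False, "certificate expired or not yet valid"
    # 3. Revocation via CRL; the CRL itself must be signed by the trusted issuer.
    if crl is not None:
        if not crl.is_signature_valid(issuer.public_key()):
            return False, "CRL signature invalid"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "certificate revoked"
    # 4. Optional authorization: the name in the cert must still be an enabled account.
    if require_authz:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        names = san.get_values_for_type(x509.DNSName)
        if not names or not directory.get(names[0], False):
            return False, "account missing or disabled in directory"
    return True, "ok"


def demo():
    """Constructed scenario: one trusted CA, one rogue CA, good/revoked/expired machine certs."""
    ca_key, ca_cert = make_ca("Example Issuing CA")
    rogue_key, rogue_ca = make_ca("Untrusted CA")
    good = issue_machine_cert(ca_key, ca_cert, "host01.example.local")
    revoked = issue_machine_cert(ca_key, ca_cert, "host02.example.local")
    expired = issue_machine_cert(ca_key, ca_cert, "host03.example.local",
                                 NOW - datetime.timedelta(days=400), NOW - datetime.timedelta(days=30))
    rogue = issue_machine_cert(rogue_key, rogue_ca, "host01.example.local")
    crl = make_crl(ca_key, ca_cert, [revoked.serial_number])
    directory = {"host01.example.local": True, "host02.example.local": True,
                 "host03.example.local": True}  # constructed AD stand-in: name -> enabled
    trust = [ca_cert]
    return {
        "good": validate_client_cert(good, trust, crl, directory),
        "revoked": validate_client_cert(revoked, trust, crl, directory),
        "revoked_bare_minimum": validate_client_cert(revoked, trust, None, directory, False),
        "expired": validate_client_cert(expired, trust, None, directory, False),
        "untrusted_issuer": validate_client_cert(rogue, trust, crl, directory),
        "disabled_account": validate_client_cert(good, trust, crl, {"host01.example.local": False}),
        "ocsp_serial_matches": ocsp_request_serial(good, ca_cert) == good.serial_number,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `revoked_bare_minimum` case is the point the thread makes: with only the trust list configured, a revoked but otherwise valid certificate is still accepted, whereas an expired one or one from a CA outside the trust list is rejected regardless of OCSP/CRL or authorization settings.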
Occasional Contributor II

Re: Authentication source for EAP-TLS

Hi Joseph,

I got the point. My ultimate project goal is:

If the client machine certificate is invalid, CPPM should deny the access.

So if I don't use OCSP and authorization, and the client certificate is expired, does CPPM allow it? Or if the certificate is invalid/corrupted, does CPPM allow it? I know that depends upon the enforcement policy. But if OCSP and authorization are not used, should CPPM still be able to say Allow (valid cert) and Deny (invalid cert)?
