Re: Authentication source for EAP-TLS
05-06-2019 06:22 AM
How are you issuing certificates? Manually or using domain autoenrollment? If you are using autoenrollment, they never expire, and that is why admins use authorization to check to see if the device/user is disabled in AD.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Re: Authentication source for EAP-TLS
05-06-2019 06:25 AM
Yes, we are using auto enrollment. So in this case OCSP is not needed, I guess?
Re: Authentication source for EAP-TLS
05-06-2019 06:27 AM
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
05-06-2019 06:30 AM
If you are not manually revoking certificates, OCSP will just always say that the certificate is Valid. The CA is separate from AD. If you revoke certificates, use OCSP, because that is the most up to date way to determine if a cert is valid or not. If you disable users, you should use authorization. If you are using machine certificates, you would have to disable the machine account in AD for this to work properly.
Re: Authentication source for EAP-TLS
05-06-2019 06:51 AM
Thanks Joseph. I got the flow now. Many thanks for your explanations.
We are using auto enrollment for machine certificates on all the client machines.
At bare minimum, if there is only the root CA on CPPM and no OCSP and no authorisation enabled on the EAP-TLS auth method,
still the last question:
Does ClearPass ignore whether the cert is valid or not? If no, what exactly does CPPM check when the request (client certificate auth request) comes from the client machine?
If yes, then do authorization and OCSP come into the picture?
Re: Authentication source for EAP-TLS
05-07-2019 06:02 AM
Hi Joseph, waiting for your response to my query.
If OCSP is not enabled, and there is no authorization enabled,
provided ClearPass has the root CA certificate in the trust store,
what will ClearPass check while doing the EAP-TLS request from the client? Does it only check whether the certificate is from a trusted source, and will it not check the validity of the certificate?
05-07-2019 06:06 AM
If OCSP is not enabled, or if your CA does not support that, ClearPass cannot tell if a certificate is revoked (this has nothing to do with authorization).
If everything is unchecked in the EAP-TLS authentication method, ClearPass will only check to make sure that it has the CA in its trusted store and that the certificate is not expired.
If you enable OCSP and your CA supports it, ClearPass can check to see if the certificate is revoked.
If you enable authorization, ClearPass can check to see if the username on the certificate is still enabled in AD before allowing access.
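The decision logic Joseph describes above (trust store, expiry, then optional OCSP and optional AD authorization), as an added illustration that is not part of the thread and not ClearPass code; the class and function names, the CA name and the account entries are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model of the checks the thread attributes to ClearPass for an
# EAP-TLS client certificate. Names here are hypothetical, not ClearPass APIs.

@dataclass
class ClientCert:
    subject: str            # e.g. "host/pc01.corp.example" for a machine cert
    issuer: str
    not_after: datetime
    revoked: bool = False   # what the CA's OCSP responder would answer

@dataclass
class Policy:
    trusted_cas: set
    ocsp_enabled: bool = False
    authorization_enabled: bool = False

def eap_tls_decision(cert, policy, ad_accounts, now):
    """Return (accepted, reason). ad_accounts maps subject -> enabled in AD.
    Without OCSP, revocation is invisible; without authorization, a disabled
    AD account holding a still-valid certificate is accepted."""
    if cert.issuer not in policy.trusted_cas:
        return False, "issuer not in trust store"
    if cert.not_after <= now:
        return False, "certificate expired"
    if policy.ocsp_enabled and cert.revoked:
        return False, "OCSP: revoked"
    if policy.authorization_enabled and not ad_accounts.get(cert.subject, False):
        return False, "authorization: account disabled or missing in AD"
    return True, "accepted"

# Constructed scenario from the thread: auto-enrolled machine cert, the machine
# account later disabled in AD, the certificate itself never revoked.
NOW = datetime(2019, 5, 7, tzinfo=timezone.utc)
AD = {"host/pc01.corp.example": False}
CERT = ClientCert("host/pc01.corp.example", "CORP-CA",
                  datetime(2020, 5, 7, tzinfo=timezone.utc))

def scenario(ocsp, authz):
    """Evaluate the disabled-account case under a given OCSP/authorization setting."""
    return eap_tls_decision(CERT, Policy({"CORP-CA"}, ocsp, authz), AD, NOW)
```

Only the authorization-enabled variants reject the disabled machine account; OCSP alone still accepts it because the CA was never told to revoke the certificate.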
Re: Authentication source for EAP-TLS
05-07-2019 06:10 AM
Thank you so much for the clarity. Glad to have people like you who always support. Thanks a lot.