Guru Elite

Re: Authentication source for EAP-TLS

How are you issuing certificates?  Manually or using domain autoenrollment?  If you are using autoenrollment, they never expire, and that is why admins use authorization to check to see if the device/user is disabled in AD.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba Technical Webinars
Frequent Contributor I

Re: Authentication source for EAP-TLS

Yes, we are using autoenrollment. So in this case OCSP is not needed, I guess?

Guru Elite

Re: Authentication source for EAP-TLS

Please work with your Aruba partner.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: Authentication source for EAP-TLS

If you are not manually revoking certificates, OCSP will just always say that the certificate is Valid.  The CA is separate from AD.  If you revoke certificates, use OCSP, because that is the most up to date way to determine if a cert is valid or not.  If you disable users, you should use authorization.  If you are using machine certificates, you would have to disable the machine account in AD for this to work properly.


Frequent Contributor I

Re: Authentication source for EAP-TLS

Thanks Joseph. I got the flow now. Many thanks for your explanations.

We are using autoenrollment for machine certificates on all the client machines.

At bare minimum, if there is only the root CA on CPPM and no OCSP and no authorisation enabled on the EAP-TLS auth method, there is still one last question:

Does ClearPass ignore whether the cert is valid or not? If no, what exactly does CPPM check when the request (client certificate auth request) comes from the client machine?

If yes, then do authorization and OCSP come into the picture?

Frequent Contributor I

Re: Authentication source for EAP-TLS

Hi Joseph, waiting for your response to my query.

If OCSP is not enabled, and there is no authorization enabled, provided ClearPass has the root CA certificate in its trust store:

What will ClearPass check while processing an EAP-TLS request from a client? Does it only check whether the certificate is from a trusted source, and won't it check the validity of the certificate?

Guru Elite

Re: Authentication source for EAP-TLS

If OCSP is not enabled, or if your CA does not support it, ClearPass cannot tell if a certificate is revoked. (This has nothing to do with authorization.)

If everything is unchecked in the EAP-TLS authentication method, ClearPass will only check to make sure that it has the CA in its trusted store and that the certificate is not expired.

If you enable OCSP and your CA supports it, ClearPass can check to see if the certificate is revoked.

If you enable authorization, ClearPass can check to see if the username on the certificate is still enabled in AD before allowing access.

 

 


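The four checks described in the reply above, as an added example written for this page (hypothetical code, not ClearPass's implementation and not posted by anyone in the thread). It builds a throwaway issuing CA and a machine certificate with the Python `cryptography` package, then runs the checks in the order the reply lays them out: trust list and signature, expiry, revocation only if enabled, authorization only if enabled. OCSP needs a live responder, so a CA-signed CRL stands in for the revocation check, and a plain dict of account names to enabled flags stands in for AD; the CA name, machine names and the `authenticate` function and its reason strings are all made up for the illustration.

```python
"""Hypothetical model of the checks a RADIUS server such as ClearPass applies
to an EAP-TLS client certificate, layered as the reply above describes.
Not ClearPass code: written for this page; requires the 'cryptography' package."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pub, from_days_ago, for_days):
    start = dt.datetime.now(UTC) - dt.timedelta(days=from_days_ago)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=for_days)))


def make_ca(cn):
    """Self-signed CA standing in for the enterprise issuing CA (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 1, 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_machine_cert(ca_key, ca_cert, machine_cn, from_days_ago=1, for_days=365):
    """Machine certificate as autoenrollment would issue it; CN names the machine account."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _builder(_name(machine_cn), ca_cert.subject, key.public_key(),
                    from_days_ago, for_days).sign(ca_key, hashes.SHA256())


def make_crl(ca_key, ca_cert, revoked_serials):
    """CA-signed CRL; stands in for OCSP, which would need a live responder."""
    now = dt.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now - dt.timedelta(days=1)).next_update(now + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(serial)
                                      .revocation_date(now - dt.timedelta(hours=1)).build())
    return b.sign(ca_key, hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 exposes aware *_utc attributes; older versions naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return (cert.not_valid_before.replace(tzinfo=UTC),
                cert.not_valid_after.replace(tzinfo=UTC))
    return nb, cert.not_valid_after_utc


def authenticate(cert, trust_store, crl=None, directory=None):
    """Return (accepted, reason).

    trust_store: CA certificates in the server's trust list (always checked).
    crl:         revocation data, consulted only if a revocation check is
                 enabled (OCSP in ClearPass; a CRL in this model).
    directory:   account name -> enabled flag, consulted only if authorization
                 is enabled (AD in the thread; a constructed dict here).
    """
    # 1. Issuer must be in the trust list, and its key must verify the signature.
    issuer = next((ca for ca in trust_store if ca.subject == cert.issuer), None)
    if issuer is None:
        return False, "issuer not in trust list"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature does not verify against trusted CA"
    # 2. Validity period. Checks 1 and 2 are all a bare EAP-TLS method does.
    nb, na = _validity(cert)
    if not nb <= dt.datetime.now(UTC) <= na:
        return False, "certificate expired or not yet valid"
    # 3. Revocation, only if enabled. Without it a revoked cert still passes.
    if crl is not None:
        if not crl.is_signature_valid(issuer.public_key()):
            return False, "revocation data not signed by trusted CA"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "certificate revoked"
    # 4. Authorization, only if enabled: the cert's identity must still be enabled.
    if directory is not None:
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        if not directory.get(cn, False):
            return False, "account disabled or not found in directory"
    return True, "accepted"


if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Corp Issuing CA")
    good = issue_machine_cert(ca_key, ca_cert, "PC01.corp.example")
    crl = make_crl(ca_key, ca_cert, [good.serial_number])
    print("bare method:  ", authenticate(good, [ca_cert]))
    print("with CRL:     ", authenticate(good, [ca_cert], crl=crl))
    print("with authz:   ", authenticate(good, [ca_cert], directory={"PC01.corp.example": False}))
```

The point the thread makes falls out of the optional arguments: a certificate that has been revoked at the CA, or whose machine account has been disabled in AD, is still accepted by `authenticate(cert, [ca_cert])` alone, and is refused only once the corresponding check is switched on. A rogue CA that copies the trusted CA's subject name is caught by the signature verification in step 1, not by the name comparison.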
Frequent Contributor I

Re: Authentication source for EAP-TLS

Thank you very much for the clarity. Glad to have people like you who always support. Thanks a lot.

Occasional Contributor II

Re: Authentication source for EAP-TLS


@cjoseph wrote:

@cppmadmin wrote:

Hello,

I have a query related to EAP-TLS (machine certificate based auth).

On ClearPass, what do we need to define as the auth source?

Is it the root CA server, the subordinate CA server or the AD server?

Does ClearPass query the CA server every time to validate the cert of the client machine?

Or do we need to copy the root CA cert onto CPPM as a trust list?

I want to know how ClearPass validates the client machine certificate (I doubt it checks every time with the CA).

What is the best practice to define the auth source for EAP-TLS? In our environment, the AD server and CA server are separate.


At the bare minimum, you would only have to have the CA Certificate Imported into the ClearPass Trusted CA list to allow EAP-TLS clients to authenticate to ClearPass.  You would duplicate the EAP-TLS authentication method and uncheck everything to allow this.  To provide additional security, you could add your AD as an LDAP authentication source in ClearPass and enable Authorization in your EAP-TLS authentication method to check that the username on the certificate is still valid in AD.  That would stop devices/users whose accounts have been disabled in AD from connecting.  As was mentioned before, if your CA is configured with OCSP, you can also enable that in the EAP-TLS authentication method, so that certificates revoked in your CA would also not be able to authenticate in ClearPass.

 

Again, you have quite a few options with EAP-TLS, but at minimum ClearPass only has to have the CA certificate that issued your client certificates in its trusted list to work.


@cjoseph - can you post a screenshot of just the Certificate validation part of the service? What needs to be checked there?

Also - thanks, I think this is going to solve a problem I have.

Guru Elite

Re: Authentication source for EAP-TLS

I don't do certificate validation, so I don't have a screenshot. If you import the CA certificate into ClearPass's trust list and enable it, that is all you need:

 

"At the bare minimum, you would only have to have the CA Certificate Imported into the ClearPass Trusted CA list to allow EAP-TLS clients to authenticate to ClearPass.  You would duplicate the EAP-TLS authentication method and uncheck everything to allow this.  "

