
Authentication source for EAP-TLS

  • 1.  Authentication source for EAP-TLS

    Posted May 06, 2019 06:57 AM

    Hello,

    I have a query related to EAP-TLS (machine certificate based auth).

    On ClearPass, what do we need to define as the auth source?

    Is it the Root CA server, the subordinate CA server or the AD server?

    Does ClearPass query the CA server every time to validate the cert of the client machine?

    Or do we need to copy the Root CA cert on CPPM as a Trust List?

    I want to know how ClearPass validates the client machine certificate (I doubt it checks every time with the CA).

    What is the best practice to define the auth source for EAP-TLS? In our environment, the AD server and CA server are separate.



  • 2.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 06:59 AM

    Auth source needs to be set to the AD. By default ClearPass will check if the account exists in the auth source.

    For certificate checking you need to use OCSP and/or CRL. Root/Intermediate CA needs to be added to the trust list.


  • 3.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 07:04 AM

    Hi,

    Thanks, I was also thinking the same way but I was not sure. So we have to define AD.

    When you say OCSP/CRL, where do I need to set it? I mean, how will CPPM validate the machine certificate?



  • 4.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 07:14 AM

    OCSP is set in the authentication method. The best way is to include the OCSP URL in the client certificate.
    In the auth method in ClearPass, set Verify Certificate to Required. If you want CRL fallback (I would advise you to do that), set it to Required (CRL fallback).
    Leave Override OCSP URL from Client unchecked.

    The CRL can be configured in Administration > Certificates > Revocation lists.


  • 5.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 07:30 AM

    Thanks a lot.

    So the steps are:

    1) Download the root CA certificate on CPPM (we have 1 Publisher, 1 standby Publisher and 2 Subscribers) - so the root CA is to be in the trust store of all the CPPMs?

    Also, do I need to sign the CPPM local certificate with the organization root CA?

    2) Integrate the AD server with CPPM.

    3) Enable Verify Certificate with OCSP (Required Fallback).

    4) Configure the client certificate with the OCSP URL.

    Do you have a workflow or related document for the same?

    Also, what if an OCSP server does not exist and only the root CA and subordinate CA exist?



  • 6.  RE: Authentication source for EAP-TLS

    MVP EXPERT
    Posted May 06, 2019 07:34 AM

    After the certificates are trusted on both sides (client and ClearPass), the computer name is authenticated against the Active Directory.



  • 7.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 08:22 AM

    Hi MKK, thanks a lot.

    Still a doubt: if we enable authorization and OCSP on the EAP-TLS auth method,

    does this mean ClearPass sends the query to the OCSP server on behalf of the client? The question is how ClearPass validates the certificate. I got the point that CPPM validates the machine name, but how will the certificate be validated by CPPM?



  • 8.  RE: Authentication source for EAP-TLS

    EMPLOYEE
    Posted May 06, 2019 08:31 AM

    cppmadmin,

    At minimum, ClearPass will authenticate any EAP-TLS certificate whose CA certificate is in its trusted list.

    You can add additional checks like AD authorization and OCSP. In OCSP, ClearPass will send a request to the CA with the certificate's serial number to determine if it is revoked. Authorization and OCSP are optional. If you don't have people revoking EAP-TLS certificates in your network, don't bother with OCSP. If you have admins that revoke user and computer certificates when employees are dismissed, AD authorization is the way to go.



  • 9.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 08:54 AM

    Hi Joseph,

    I got the point. My ultimate project goal is:

    if the client machine certificate is invalid, CPPM should deny the access.

    So if I don't use OCSP and authorization, and the client certificate is expired, does CPPM allow it? Or if the certificate is invalid/corrupted, does CPPM allow it? I know that depends upon the enforcement policy. But if OCSP and authorization are not used, should CPPM still be able to say Allow (valid cert) and Deny (for invalid cert)?



  • 10.  RE: Authentication source for EAP-TLS

    EMPLOYEE
    Posted May 06, 2019 09:22 AM

    How are you issuing certificates? Manually or using domain autoenrollment? If you are using autoenrollment, they never expire, and that is why admins use authorization to check to see if the device/user is disabled in AD.



  • 11.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 09:25 AM

    Yes, we are using auto enrollment. So in this case OCSP is not needed, I guess?



  • 12.  RE: Authentication source for EAP-TLS

    EMPLOYEE
    Posted May 06, 2019 09:28 AM

    Please work with your Aruba partner.


  • 13.  RE: Authentication source for EAP-TLS
    Best Answer

    EMPLOYEE
    Posted May 06, 2019 09:30 AM

    If you are not manually revoking certificates, OCSP will just always say that the certificate is Valid. The CA is separate from AD. If you revoke certificates, use OCSP, because that is the most up-to-date way to determine if a cert is valid or not. If you disable users, you should use authorization. If you are using machine certificates, you would have to disable the machine account in AD for this to work properly.



  • 14.  RE: Authentication source for EAP-TLS

    Posted May 06, 2019 09:52 AM

    Thanks Joseph. I got the flow now. Many thanks for your explanations.

    We are using auto enrollment for machine certificates on all the client machines.

    At bare minimum, if there is only the root CA on CPPM and no OCSP and authorization enabled on the EAP-TLS auth method,

    still the last question:

    Does ClearPass ignore whether the cert is valid or not? If no, what exactly does CPPM check when the request (client certificate auth request) comes from the client machine?

    If yes, then do authorization and OCSP come into the picture?



  • 15.  RE: Authentication source for EAP-TLS

    Posted May 07, 2019 09:03 AM

    Hi Joseph, waiting for your response to my query.

    If OCSP is not enabled, and there is no authorization enabled,

    provided ClearPass has the root CA certificate in the trust store,

    what will ClearPass check while doing the EAP-TLS request from the client? Does it only check whether the certificate is from a trusted source, and won't it check the validity of the certificate?



  • 16.  RE: Authentication source for EAP-TLS
    Best Answer

    EMPLOYEE
    Posted May 07, 2019 09:06 AM

    If OCSP is not enabled, or if your CA does not support that, ClearPass cannot tell if a certificate is revoked (this has nothing to do with authorization).

    If everything is unchecked in the EAP-TLS authentication method, ClearPass will only check to make sure that it has the CA in its trusted store and that the certificate is not expired.

    If you enable OCSP and your CA supports it, ClearPass can check to see if the certificate is revoked.

    If you enable authorization, ClearPass can check to see if the username on the certificate is still enabled in AD before allowing access.

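An added Go example (not code from this thread, nor ClearPass code) of the decision order the answer above describes: a constructed root CA issues machine certificates, and Evaluate always checks the trust chain and validity period, but consults revocation and AD account state only when the corresponding EAP-TLS method options are enabled. The AD account state and the CA's OCSP/CRL answer are constructed maps standing in for the real directory and responder lookups.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Template is a minimal client-auth certificate template for name, expiring at notAfter.
func Template(name string, serial int64, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-2 * time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
}

// Issue generates a key and signs tmpl with parent/parentKey; a nil parent turns tmpl into a
// constructed self-signed root CA that stands in for the organisation's CA.
func Issue(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Evaluate applies the checks in the thread's order: trust chain and validity period always;
// revocation and AD authorization only when those method options are enabled. enabledInAD and
// revokedSerials are constructed stand-ins for the AD account state and the OCSP/CRL answer.
func Evaluate(trustedCA, leaf *x509.Certificate, ocsp, authorization bool, enabledInAD, revokedSerials map[string]bool) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "deny: " + err.Error() // issuer not in the trust list, or outside the validity period
	}
	if ocsp && revokedSerials[leaf.SerialNumber.String()] {
		return "deny: certificate revoked"
	}
	if authorization && !enabledInAD[leaf.Subject.CommonName] {
		return "deny: account disabled or absent in AD"
	}
	return "allow"
}
```

With both options off, a revoked certificate or a disabled machine account is still allowed as long as the issuing CA is trusted and the certificate has not expired, which is exactly the gap the answer above describes.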

  • 17.  RE: Authentication source for EAP-TLS

    Posted May 07, 2019 09:11 AM

    Thank you very much for the clarity. Glad to have people like you who always support. Thanks a lot.



  • 18.  RE: Authentication source for EAP-TLS

    EMPLOYEE
    Posted May 06, 2019 07:31 AM

    At the bare minimum, you would only have to have the CA certificate imported into the ClearPass Trusted CA list to allow EAP-TLS clients to authenticate to ClearPass. You would duplicate the EAP-TLS authentication method and uncheck everything to allow this. To provide additional security, you could add your AD as an LDAP authentication source in ClearPass and enable Authorization in your EAP-TLS authentication method to check that the username on the certificate is still valid in AD. That would stop devices/users whose accounts have been disabled in AD from connecting. As was mentioned before, if your CA is configured with OCSP, you can also enable that in the EAP-TLS authentication method, so that certificates revoked in your CA would also not be able to authenticate in ClearPass.

    Again, you have quite a few options with EAP-TLS, but at minimum ClearPass only has to have the CA certificate that issued your client certificates in its trusted list to work.



  • 19.  RE: Authentication source for EAP-TLS

    Posted Dec 13, 2019 07:27 AM

    @cjoseph - can you post a screenshot of just the certificate validation in the service? What needs to be checked there?

    Also - thanks, I think this is going to solve a problem I have.



  • 20.  RE: Authentication source for EAP-TLS

    EMPLOYEE
    Posted Dec 13, 2019 07:42 PM

    I don't do certificate validation, so I don't have a screenshot. If you import the CA certificate into ClearPass's trust list and enable it, that is all you need:

    "At the bare minimum, you would only have to have the CA Certificate Imported into the ClearPass Trusted CA list to allow EAP-TLS clients to authenticate to ClearPass. You would duplicate the EAP-TLS authentication method and uncheck everything to allow this."