Guru Elite

Re: Authentication source for EAp-TLS

How are you issuing certificates?  Manually or using domain autoenrollment?  If you are using autoenrollment, they never expire, and that is why admins use authorization to check to see if the device/user is disabled in AD.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: Authentication source for EAp-TLS

Yes, we are using auto-enrollment. So in this case OCSP is not needed, I guess?

Guru Elite

Re: Authentication source for EAp-TLS

Please work with your Aruba partner.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: Authentication source for EAp-TLS

If you are not manually revoking certificates, OCSP will just always say that the certificate is Valid.  The CA is separate from AD.  If you revoke certificates, use OCSP, because that is the most up to date way to determine if a cert is valid or not.  If you disable users, you should use authorization.  If you are using machine certificates, you would have to disable the machine account in AD for this to work properly.


Occasional Contributor II

Re: Authentication source for EAp-TLS

Thanks Joseph. I got the flow now. Many thanks for your explanations.

We are using auto-enrollment for machine certificates on all the client machines.

At a bare minimum, if there is only the root CA on CPPM and no OCSP or authorisation enabled on the EAP-TLS auth method, there is still one last question:

Does ClearPass ignore whether the cert is valid or not? If not, what exactly does CPPM check when a request (a client certificate auth request) comes from a client machine?

If yes, then do authorization and OCSP come into the picture?

Occasional Contributor II

Re: Authentication source for EAp-TLS

Hi Joseph, waiting for your response to my query.

If OCSP is not enabled, and there is no authorization enabled, provided ClearPass has the root CA certificate in its trust store:

What will ClearPass check while processing an EAP-TLS request from a client? Does it only check whether the certificate is from a trusted source, and not check the validity of the certificate?

Guru Elite

Re: Authentication source for EAp-TLS

If OCSP is not enabled, or if your CA does not support that, ClearPass cannot tell if a certificate is revoked. (This has nothing to do with authorization.)

If everything is unchecked in the EAP-TLS authentication method, ClearPass will only check to make sure that it has the CA in its trusted store and that the certificate is not expired.

If you enable OCSP and your CA supports it, ClearPass can check to see if the certificate is revoked.

If you enable authorization, ClearPass can check to see if the username on the certificate is still enabled in AD before allowing access.

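The layered checks described in the post above, as an added worked example in Go. This is not ClearPass or Aruba code and was not posted by anyone in the thread. It builds a throwaway in-memory CA, issues machine certificates the way domain autoenrollment would, and applies the checks in the order the post lists them: trust chain and validity window always; revocation only when the "OCSP" switch is on; Active Directory state only when the "authorization" switch is on. Revocation is modelled with a CA-signed CRL because Go's standard library has no OCSP client; the question it answers (is this serial revoked by the issuing CA?) is the same one an OCSP responder would answer. The Policy and Directory types, the host names, and the mapping of certificate CN to an AD account are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Policy mirrors the two optional switches on the EAP-TLS method discussed in the thread
// (the mapping is an assumption made for this example; none of this is ClearPass code).
type Policy struct {
	CheckRevocation    bool // "OCSP enabled"; modelled below with a CA-signed CRL
	CheckAuthorization bool // "authorization enabled"; look the identity up in AD
}

// Directory stands in for AD: account name -> enabled. Keyed by certificate CN (an assumption).
type Directory map[string]bool

var ErrRevoked, ErrNotAuthorized = errors.New("certificate is revoked"), errors.New("account disabled or unknown")

// Lab is a throwaway in-memory CA plus its current CRL, all constructed for the example.
type Lab struct {
	CA      *x509.Certificate
	caKey   *ecdsa.PrivateKey
	roots   *x509.CertPool
	revoked []pkix.RevokedCertificate
	crlDER  []byte
	serial  int64
}

func must[T any](v T, err error) T { // keeps lab setup short; real issuance code returns errors
	if err != nil {
		panic(err)
	}
	return v
}

func NewLab() *Lab {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	l := &Lab{CA: ca, caKey: key, roots: x509.NewCertPool(), serial: 100}
	l.roots.AddCert(ca)
	l.Revoke() // publish an empty CRL: this CA has never revoked anything
	return l
}

// Issue signs a client-auth certificate for cn, as domain autoenrollment would.
func (l *Lab) Issue(cn string, notBefore, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	l.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(l.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, l.CA, &key.PublicKey, l.caKey))))
}

// Revoke adds certs to the CRL and republishes it signed by the CA. This is the manual step
// the thread says never happens in an autoenrollment-only shop, so there the CRL stays empty.
func (l *Lab) Revoke(certs ...*x509.Certificate) {
	for _, c := range certs {
		l.revoked = append(l.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(l.revoked) + 1)), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: l.revoked}
	l.crlDER = must(x509.CreateRevocationList(rand.Reader, tmpl, l.CA, l.caKey))
}

// Authenticate applies the checks in the order the thread lays them out.
func Authenticate(l *Lab, cert *x509.Certificate, now time.Time, pol Policy, dir Directory) error {
	// 1. Always: chains to a trusted CA, is inside its validity window, and is usable for client auth.
	opts := x509.VerifyOptions{Roots: l.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	// 2. Only if enabled: revocation. With this off, a revoked certificate still passes step 1.
	if pol.CheckRevocation {
		crl, err := x509.ParseRevocationList(l.crlDER)
		if err == nil {
			err = crl.CheckSignatureFrom(l.CA) // fail closed on a CRL the CA did not sign
		}
		if err != nil {
			return err
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
	}
	// 3. Only if enabled: directory state. The CA cannot know that the AD account was disabled.
	if pol.CheckAuthorization {
		if enabled, ok := dir[cert.Subject.CommonName]; !ok || !enabled {
			return ErrNotAuthorized
		}
	}
	return nil
}
```

With both switches off, `Authenticate` accepts a certificate that the CA has since revoked and a certificate whose machine account is disabled in the directory, which is exactly the gap the post describes; an expired certificate is rejected in every configuration. The revocation branch fails closed if the CRL does not parse or was not signed by the CA, the behaviour a practitioner wants from an OCSP check as well.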
Occasional Contributor II

Re: Authentication source for EAp-TLS

Thank you very much for the clarity. Glad to have people like you who always support. Thanks a lot.
