Colin,
I was just asking whether disabling the verification check for EAP-TLS is secure, in regards to whether or not the cert is actually being checked. I understand that a certificate checks against AD for u/p credentials, but I'm simply looking for a way to validate that a client has the cert I want installed on their computer, and that the cert also exists on ClearPass, and is verified and trusted. Minus the EAP-TLS modification, I was attempting to do that today, but I didn't see the options within ClearPass while I was building out the CPPM roles that would allow me to check even if a cert was verified.
Since this client wants two-factor auth, they just want to validate whether or not a client cert is valid, but not check against AD. Using the EAP-TLS modification, it seems as though CPPM will in fact check to see if the cert is on the client's machine, but it won't check AD. That's good. When I asked if it was secure or not, I was just remarking that now CPPM is the "trusted" root, of sorts. In summation, I just want the client to believe that CPPM has the root cert, and I don't want CPPM to have to do an LDAP query to AD to verify anything. The client's AD (quite a complicated setup actually, but I can't give anything away about it, unfortunately) shouldn't be queried if a client cert is being validated. So, something like simply having CPPM verify that the Issuer DN is the same, or some other validation of that nature, would suffice. Or maybe something else that just compares some info in the root CA on CPPM against some info on the client cert, and verifies that they match. Something like that. I tried doing that today with just the Issuer DN, but it failed because it still needed to reach out to AD, and the client doesn't want that.
The complete auth chain goes something like this:
1. CPPM and the client verify each other's common certs using EAP-TLS.
2. The client is then placed into a captive portal and authenticates against an additional database.
3. The client is then granted full access to the network.
Hopefully that clears up a few things. I'm sorry that I can't share more, but I'm not willing to give up anything else about the client. Judging from your responses, I detect that you might be a little frustrated at the lack of information that I'm presenting and then expecting a clear and concise response, but I'm not really looking for that so don't sweat it.
As far as the security professional is concerned, I'm basically that guy. I've got all of the controller and CPPM logic licked and am about 80% there; it's just that these requirements are a little stringent and don't really conform to any standard that I'm aware of.
Anyway, thanks for reading the wall. If you've got anything else that I might be able to learn from, I'd appreciate it. Thanks!
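An added example (not the poster's configuration and not ClearPass's own code) of the difference between the two validations discussed above: comparing the client cert's Issuer DN against the root held on the server, versus verifying the signature chain up to that root, which is what EAP-TLS server-side trust actually rests on. It builds two throwaway CAs with identical DNs in memory (constructed test data, no real customer or CPPM certificates) and shows that the DN-only comparison accepts a client cert issued by the lookalike CA, while chain verification against the trusted root rejects it. Written in Go against the standard library only; it says nothing about how CPPM implements its EAP-TLS checks internally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate with the given subject name.
// Constructed in memory for the example; not a real ClearPass or customer CA.
func newCA(commonName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert signs a client-auth (EAP-TLS supplicant) certificate with the given CA.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issuerDNMatches is the weak check from the post: accept the client cert if its
// Issuer DN equals the trusted root's Subject DN. A DN is just a string anyone can copy.
func issuerDNMatches(client, trustedRoot *x509.Certificate) bool {
	return client.Issuer.String() == trustedRoot.Subject.String()
}

// chainVerifies is the check a TLS server performs: the client cert must chain by
// signature to a root in the trust store, be within its validity period, and be
// permitted for client authentication. No directory lookup is involved.
func chainVerifies(client, trustedRoot *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Scenario records both checks for a genuine cert and for one from a lookalike CA
// whose Subject DN is identical to the trusted root's.
type Scenario struct {
	GenuineDNOnly, GenuineChain     bool
	LookalikeDNOnly, LookalikeChain bool
}

func runScenario() (Scenario, error) {
	trustedRoot, trustedKey, err := newCA("Example Corp Client CA")
	if err != nil {
		return Scenario{}, err
	}
	// Same DN, different key: only the signature chain can tell these apart.
	lookalikeRoot, lookalikeKey, err := newCA("Example Corp Client CA")
	if err != nil {
		return Scenario{}, err
	}
	genuine, err := issueClientCert(trustedRoot, trustedKey, "alice")
	if err != nil {
		return Scenario{}, err
	}
	lookalike, err := issueClientCert(lookalikeRoot, lookalikeKey, "alice")
	if err != nil {
		return Scenario{}, err
	}
	return Scenario{
		GenuineDNOnly:   issuerDNMatches(genuine, trustedRoot),
		GenuineChain:    chainVerifies(genuine, trustedRoot),
		LookalikeDNOnly: issuerDNMatches(lookalike, trustedRoot),
		LookalikeChain:  chainVerifies(lookalike, trustedRoot),
	}, nil
}

func main() {
	s, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine cert:   DN-only=%v chain=%v\n", s.GenuineDNOnly, s.GenuineChain)
	fmt.Printf("lookalike cert: DN-only=%v chain=%v\n", s.LookalikeDNOnly, s.LookalikeChain)
}
```

The point for the design discussed in the thread: a server-side trust store containing the right root, plus ordinary chain verification, already gives "the client holds a cert issued by the CA I trust" with no call to AD. A DN comparison on its own is not a substitute for that, because it accepts anything that merely names the same issuer.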