Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM, EAP-TLS, Computer+User

  • 1.  CPPM, EAP-TLS, Computer+User

    Posted Jul 19, 2019 04:20 AM

    Been looking into switching from EAP-PEAP to EAP-TLS, both for the computer and the user side.

    End goal is that the computer authenticates with a certificate and gains access to a limited role which gives access to a few things, like AD.

    When the user logs in to Windows it fires a user authentication, with the user's certificate, to gain the correct VLAN and role combination.

     

    I have gotten the computer and user certificate auto-enrollment set in GPO (Win 2016 server + Win10) along with the Intune certificate connector for the iPads rolled in via Intune.

     

    The issue is that during logon to Windows, the user will be granted access since the computer is machine authenticated with enough access to do an AD login.

    However during this process user authentication on the wifi is supposed to happen.

    Since the user hasn't been logged in before, there isn't a user certificate issued yet.

     

    So here I got a bit stuck. An option would of course be to connect a LAN cable and do the first login that way.

    However, we then can't have a new user logging in to the same machine without going through the process of finding a LAN cable.

     

    Any thoughts?

     

     



  • 2.  RE: CPPM, EAP-TLS, Computer+User

    EMPLOYEE
    Posted Jul 19, 2019 05:52 AM

    This is probably the most asked question when switching from EAP-PEAP to EAP-TLS.

     

    What many organizations have settled on is EAP-TLS with computer-only authentication.  Why?  Because it mirrors exactly what happens when a wired computer is plugged in:

    - The computer authenticates via EAP-TLS.  At that time, at the ctrl-alt-delete screen, Windows and the Windows subsystem have full access to the network and it can be fully managed by authorized users on the network

    - A user comes along and logs in, but will only be able to access the computer and the network if they have valid credentials.

    - If a user's password changes, the computer has full access to the network to make that happen

    - If you want to disable a user's access to the network, the user will not be able to login to the machine

    - If you want to disable a machine's access to the network, you can disable the machine account.  You can also layer on checking the machine account name when authenticating via EAP-TLS, so that disabling the machine account disables access to the network for that machine.

     

    I have found that many admins try to give the computer limited access, then attempt to restore more full access when the user logs in, or break communications when they switch the VLAN, and it becomes an administrative nightmare.  Machine-Only Authentication via EAP-TLS is a sensible and straightforward way to make it work.

     

    Again, this is my experience, and not security advice.  It would be interesting to hear what others have done.



  • 3.  RE: CPPM, EAP-TLS, Computer+User

    Posted Jul 19, 2019 06:12 AM

    Yeah I often see the guides mention computer auth only.

     

    In an educational environment, AD might be populated from other systems based on position, student class etc.

    On top of that one machine might be used by a teacher which should have certain access, then a student in the 5th grade, then next time a student in the 8th grade where you have certain roles that deny access to resources during exam times as one of many examples.

     

    All this is easily done with EAP-PEAP; however, I was hoping to have one auth method across all platforms.

    When iPads are rolled in via Intune they get a certificate and thus use EAP-TLS (based on the Intune user); it would be nice to get the machines and users to do the same on Win10.

     

    EAP-TLS in a regular office setting I can see machine auth only, maybe use CPPM to give roles based on OUs.

     

    Looking forward to hearing some thoughts here.



  • 4.  RE: CPPM, EAP-TLS, Computer+User

    EMPLOYEE
    Posted Jul 19, 2019 06:28 AM

    There are a few things that can be done, but I want to say we would have to know more about your setup for forum users to suggest things.  For example:

     

    Are the majority of your resources web-based and require users to login to them separately?  Do you require logins for web proxy access?  How do you manage access to resources now?



  • 5.  RE: CPPM, EAP-TLS, Computer+User

    Posted Jul 19, 2019 06:53 AM

    I'll go into some detail, but I feel this would apply to several other setups.

    Setups where EAP-PEAP is working and doing its thing, but where the end customer is asking for a higher level of security.

     

    Resources are a bit of this and bit of that really.

    Some are internal servers with web based and non-web based access.

    Some are cloud services (office365 etc)

    In this specific case there is a web proxy which we hope to integrate with ClearPass as well.

     

    As a general point of view here, what I'm looking to do is role based access.

    If group or combinations of groups in AD (or intune attributes etc) equals something, then give "Tips role so-and-so".

    Based on this I return a role to the Aruba controller which holds an ACL and VLAN.

    This role can be student class (1st to 10th grade), teacher or municipality employee in various positions (each with a different role).

    The role we hope to bring in to the web proxy as well.

     

    The endgoal being that CPPM is the master of roles, where the wireless controller, firewall and web proxy uses the "Tips role" to give and deny access to resources (IP, subnets, URLs or web category for example).

    In this specific case they do very little of these kind of things currently, but are very keen on implementing CPPM as the heart of the network.

     

    Doing all this with EAP-PEAP isn't straightforward, but we're talking about "if statements" with "if so then so" along with integrations to the firewall and web proxy (a story of its own..).

     

    When it comes to the original topic I was hoping as part of the added security focus, to switch to EAP-TLS.

    However as mentioned, during the test process I see that the certificate request for the user happens too late in the process in a way.

    By that I mean that the machines authenticate fine, as they were installed with a LAN cable attached, so the GPO runs and the machine requests a certificate, which they authenticate fine with.

     

    The user logs on to Windows and during the logon process (apparently before requesting a user cert) Windows re-auths to the wireless network, but can't, since the user hasn't requested/gotten a certificate yet.

    So the solution here would have been an option to delay the user auth to the wireless network until a certificate has been downloaded with whatever role the machine auth gave, but I don't know of such an option, unfortunately.

     

    The no-go option is to connect a cable each time a new user needs to log on to a PC...
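As an added example that is not part of the thread and is not ClearPass code: a small Python model of the authorization step the thread describes layering on top of EAP-TLS. Reply 2 suggests checking the machine account name from the certificate against AD so that disabling the computer account also disables network access; reply 5 describes the "if these AD groups, then this TIPS role" mapping that returns a role and VLAN to the controller, with reply 3 adding an exam-time override for students. Certificate validation itself is assumed to have already succeeded (the RADIUS server does that); the code starts from the client certificate's Subject Alternative Name. The directory records, account names, group names, TIPS role names and VLAN numbers are all constructed sample data.

```python
"""Model of post-EAP-TLS authorization: resolve the certificate's SAN to an AD
account, refuse disabled accounts, then map group membership to a TIPS role.
Constructed example; the directory and names below are not real."""

from dataclasses import dataclass
from typing import Optional

ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit set when an account is disabled

# Constructed AD records keyed by sAMAccountName. Computer accounts end in "$"
# and carry dNSHostName, which auto-enrolled machine certificates put in the DNS SAN.
DIRECTORY = {
    "LAB-PC-01$": {"uac": 0x1000, "dns": "lab-pc-01.school.example", "groups": {"Domain Computers"}},
    "LAB-PC-02$": {"uac": 0x1000 | ACCOUNTDISABLE, "dns": "lab-pc-02.school.example", "groups": {"Domain Computers"}},
    "teacher1": {"uac": 0x200, "groups": {"Teachers", "Staff"}},
    "student5a": {"uac": 0x200, "groups": {"Students", "Class 5A"}},
    "student8b": {"uac": 0x200, "groups": {"Students", "Class 8B"}},
}

# Ordered "if these groups are all present, then this role and VLAN" rules; first match wins.
ROLE_RULES = [
    ({"Teachers"}, ("TIPS-Teacher", 110)),
    ({"Students", "Class 5A"}, ("TIPS-Student-5", 205)),
    ({"Students", "Class 8B"}, ("TIPS-Student-8", 208)),
    ({"Students"}, ("TIPS-Student", 200)),
]
MACHINE_ROLE = ("TIPS-Machine", 100)  # limited role a computer gets at the ctrl-alt-del screen
EXAM_ROLE = ("TIPS-Exam", 250)        # applied to students while an exam is running


@dataclass
class Decision:
    accept: bool
    role: Optional[str] = None
    vlan: Optional[int] = None
    reason: str = ""


def account_for_san(san: dict) -> Optional[str]:
    """Resolve a parsed SAN to a sAMAccountName.
    User certificates carry a UPN SAN; machine certificates carry a DNS SAN."""
    upn = san.get("upn")
    if upn:
        name = upn.split("@", 1)[0]
        return name if name in DIRECTORY else None
    dns = (san.get("dns") or "").lower()
    for sam, rec in DIRECTORY.items():
        if rec.get("dns") == dns:
            return sam
    return None


def authorize(san: dict, exam_mode: bool = False) -> Decision:
    """Authorization after a successful EAP-TLS handshake. A valid certificate
    alone is not enough: the matching AD account must exist and be enabled."""
    sam = account_for_san(san)
    if sam is None:
        return Decision(False, reason="certificate identity has no matching AD account")
    rec = DIRECTORY[sam]
    if rec["uac"] & ACCOUNTDISABLE:
        return Decision(False, reason=f"{sam} is disabled in AD")
    if sam.endswith("$"):
        role, vlan = MACHINE_ROLE
        return Decision(True, role, vlan, "machine authentication")
    groups = rec["groups"]
    if exam_mode and "Students" in groups:
        role, vlan = EXAM_ROLE
        return Decision(True, role, vlan, "exam mode overrides the student role")
    for required, (role, vlan) in ROLE_RULES:
        if required <= groups:
            return Decision(True, role, vlan, f"matched groups {sorted(required)}")
    return Decision(False, reason=f"{sam} matched no role rule")


if __name__ == "__main__":
    for san in ({"dns": "lab-pc-01.school.example"}, {"dns": "lab-pc-02.school.example"},
                {"upn": "teacher1@school.example"}, {"upn": "student5a@school.example"},
                {"upn": "nobody@school.example"}):
        print(san, authorize(san))
```

The disabled computer LAB-PC-02 is rejected even though its certificate would pass validation, which is the point of the account check in reply 2; in a real deployment the same rule is expressed as an authorization-source lookup and enforcement policy in ClearPass rather than in code.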