Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can Clearpass 6.1 issues machine certs

  • 1.  Can Clearpass 6.1 issues machine certs

    Posted May 01, 2013 05:55 AM

    I am trying to figure out how to do machine authentication via clearpass and am wondering if Clearpass is able to issue machine certificates for machine authentication?



  • 2.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 01, 2013 11:06 AM

    I'm not 100% sure if the CPPM can issue machine certs, but I don't think that it can.

     

    But you can do machine authentication without an individual cert for the machine.



  • 3.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 02, 2013 03:42 AM

    I wasn't holding out much hope that ClearPass could issue certs. But I imagine this is the only secure way of guaranteeing machine auth; is there another secure method?



  • 4.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 02, 2013 07:43 AM

    I can't 100% comment on the security level as I am still learning about machine and user auth using 802.1X.

     

    But what we did was install the CPPM certificate onto our test machine. Then we set up an auth source to search for our computer accounts in LDAP, and the machines were able to authenticate. The role that the machines receive is extremely restrictive, only giving access to DNS/DHCP, NetBIOS, etc. Also, in order to be able to authenticate as a machine, the machine needs to be a part of our domain. We are also exploring the possibility of adding an attribute to the machine's LDAP account to search for, so that only machines that have been approved and have this unique attribute will be able to authenticate.

     

    It isn't perfect, but we didn't want to get into generating certs for each individual machine.



  • 5.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 02, 2013 07:52 AM

    Our customer requires machine certs for each machine, which can be pushed from AD group policy. It would have been nice if ClearPass could have done this via Onboarding, but I guess you can't have everything. Thanks.



  • 6.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 02, 2013 08:05 AM

    Since your customer is AD, couldn't you set up an IAS server? I believe this is what is used in the Microsoft world to generate certs for the machines.

    Yes, I do agree it would be nice if ClearPass could do this. Perhaps that functionality might come later. I think, though, there might be some limitations based on the access the server would have within the AD domain? I could be wrong about that, of course.



  • 7.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 03, 2013 08:57 AM

    The issue is not with the issuing of certs but with authenticating machines with certificates. How can Clearpass verify certificates?



  • 8.  RE: Can Clearpass 6.1 issues machine certs

    Posted May 03, 2013 09:06 AM

    Oh I see, I see, my apologies!

    I think I had read in a PDF about machine authentication using certs with Aruba.

    I will see if I can track it down.



  • 9.  RE: Can Clearpass 6.1 issues machine certs

    EMPLOYEE
    Posted May 03, 2013 09:08 AM

    @matt Finnie wrote:

    The issue is not with the issuing of certs but with authenticating machines with certificates. How can Clearpass verify certificates?


    Matt,

     

    To authenticate machine certs issued from Active Directory, CPPM would only need:

    - A server certificate that is trusted by the clients (ideally it would be issued by the AD enterprise CA)

    - The CA cert that issued the machine certs installed in ClearPass' Trusted Certificate Authorities store

    - A Service with the Authentication Method of EAP-TLS

    - (Optional) ClearPass added to AD so that it can do authorization of the username on the certificate via LDAP/AD

    - (Optional) An OCSP URL so that ClearPass can check for certificate revocation
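The checklist in post 9 (trusted issuing CA, revocation check, authorization of the certificate's identity against AD) and the "approved" computer attribute proposed in post 4 can be exercised end to end with nothing but the openssl CLI before a real EAP-TLS service is built. The script below is an added example written for this page; it is not ClearPass code and not from anyone in the thread. It assumes an openssl 1.1.1 or newer binary, builds a throwaway CA, issues constructed machine certs for made-up hosts (ws01/ws02/ws03.corp.example), revokes one, signs one with a second untrusted CA, and then runs the same four checks a RADIUS server would: chain validation, CRL revocation (standing in for the OCSP lookup), DNS-SAN extraction, and a lookup in a constructed stand-in for the AD computer objects. The function name `check_machine_cert` and the "approved" column are the example's own inventions.

```shell
#!/usr/bin/env bash
# Added example (not ClearPass code): emulate the checks a RADIUS server makes on an
# EAP-TLS machine certificate using only the openssl CLI. All CAs, certs, hosts and
# the directory contents below are constructed for the demo.
set -euo pipefail
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# One config file serves 'openssl req' (CA self-sign) and 'openssl ca' (CRL only).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = CA_default
[CA_default]
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
default_days = 30
policy = policy_any
[policy_any]
commonName = supplied
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber

# Constructed enterprise CA (stand-in for the AD enterprise CA) and a rogue CA whose
# certs must be rejected even when the SAN carries a legitimate-looking host name.
for ca in ca rogue; do
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=$ca" -keyout "$ca.key" -out "$ca.crt" 2>/dev/null
done

# issue_machine_cert <name> <fqdn> <ca>: clientAuth cert with the host FQDN in the
# SAN, the shape an AD auto-enrolled Computer certificate has.
issue_machine_cert() {
    local name=$1 fqdn=$2 ca=$3
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$fqdn" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=clientAuth\n' "$fqdn" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA "$ca.crt" -CAkey "$ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
}
issue_machine_cert ws01 ws01.corp.example ca     # valid and approved in AD
issue_machine_cert ws02 ws02.corp.example ca     # will be revoked
issue_machine_cert ws03 ws03.corp.example ca     # valid cert, not approved in AD
issue_machine_cert evil ws01.corp.example rogue  # right name, untrusted issuer

# Revoke ws02 and publish a CRL (the offline equivalent of the OCSP answer).
openssl ca -config pki.cnf -batch -revoke ws02.crt 2>/dev/null
openssl ca -config pki.cnf -gencrl -out ca.crl 2>/dev/null

# Constructed stand-in for the AD computer objects: dNSHostName plus the custom
# "approved" attribute from post 4. Only machines flagged 1 may authenticate.
AD_COMPUTERS="ws01.corp.example 1
ws03.corp.example 0"

# check_machine_cert <cert>: prints "ALLOW <fqdn>" or "DENY <reason>"; always
# returns 0 so callers can branch on the verdict under 'set -e'.
check_machine_cert() {
    local cert=$1 fqdn approved
    # 1+2. Chain against the trusted CA store and revocation against the CRL.
    if ! openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check \
            -purpose sslclient "$cert" >/dev/null 2>&1; then
        echo "DENY chain or revocation check failed"; return 0
    fi
    # 3. Identity: take the DNS SAN, never the free-form CN.
    fqdn=$(openssl x509 -in "$cert" -noout -ext subjectAltName \
           | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p')
    [ -n "$fqdn" ] || { echo "DENY no DNS SAN"; return 0; }
    # 4. Authorization: look the identity up in the directory (LDAP in real life).
    approved=$(printf '%s\n' "$AD_COMPUTERS" | awk -v h="$fqdn" '$1==h {print $2}')
    case "$approved" in
        1) echo "ALLOW $fqdn" ;;
        0) echo "DENY $fqdn not approved" ;;
        *) echo "DENY $fqdn not in directory" ;;
    esac
}

for c in ws01 ws02 ws03 evil; do printf '%-5s %s\n' "$c" "$(check_machine_cert "$c.crt")"; done
```

The order of the checks matters: the signature chain is validated before the SAN is even read, so a name match in a certificate from an untrusted issuer (the `evil` case) never reaches the directory lookup, and the directory lookup is keyed on the SAN rather than the CN because the CN is free text that any CA in the trust store could have put there. Replace the CRL with ClearPass' OCSP URL and the awk lookup with an LDAP query on the computer object, and this is what the EAP-TLS service does at authentication time.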