Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cert only authentication (EAP-TLS)

  • 1.  Cert only authentication (EAP-TLS)

    Posted Apr 30, 2013 01:21 PM

    I realize that issuing a cert from our Windows 2008 CA, and manually importing it on a device, circumvents nearly every feature of ClearPass, and probably makes more work for us in the long run, but here's what we think we want to do:

    • Issue a machine cert from our Windows CA
    • Import that cert onto a wireless device (Windows CE and Windows Embedded devices mostly) which is not a member of the Windows Domain.
    • Use that cert to authenticate the device to our EAP-TLS SSID

    Right now the EAP-TLS is working correctly to authenticate Windows Domain member laptops.

    On a deeper look, I see that the cert is being used to encrypt the Windows Domain machine name.

     

    I'd really like to get ClearPass to grant a connection to any device bearing a valid certificate.

    How do I (or can I) stop ClearPass from trying to verify user/password or machine-name?

     

    Am I barking up the wrong tree?



  • 2.  RE: Cert only authentication (EAP-TLS)

    Posted Apr 30, 2013 09:48 PM

    Can you verify your EAP-TLS configuration settings under Configuration --> Authentication --> Methods. Depending on the version of CPPM, you may have multiple EAP-TLS configurations defined. Check which one you have used in your service and check to see if the "Certificate Comparison" option is selected or not, and also the Authorization Required check box (uncheck it).

    Also, please confirm that the certificate you are importing into your Windows CE devices contains the private key, and not just the public key, and that the CPPM server has the Windows CA certificate imported as a trusted root CA.



  • 3.  RE: Cert only authentication (EAP-TLS)

    Posted May 07, 2013 04:00 PM

    Thanks, you were right. I'd already done those steps, I just hadn't removed the domain controller from the Authentication Sources list. Now the only thing it can test is the cert.



  • 4.  RE: Cert only authentication (EAP-TLS)

    Posted Mar 06, 2015 05:59 AM

    Hey Matthew,

    I have the same issue.

    I don't know what to use as the authentication source. I can't leave the field blank.

    Have you got any hints for me?

    Thanks in advance.

    Best regards,

    Marcel



  • 5.  RE: Cert only authentication (EAP-TLS)

    Posted Mar 06, 2015 12:08 PM

    Guys,

    As I understand this, you want to retain your existing MSFT CA PKI.... why not let CPPM issue client certs from ADCS..... we can interoperate, so you can onboard through CPPM but use the existing PKI CA. In short, we generate a CSR and fire that to ADCS, get the cert and send it to the client.

    This is fully documented in one of our technotes available from the support site.

    ADCS with ClearPass Onboard v1.1.pdf



  • 6.  RE: Cert only authentication (EAP-TLS)

    Posted Mar 09, 2015 07:12 AM

    Hey Danny,

    Thanks for your answer.

    Unfortunately, this is not an option, because the certificates will be automatically issued to IGEL thin clients. The certs are still on the devices, but with no AD account.

    However, my goal is to give any device access to a specific SSID with a valid (not revoked) certificate.

    Have you got any further ideas for the authentication source?

    Best regards,

    Marcel

    ----

    History

    - corrected some typing mistakes.



  • 7.  RE: Cert only authentication (EAP-TLS)
    Best Answer

    Posted Mar 11, 2015 04:58 AM

    Ok. I was a fool.

    I had forgotten that I must untick "Authorization Required" in the "Authentication Method".

    Grrrr....

    Thanks to everyone who was involved.



  • 8.  RE: Cert only authentication (EAP-TLS)

    Posted Apr 30, 2016 12:22 AM

    Hi Gentlemen,

    I'm facing kind of the same issue. I'm a bit new to Aruba. I've got an Aruba controller as well as a ClearPass server to do the same TLS authentication collaborated with MAC authentication. My CA will be the ClearPass server itself. Is there any guidance I can refer to on how to achieve this without onboarding?

    1. Generate cert and import to the client

    2. ClearPass service should only do TLS and MAC auth and send enforcement to WLC

    3. WLC will assign allowed profile with correct VLAN.

    Currently we are running 802.1X, onboarding for another SSID. I don't want to use the same SSID for this requirement. Please advise.

    Thanks in advance

    Kind regards

    Chaamas



  • 9.  RE: Cert only authentication (EAP-TLS)

    EMPLOYEE
    Posted Apr 30, 2016 12:24 AM
    If your CA is ClearPass, you'll be doing Onboarding.


  • 10.  RE: Cert only authentication (EAP-TLS)

    Posted Apr 30, 2016 12:30 AM

    Thanks Tim. I would like to know, without going through the onboarding process, will I be able to import the cert into the client and directly go to the ClearPass provisioning service? How should I configure the service for that? This client will not have a username and password.

    For the MAC check, I can use a static host list in the enforcement policy.

    Thank you in advance

    Kind regards

    Chaamas



  • 11.  RE: Cert only authentication (EAP-TLS)

    EMPLOYEE
    Posted Apr 30, 2016 12:38 AM
    Yes, you can generate certificates from ClearPass and manually install them but this is still an Onboard license. 


  • 12.  RE: Cert only authentication (EAP-TLS)

    EMPLOYEE
    Posted Apr 30, 2016 12:40 AM

    Chaamas,

    Did you already read the Certificates 101 Technote? https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184

    Extra question: Why would you use MAC authentication with EAP-TLS authentication?



  • 13.  RE: Cert only authentication (EAP-TLS)

    Posted Apr 30, 2016 12:50 AM

    Colin,

    I barely read the document previously. I will read it thoroughly. My company needs to restrict clients using MAC, as per my superiors' instructions. I have seen your reply in another thread that TLS will be enough. I will try to convince my superiors using your answer.

    Is there any guide that I can refer to for configuring a TLS-only service? I'm a bit new with ClearPass. Apologies if I'm asking dumb questions. :)

    Kind regards

    Chaamas



  • 14.  RE: Cert only authentication (EAP-TLS)

    EMPLOYEE
    Posted Apr 30, 2016 12:51 AM
    Do you have an Aruba partner? You should have a design session with them or your Aruba SE to come up with a comprehensive solution. 


  • 15.  RE: Cert only authentication (EAP-TLS)

    EMPLOYEE
    Posted Apr 30, 2016 12:51 AM

    Well, what are you and your superiors trying to do? You don't need ClearPass to do EAP-TLS, really.



  • 16.  RE: Cert only authentication (EAP-TLS)

    Posted Apr 30, 2016 01:02 AM

    Colin,

    I will clarify my answer :)

    I need to do EAP-TLS auth only. My CA will be the ClearPass server itself. Currently I've got an onboarding service for SSID TEST1. I need to connect my new devices to SSID TEST2 without onboarding, but using TLS.

    I'm not that aware of which cert I should export from ClearPass and give to clients, as well as how to configure the service only for TLS in the ClearPass server / Aruba controller AAA profiles.

    I will continue reading about solutions.

    Thank you

    Kind regards

    Chaamas



  • 17.  RE: Cert only authentication (EAP-TLS)

    EMPLOYEE
    Posted Apr 30, 2016 01:48 AM
    If you do not use Onboarding, you need to issue certificates from the ClearPass CA GUI...


  • 18.  RE: Cert only authentication (EAP-TLS)

    Posted May 02, 2016 07:16 AM

    Hi Colin,

    I've got 4 ClearPass servers in a cluster. Would you please let me know which certificate you meant? I'm not sure whether I have to create a CSR and have it signed by CPPM, and then upload the public key to the mobile client?

    Thank you

    Kind regards

    Chaamas