Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass EAP TLS configuration

  • 1.  ClearPass EAP TLS configuration

    Posted Jul 16, 2012 06:23 AM

    I'm looking at EAP TLS authentication and don't quite get the options in the configuration. Basically ClearPass just passes the request on to the AD behind it, which returns an OK or not OK?

    Why can you then set "Certificate Comparison" and what do the different options mean? With "Do not compare" is the certificate actually checked by the AD at all? And what if I select "Compare Common Name (CN)", who is comparing it then?



  • 2.  RE: ClearPass EAP TLS configuration

    Posted Mar 19, 2013 05:29 AM

    Hello,

     

    I am having the same problem with the EAP TLS authentication dialog box as 'boneyard' wrote back in July of 2012.

     

    It's purely a problem of understanding the options presented in the EAP TLS authentication method dialog box. The CPPM online help isn't very helpful, either.

     

    My basic question is about the options in the 'Method Details' part of the dialog box (see attached screenshot).

     

    If I select 'Compare CN or SAN' for instance, against what is the client certificate being checked? Is it being checked against the certificates in the 'Trust List' that are enabled?

     

    Thanks for your help!

     

    cheers,

    Harald



  • 3.  RE: ClearPass EAP TLS configuration

    EMPLOYEE
    Posted Mar 19, 2013 07:19 AM


  • 4.  RE: ClearPass EAP TLS configuration

    Posted Mar 19, 2013 11:37 AM

    Thanks for the reply!

     

    The information on page 107 is the same as in the CPPM on-line help.

     

    Still, I am not sure what to make of it. Maybe it's a language problem or a lack of understanding on my side.

     

    If I choose 'Compare CN or SAN' - does CPPM compare the client certificate against information stored in Active Directory? Or does CPPM compare the client certificate against its own internal Trust List?

     

    cheers,

    Harald



  • 5.  RE: ClearPass EAP TLS configuration

    Posted Nov 04, 2013 11:17 PM

    All,

     

    I was asked about this a little while ago and came up with a kludgy way to get around this with an Active Directory backend. The first set of commands are applied as a new filter under the Active Directory server itself. Here's how to pull it off:

     

    1. Go to Configuration > Authentication > Sources > "Your AD Server"

    2. Click on the "Attributes" tab

    3. Click on "Add More Filters"

    4. Click on the "Configuration" tab

    5. Under "Filter Name" enter something relevant for you. I'm going to call it ToP-Test

    6. Under "Filter Query" enter the following:

     

    (&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))

     

    7. Under "Name" enter the following: sAMAccountName

    8. Under "Alias Name" enter the following: DisabledAccount

    9. Under "Data Type" select "String"

    10. Under "Enabled As" check the "Attribute" box

     

    The second step is to make a change to the role or enforcement setting and add the following:

     

    AND Authorization:<Your AD Server> DisabledAccount  NOT_CONTAINS  %{Radius:IETF:User-Name}

     

    The above line will do a search for the username in the newly defined "DisabledAccount" field. Note you may have to clear the cache on the AD server after making these changes.

     

    You'll now see under Access Tracker > "OnBoarding Connection" > Request Details > Input - that there's a new field that references the "DisabledAccount" with all of the disabled accounts from your AD server. The role or enforcement setting will compare the disabled accounts on your AD box with the username that you send. This allows you to still do a certificate EAP-TLS connection and also verify whether the account has been disabled in AD.

     

    Let me know what you think - thanks!

     

    -Mike

     

     



  • 6.  RE: ClearPass EAP TLS configuration

    EMPLOYEE
    Posted Nov 04, 2013 11:32 PM
    Thank you for the info Mike.

    There will be support coming for ClearPass to natively check for account status "active or disabled" instead of having to add userAccountControl.


  • 7.  RE: ClearPass EAP TLS configuration

    Posted Nov 26, 2013 03:58 AM

    Hi,

    We are doing authentication against the guest user database as they are company devices with guests using them. Onboarding the TLS certificates allows for easy management of these devices.

     

    The problem I have is that Account expiry and Account status (Active or disabled) does not have any effect on the authentication of the TLS certificate. I have tried looking for these fields so I could do an enforcement policy and/or Role mapping but I cannot see them.

     

    Am I missing something?  At the moment, I am getting the users to set the User Role to "Disabled" and this works. Ideally I would like accounts to expire automatically and cause the authentication to drop off.



  • 8.  RE: ClearPass EAP TLS configuration

    EMPLOYEE
    Posted Nov 26, 2013 04:00 AM
    Are you looking at the AD for expiration or the age of the certificate?


  • 9.  RE: ClearPass EAP TLS configuration

    Posted Nov 26, 2013 04:02 AM

    Not looking at AD at all, this is a guest user database.



  • 10.  RE: ClearPass EAP TLS configuration

    EMPLOYEE
    Posted Nov 26, 2013 04:09 AM
    You will need to make sure in your authz in your service you have a query to check for account status.

    If you use the guest Mac authentication service template it will create the source query automatically.

    Add that source to your authz

    In your enforcement, add a post-auth check for expiration. It should look a lot like the guest .1x service that was created using the template.


  • 11.  RE: ClearPass EAP TLS configuration

    Posted Mar 19, 2014 12:24 AM

    Hi Troy,

     

    I wanted to follow up on this post to see if there are additional checks in CPPM 6.3 if an AD account is active or disabled?

     

    Thanks!

     

    -Mike



  • 12.  RE: ClearPass EAP TLS configuration

    EMPLOYEE
    Posted Mar 19, 2014 12:35 AM

    Yes, when you auth with TLS to CPPM, it will also check to see if the account is still valid. Even though you are using a cert, the username is still embedded in the cert.

     

    It's been a while since I have tested it. In older versions you would have to manually configure it but I believe in later versions of 6.2 it is built in.



  • 13.  RE: ClearPass EAP TLS configuration

    Posted Mar 19, 2014 01:24 PM

    Hi Troy,

     

    I have a customer install of 6.2.5 and I'm not able to get it to work. I've disabled the account in AD, cleared the AD source cache, and it's still able to log in.

     

    I'll play around with it over the next few days. I've also asked a TAC engineer to take a look, so we'll see. I'll post an answer on here if / when I find something.

     

    -Mike



  • 14.  RE: ClearPass EAP TLS configuration

    EMPLOYEE
    Posted Mar 20, 2014 01:55 AM

    So there are two parts here.

     

    Account Active or account disabled.

     

    For account active:

     

    "accountExpires", two paths:

    1. For MSCHAPv2 or PAP or any of those things - the authentication will fail, i.e. the AD will deny the transaction. Given this, the authentication will fail and, as a result, CPPM sends an ensuing RADIUS Access-Reject.

    2. For "authorization" purposes - say, a BYO appears with a TLS certificate that's still valid, but the AD account behind it has expired. An authz check will work, given the account still exists, but has simply expired. Given this, we had to add a check to look for the expiry status, and compute that into "normal" date-time values (instead of nano-second ticks since 1600 A.D.)

    Account Disabled:

    You'll need to use the LDAP filter:

    (&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    There is a how-to on arubapedia. I updated the class so partners can see it but it will take a day for it to show up.

    Search:

    How to: Enforce Account Disabled with AD when using TLS Certificates


  • 15.  RE: ClearPass EAP TLS configuration

    Posted Mar 20, 2014 10:32 AM

    Troy,

     

    Awesome! It took me a little bit to figure out since this isn't an area that I often touch. I'm going to put your information together with my post from a few months back. I'm writing up the below so I don't forget:

     

    Here's the full steps to pull it off:

     

    Go to Configuration > Authentication > Sources > "Your AD Server"

     

    1. Click on the "Attributes" tab

    2. Click on "Add More Filters"

    3. Click on the "Configuration" tab

    4. Under "Filter Name" enter something relevant for you. I'm going to call it ToP-Test2

    5. Under "Filter Query" enter the following:

     

    (&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

     

    6. Under "Name" enter the following: sAMAccountName

    7. Under "Alias Name" enter the following: ToP-ActiveAccount

    8. Under "Data Type" select "String"

    9. Under "Enabled As" check the "Attribute" box

     

    Go to the Wireless 802.1X service under Configuration > Services > "Your 802.1X wireless service" 

     

    1. Go to Roles > Modify the Role Mapping for this service

    2. Go to Mapping Rules > Click on "Add Rule"

          i. Type = Authorization:AD

          ii. Name = ToP-ActiveAccount

          iii. Operator = NOT_EXISTS

          iv. Role Name = "Deny All"

          v. Click "Save"

    3. Go to Enforcement > Modify the Enforcement Policy

    4. Go to Rules > Click on "Add Rule"

          i. Type = Tips

          ii. Name = Role

          iii. Operator = EQUALS

          iv. Value = Deny All

          v. Enforcement Profiles > Profiles Name > [RADIUS] [ Deny Access Profile ] 

          vi. Click "Save"

    5. Move this Enforcement profile to the top of the list and click "Save" in the bottom right-hand corner

     

    To verify that it is working, go to Access Tracker > Input > Authorization Attributes. Active AD accounts should appear as the sAMAccount username to the right of something similar to "Authorization:Windows-2012:ToP-ActiveAccount." A disabled account in AD will not be present.
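An added example, not code from the thread or from ClearPass: a small Python model of the two AD-side checks that posts 5, 14 and 15 build as ClearPass authorization filters. It evaluates both LDAP filters from the thread against constructed directory records (the bitwise-AND matching rule OID 1.2.840.113556.1.4.803 tests userAccountControl bit 0x2, ACCOUNTDISABLE; samAccountType 805306368 is a normal user account), converts accountExpires from 100-nanosecond ticks since 1601-01-01 UTC into a datetime, and combines them into the post-certificate authorization decision the thread describes. The directory entries, the fixed NOW timestamp and the function names are assumptions made for illustration, not ClearPass or AD API names.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x2                  # userAccountControl flag tested by both filters in the thread
SAM_NORMAL_USER_ACCOUNT = 805306368   # samAccountType value from the first filter (post 5)
NEVER_EXPIRES = {0, 2**63 - 1}        # both encodings AD uses for "no expiry"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """UTC datetime -> 100-nanosecond ticks since 1601-01-01 (the accountExpires encoding)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def filetime_to_datetime(ticks):
    """Inverse of to_filetime; returns None when the account never expires."""
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# Constructed sample directory (hypothetical accounts, not real data). 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2014, 3, 20, tzinfo=timezone.utc)   # constructed evaluation time
DIRECTORY = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"],
     "samAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 0x200,
     "accountExpires": 0},                                                  # active, never expires
    {"sAMAccountName": "bob", "objectClass": ["top", "person", "user"],
     "samAccountType": SAM_NORMAL_USER_ACCOUNT,
     "userAccountControl": 0x200 | ACCOUNTDISABLE, "accountExpires": 0},   # disabled in AD
    {"sAMAccountName": "carol", "objectClass": ["top", "person", "user"],
     "samAccountType": SAM_NORMAL_USER_ACCOUNT, "userAccountControl": 0x200,
     "accountExpires": to_filetime(datetime(2014, 1, 1, tzinfo=timezone.utc))},  # expired
    {"sAMAccountName": "wks01$", "objectClass": ["top", "computer"],
     "samAccountType": 805306369, "userAccountControl": 0x1000 | ACCOUNTDISABLE,
     "accountExpires": 0},                                                  # disabled machine account
]


def is_disabled(entry):
    # (userAccountControl:1.2.840.113556.1.4.803:=2) is a bitwise AND against bit 0x2
    return entry["userAccountControl"] & ACCOUNTDISABLE != 0


def disabled_accounts(directory):
    """Post 5's filter: (&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368)).
    Returns the sAMAccountName of every disabled normal user account (machine accounts excluded)."""
    return [e["sAMAccountName"] for e in directory
            if is_disabled(e) and e["samAccountType"] == SAM_NORMAL_USER_ACCOUNT]


def active_user_entries(directory, username):
    """Post 14/15's filter, with %{Authentication:Username} substituted:
    (&(sAMAccountName=<username>)(objectClass=user)(!(userAccountControl:...:=2))).
    Matches only when the named account exists, is a user object, and is not disabled."""
    return [e for e in directory
            if e["sAMAccountName"].lower() == username.lower()   # AD name matching is case-insensitive
            and "user" in e["objectClass"]
            and not is_disabled(e)]


def authorize_tls_user(username, directory, now=NOW):
    """Authorization decision for a user whose certificate has already validated.
    Mirrors the thread: the role mapping denies when the active-account attribute does not exist
    (account missing or disabled); the separate expiry check then uses accountExpires."""
    matches = active_user_entries(directory, username)
    if not matches:
        return ("reject", "no active AD account for %s" % username)
    expires = filetime_to_datetime(matches[0]["accountExpires"])
    if expires is not None and expires <= now:
        return ("reject", "AD account expired on %s" % expires.date())
    return ("accept", "active AD account, expires %s" % (expires.date() if expires else "never"))


if __name__ == "__main__":
    print("disabled normal users:", disabled_accounts(DIRECTORY))
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, "->", authorize_tls_user(name, DIRECTORY))
```

The contrast between the two filter functions is the point of the later posts: post 5's filter returns the whole set of disabled accounts and leaves the comparison to a NOT_CONTAINS rule, whereas the filter from posts 14 and 15 is keyed on the authenticated username, so the attribute simply does not exist for a disabled or unknown account and the NOT_EXISTS role-mapping rule denies it. Expiry is a separate condition from disablement in AD, which is why a second check on accountExpires is needed even when the disabled-account filter passes.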



  • 16.  RE: ClearPass EAP TLS configuration

    Posted Aug 18, 2014 11:46 AM

    Hi,

         I did the same configuration except not using role mapping policy. I directly use account status to decide which enforcement policy to apply. However, the user was able to get connected even with the account disabled. I checked the access tracker and found out that there was nothing for Input tab > Authorization Attributes except authorization:userDN = "". I did enable authorization for the service and put AD as an additional source of authorization. Please advise.