Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 802.1x AD auth certificates

  • 1.  Clearpass 802.1x AD auth certificates

    Posted Oct 19, 2016 12:39 PM

    Hello,

    I'm trying to get 802.1x authentication using Active Directory set up before deploying to my users.

    Intended setup: user attempts to connect to the SSID; based on their current AD login, if the account is a memberOf the correct group, allow them to connect to the SSID.

    I'm not very knowledgeable on certificates and could use assistance in understanding what I'm missing.

    I have Clearpass added to the AD domain, and I have an HTTPS cert set up from a trusted CA (GoDaddy), which is also in the trust list, as well as a RADIUS cert from my AD, which is also in the trust list. Both have the full trust chain included.

    I have a basic policy check. It is set up so that if a user is a member of "testgroup", then use the "allow access profile". I ran policy simulation, and authentication is successful. However, I'm testing the connection to the SSID on a Windows XP laptop (unsupported, but we still have some). I receive an alert: "Windows was unable to find a certificate to log you on to the network XXXX"

    Do I need to issue a cert to the client before it is able to connect to wireless? Or is a cert not needed on the client for the setup I'm intending?

    If anything is unclear or more information is needed, please ask and I will do my best to clarify.



  • 2.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 19, 2016 12:48 PM
    What type of EAP authentication are you using, TLS or PEAP?

    I assume it is, but is that internal Root CA trusted on the wireless client?


  • 3.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 19, 2016 12:59 PM

    EAP-TLS is the authentication we would like to go for, as I understand it will provide some extra security over PEAP without delaying the user from accessing the SSID.

    The Internal Root CA (AD) is in the Trusted Root Certification Authorities on the client.

    Thank you,



  • 4.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 19, 2016 01:25 PM
    So you can implement this using either ADCS/Group Policy cert autoenrollment for AD users and domain computers, or just cert autoenrollment for domain computers.

    For either option you will need to configure a cert template in ADCS:

    https://technet.microsoft.com/en-us/library/dd379529(v=ws.10).aspx



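
The two questions in this exchange (does the client hold a cert that EAP-TLS can use, and is the internal root trusted on it) can be answered from the client itself. The script below is an added example, not code from the thread or from HPE/Aruba or Microsoft. It assumes AD CS autoenrollment via GPO is already configured and that the template carries the Client Authentication EKU; no template or CA names are taken from the thread, and the `certutil` call and event source are the standard Windows ones. It needs PowerShell 3 or later, so it runs on Windows 7 and up, not on the XP laptop mentioned in the first post.

```powershell
# Added example, not from the thread: check whether a Windows domain client has
# a certificate EAP-TLS can use and whether its issuing CA is trusted locally,
# then trigger AD CS autoenrollment if the user store has nothing usable.
# Assumes GPO autoenrollment and a template with the Client Authentication EKU
# are already configured (posts 4 and 5); no template or CA names are taken
# from the thread. Run in an ordinary (non-elevated) session for the user store.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU "Client Authentication"; Windows EAP-TLS requires it
$TemplateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')   # V2 template info, V1 template name

function Get-EapTlsCandidate {
    # Returns certs in the given store that have a private key, are within their
    # validity period, and carry the Client Authentication EKU. Anything else is
    # invisible to the EAP-TLS supplicant, which is what the "unable to find a
    # certificate" message means.
    param([Parameter(Mandatory)][string]$StorePath)   # Cert:\CurrentUser\My or Cert:\LocalMachine\My
    $now = Get-Date
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $ClientAuthOid)
    }
}

function Test-ChainToTrustedRoot {
    # Builds the chain the supplicant would build and reports whether the root
    # sits in a Trusted Root store (the "internal Root CA trusted on the client"
    # question from post 2).
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # match a real EAP peer, which checks revocation
    $built = $chain.Build($Cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        Template    = ($Cert.Extensions | Where-Object { $_.Oid.Value -in $TemplateOids } |
                       ForEach-Object { $_.Format($false) })
        ChainBuilt  = $built
        RootSubject = $root.Subject
        RootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
                        Where-Object Thumbprint -eq $root.Thumbprint)
        ChainStatus = (($chain.ChainStatus | ForEach-Object Status) -join ', ')
    }
}

$userCerts    = @(Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My')    # user authentication
$machineCerts = @(Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My')   # computer authentication

($userCerts + $machineCerts) | ForEach-Object { Test-ChainToTrustedRoot -Cert $_ | Format-List }

if ($userCerts.Count -eq 0) {
    # Pulse autoenrollment instead of waiting for the next GPO refresh. If still
    # no cert appears, the Application event log, source
    # CertificateServicesClient-AutoEnrollment, records why (usually the group
    # lacks Read + Enroll + Autoenroll on the template, or no CA publishes it).
    certutil -user -pulse
    Write-Warning 'No user certificate with a private key and the Client Authentication EKU was found; autoenrollment pulsed.'
}
```

A cert that shows up in `Get-EapTlsCandidate` but with `RootTrusted` false is the case where the supplicant finds a certificate but the ClearPass side will not be able to chain it; a cert that does not show up at all is the case the first post describes, and the warning branch is where to start.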


  • 5.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 19, 2016 03:33 PM

    I'll be trying to implement this for ADCS/GP cert autoenrollment for AD User (and domain PC if mandatory to create this rule).

    For the cert template, essentially, I would just add the group I created for the SSID Access Policy to the already active cert template I have for domain authentication (Domain Controller Authentication), and have that group enabled for autoenroll in its security?

    I believe I've gone through each of the steps listed for GP and the CA, and verified my config. My client is still receiving the same error of being unable to find the cert. I've only been teaching myself about certs over the past 48 hours and how to configure them between CA, servers, and clients, so I could very well be missing something important; still rather new to this.

    Thank you



  • 6.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 20, 2016 11:51 AM

    I had a bit of a mismatch on PEAP vs TLS settings. I've opted to put everything onto TLS.

    Now I'm able to connect, but only when Verify Server Certificate is disabled. I assume then that I will need to import the Clearpass RADIUS cert into AD to have this verification work successfully?

    Error message (edited domain and bind account):

    Active Directory - name.domain.com:636: account@domain.com bind failed - Can't contact LDAP server
    EAP-TLS: Authentication failure, unknown user

    Edit* https://support.microsoft.com/en-ca/kb/321051

    As per the above support article, I haven't seen it mentioned anywhere previously while setting up Clearpass, but it seems to be related. Will I need to create an LDAPS certificate on my DC server (same as LDAP), and import that to the Clearpass Trust List to allow TLS to occur with Verify Server Certificate?



  • 7.  RE: Clearpass 802.1x AD auth certificates

    EMPLOYEE
    Posted Oct 20, 2016 03:59 PM

    Have you tried just using plain 389, LDAP, instead of 636?  You would typically use 636 if the network between your ClearPass server and your LDAP server is not trusted.



  • 8.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 24, 2016 10:57 AM

    @cjoseph I'm able to successfully authenticate if I don't have the "Verify Server Certificate" option enabled, so before I continue troubleshooting and changing ports to try to get this setting to work, I'd like to know what this option is actually doing for both PEAP and TLS.

    Is it an important setting to have "Verify Server Certificate" enabled for either authentication type, or something that can be left disabled?

    Also, I've noticed when I'm authenticating against TLS my authentication fails on some accounts. The failing and successful accounts are located in the same location in the DC and have the same roles; the only difference is the display name format (not account name). Is this something I need to address in the service I created for 802.1x under authentication "strip username rules"? I would have thought Clearpass would just use the account name for all scenarios, not the display name.



  • 9.  RE: Clearpass 802.1x AD auth certificates

    EMPLOYEE
    Posted Oct 24, 2016 11:47 AM

    Screenshot of where you are checking/unchecking Validate Server Certificate, please?



  • 10.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 24, 2016 11:50 AM

    This is from my authentication source I created for our AD

    [screenshot: 2016-10-24_11h47_46.png]



  • 11.  RE: Clearpass 802.1x AD auth certificates
    Best Answer

    EMPLOYEE
    Posted Oct 24, 2016 11:59 AM

    You could do none and port 389 for security if the network between ClearPass and your AD is trusted. There is no functional need to use anything else if that is the case.

    That LDAP server is used to look up user accounts in AD before 802.1x is performed. If you enable SSL and 636, you need to have the CA cert of the LDAP box imported into the ClearPass trusted authorities like TCapp said...



  • 12.  RE: Clearpass 802.1x AD auth certificates

    Posted Oct 24, 2016 12:46 PM

    LDAP/DC are all the same box for us, under 1 cert, which has its full trust chain imported into the Clearpass trust list. I have SSL enabled, and 636. This works as expected. Once I checkmark Verify Server Certificate, then I will receive the authentication issues.

    So the only thing this setting does is a form of certificate handshake, which means something done incorrectly with importing the cert to Clearpass would cause it to fail?



  • 13.  RE: Clearpass 802.1x AD auth certificates

    EMPLOYEE
    Posted Oct 24, 2016 01:08 PM

    Correct.
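
What "Verify Server Certificate" adds on top of SSL to 636 is exactly two checks: the DC's certificate must chain to a CA in the ClearPass trust list, and the name ClearPass connects to must be one of the names in that certificate. With the box off, the bind is encrypted but any certificate is accepted, so a host impersonating the DC on 636 would get the bind credentials. The script below is an added example, not code from the thread or from HPE/Aruba, and reproduces both states from a Windows admin host so the failure reason is visible instead of a bare "Can't contact LDAP server". `$DcHost` is a placeholder; it should be the exact name used in the ClearPass authentication source. The chain is built against the Windows host's own trust stores, which is a stand-in for the ClearPass trust list, and the SAN parsing relies on the Windows `Format()` output of the extension.

```powershell
# Added example, not from the thread: do from a Windows admin host what the
# ClearPass "Verify Server Certificate" option does against the DC on TCP 636,
# and print the chain so it is clear which CA cert must be in the ClearPass
# trust list. $DcHost is a placeholder; use the exact name ClearPass has in the
# authentication source, because verification compares that name with the cert.

$DcHost = 'dc01.domain.com'

function Get-LdapsServerCertificate {
    # Completes a TLS handshake on port 636 and returns the server certificate.
    # The callback accepts everything so the handshake completes; validation is
    # done explicitly in Test-LdapsServerCertificate so the failure reason is visible.
    param([Parameter(Mandatory)][string]$Hostname, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Hostname)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-LdapsServerCertificate {
    # With -VerifyServerCertificate off this is what the unchecked box gives you:
    # the bind is encrypted but any certificate is accepted. With it on, the
    # chain must build to a trusted CA and the connected name must match.
    param([Parameter(Mandatory)][string]$Hostname,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [switch]$VerifyServerCertificate)

    if (-not $VerifyServerCertificate) {
        return [pscustomobject]@{ Accepted = $true; Reason = 'verification disabled: any certificate accepted' }
    }

    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)   # uses this host's trust stores as a stand-in for the ClearPass trust list
    $chainSubjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

    # Names the cert is valid for: SAN dNSName entries (Windows Format() output
    # looks like "DNS Name=dc01.domain.com, DNS Name=domain.com"), plus the CN.
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ', ') |
                  Where-Object { $_ -like 'DNS Name=*' } |
                  ForEach-Object { ($_ -split '=', 2)[1] }
    }
    $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk = ($names -contains $Hostname)   # exact match only; wildcards are not handled here

    [pscustomobject]@{
        Accepted    = ($chainOk -and $nameOk)
        ChainBuilt  = $chainOk
        ChainStatus = (($chain.ChainStatus | ForEach-Object Status) -join ', ')
        NameMatches = $nameOk
        CertNames   = ($names | Select-Object -Unique)
        Chain       = $chainSubjects   # last entry is the root CA to import into ClearPass
    }
}

$cert = Get-LdapsServerCertificate -Hostname $DcHost
Test-LdapsServerCertificate -Hostname $DcHost -Cert $cert                          | Format-List
Test-LdapsServerCertificate -Hostname $DcHost -Cert $cert -VerifyServerCertificate | Format-List
```

`ChainBuilt` false with a status such as `UntrustedRoot` or `PartialChain` is the "CA cert not imported" case from the best answer. `NameMatches` false with the chain fine is the other common cause of the same symptom: the authentication source points at an IP address or a short name that is not in the DC certificate's SAN, and the fix is to use the FQDN there rather than to disable verification.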



  • 14.  RE: Clearpass 802.1x AD auth certificates

    EMPLOYEE
    Posted Oct 20, 2016 04:35 PM
    Yes, the LDAP server certificate should be imported into the trust list.