Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

  • 1.  Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

    Posted Apr 06, 2016 11:47 AM

    Hey, everyone!


    I have a working service in Clearpass that authorizes Guest Operators against a generic LDAP. In the dev environment we were able to connect via a password. In order to move to the production environment, we need to install a cert provided by our PKI and use StartTLS with the LDAP directory.

    Where do I install that cert? I thought it might be the RADIUS server certificate, but the install fails with the error that the cert I'm importing is not appropriate for use with Web Servers. It is true that my cert does not have the extended usage 'TLS Web Server Authentication', but that's not what the RADIUS server is doing anyway??

    What am I doing wrong here? Where should my cert be installed?



  • 2.  RE: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

    EMPLOYEE
    Posted Apr 06, 2016 11:59 AM

    Are you trying to authenticate to an LDAP server over port 686? The LDAP server must have a server certificate, and the ClearPass server must have the CA certificate for the server cert that was issued to the LDAP server imported into Administration > Certificates > Trust List.

    If that is not what you mean, please let us know...



  • 3.  RE: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

    Posted Apr 12, 2016 03:26 PM

    I'm sorry it has taken me so long to respond to this. Thank you again for taking the time.

    The issue is that I have been given both a 'server' certificate to identify the LDAP directory to Clearpass and a 'client' certificate that will identify Clearpass to the LDAP server. Encryption and authentication both ways, without the need for passwords.

    I can't replace the RADIUS server cert, because the cert from LDAP only has the 'client' usage. Even if I did replace the RADIUS cert, I could only do that once, and therefore could only do client auth to one such data store at a time. While the directory admins have allowed, in very few cases, password binds for applications that don't support client-based auth, those passwords are all stored as sha-512 hashes (which Clearpass does not currently support).

    I need to find out if there IS some way to implement a client cert for StartTLS, and if not, get some sense of which feature (client-based auth for LDAP or sha-512 for passwords) is more likely to be pursued should I make the request.
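As an added example (not from the thread and not HPE Aruba's own tooling), a shell check to run before importing anything into ClearPass: it classifies a PEM certificate by its extendedKeyUsage, which is the property behind the "not appropriate for use with Web Servers" error when a clientAuth-only cert is offered to the server-certificate slot, and it verifies an LDAP server's StartTLS chain against the CA bundle you intend to add to the Trust List. It assumes openssl 1.1.1+ on PATH; host names and file paths are placeholders, and the self-test certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example: inspect certificate EKU and LDAP StartTLS trust before a ClearPass import.
# Assumes openssl 1.1.1+ (for "x509 -ext" and "req -addext").
set -eu

# Return 0 if the certificate's EKU extension names the given purpose text,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$2"
}

# Print one of: server, client, both, none.
# "server" or "both" is what a server-certificate slot (RADIUS/HTTPS) will accept;
# "client" identifies the caller (e.g. ClearPass binding to LDAP) and is rejected there.
cert_role() {
  s=0; c=0
  if has_eku "$1" "TLS Web Server Authentication"; then s=1; fi
  if has_eku "$1" "TLS Web Client Authentication"; then c=1; fi
  case "$s$c" in
    11) echo both ;;
    10) echo server ;;
    01) echo client ;;
    *)  echo none ;;
  esac
}

# Return 0 if the LDAP server at host:port (389 for StartTLS) presents a chain that
# validates against the CA bundle you plan to import into the ClearPass Trust List.
check_starttls_chain() {
  openssl s_client -starttls ldap -connect "$1" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Constructed throwaway certificate for a self-test: $1 = output path prefix, $2 = EKU list.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" -days 1 \
    -subj "/CN=$(basename "$1")" -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Usage: sh eku_check.sh demo   (placeholder script name)
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_cert "$d/ldap-server" serverAuth
  make_demo_cert "$d/clearpass-client" clientAuth
  for f in "$d"/*.pem; do printf '%s: %s\n' "$(basename "$f")" "$(cert_role "$f")"; done
  rm -rf "$d"
fi
```

For a live directory, `check_starttls_chain ldap.example.internal:389 ca-bundle.pem` (placeholder names) tells you whether the CA file you are about to trust actually anchors the server's chain.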



  • 4.  RE: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

    Posted Jan 07, 2020 03:29 PM

    Hi Mark,

    Were you ever able to figure out a way to do this?

    Thanks,

    _ELiasz