Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass EAP-TLS configuration guide

  • 1.  Clearpass EAP-TLS configuration guide

    Posted Sep 30, 2016 12:57 AM

    Hi there


    New to the forums and very new to ClearPass, so please bear with me for a moment. Hoping I'm able to get led in the right direction.


    At the moment I'm trying to set up wired EAP-TLS in a lab environment before implementing it in our production environment. I've set up a DC as a CA with autoenrollment for computer certificates. I have joined CP to the domain and imported a subordinate CA certificate as well. The next part I'm confused about is how to get ClearPass to authenticate the computer using EAP-TLS with a Cisco 2960X switch as the NAD.


    After selecting the authentication method as EAP-TLS (Common name), what would the authentication source be? The DC?

    What role and enforcement are meant to be configured? The 802.1X wired wizard doesn't really help much, and there isn't much information or many examples on the web to fully understand the configuration of things.


    Any help would be greatly appreciated. I've also engaged my Aruba sales rep, but he is currently on vacation, so I thought I'd post here for some help.



  • 2.  RE: Clearpass EAP-TLS configuration guide

    EMPLOYEE
    Posted Sep 30, 2016 01:10 AM
    If the certs are from ADCS, you would use AD as the auth source. The enforcement profiles are what you're returning to the switch. So a VLAN or dACL in the case of a Cisco switch.


  • 3.  RE: Clearpass EAP-TLS configuration guide
    Best Answer

    EMPLOYEE
    Posted Sep 30, 2016 09:44 AM

    Indeed, use AD if your certificates are AD provisioned (or Onboard provisioned based on an AD account), as that allows you to do the 'Authorization Required' and 'Certificate Comparison' check that can be configured in the EAP-TLS authentication method for ClearPass.


    In the (rare) case that you got your certificates from a different source which has no relation to AD, you can pick any authentication source. The local user DB is the easy choice. You are correct that EAP-TLS requires an authentication source to be configured, but unless you do the 'Authorization' or 'Comparison', the configured database will not be used during the authentication.


    If you do Authorization, the username used during authentication must be configured in one of the Service's Authentication Sources.
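The replies above describe the ClearPass side (EAP-TLS method, AD as the authentication source, an enforcement profile that returns a VLAN or dACL). For completeness, here is a minimal NAD-side configuration for a Cisco 2960-X that sends wired 802.1X requests to ClearPass and honours what the enforcement profile returns. This is an added example and is not part of the thread or of any HPE Aruba or Cisco documentation; the ClearPass address 192.0.2.10, the shared secret, the interface, and the VLAN IDs are placeholders to be replaced with your own values.

```cisco
! Added example (not from the thread): Cisco IOS 802.1X wired setup
! pointing a 2960-X at ClearPass as its RADIUS server.
! 192.0.2.10, the shared secret, interface and VLAN IDs are placeholders.
aaa new-model
!
radius server CLEARPASS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
aaa group server radius CLEARPASS-GROUP
 server name CLEARPASS
!
! Authentication (EAP passthrough), authorization (VLAN/dACL from the
! enforcement profile) and accounting all go to ClearPass.
aaa authentication dot1x default group CLEARPASS-GROUP
aaa authorization network default group CLEARPASS-GROUP
aaa accounting dot1x default start-stop group CLEARPASS-GROUP
!
! Enable 802.1X globally on the switch.
dot1x system-auth-control
!
! Access port for a domain-joined PC. VLAN 999 is a placeholder holding
! VLAN used until ClearPass returns an Access-Accept with a VLAN.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 999
 authentication port-control auto
 dot1x pae authenticator
 authentication periodic
 authentication timer reauthenticate server
!
! For a dynamic VLAN assignment, the ClearPass enforcement profile
! (RADIUS Access-Accept) carries the standard tunnel attributes:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-Id = 20        (placeholder VLAN ID)
! For a downloadable ACL instead, the profile carries Cisco-AVPair
! attributes of the form ip:inacl#<n>=<ace>, for example:
!   Cisco-AVPair = ip:inacl#1=permit ip any any
```

The `aaa authorization network` line is the one that lets the switch apply the returned VLAN or dACL; without it the port authenticates but stays in the holding VLAN. Verify the exchange from the switch with `show authentication sessions interface GigabitEthernet1/0/1 details`, and on ClearPass confirm in Access Tracker that the EAP-TLS request hit the intended service, that the AD authorization lookup succeeded when 'Authorization Required' is enabled, and that the expected enforcement profile was returned.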