New Contributor

ClearPass RADIUS Server for user authentication in an AD domain

Domain: Education K-12

 

We have a set of 24 laptops which will be shared by students. Currently the network is set up with a Microsoft NPS server for RADIUS authentication. We are trying to implement user authentication with ClearPass.

 

Steps taken

1) Created separate SSIDs for students and staff in Aruba Central pointing to the ClearPass auth server.

2) Created a GPO to implement 802.1X via user authentication.

3) Created user roles in Central to direct the users to specific web services in ClearPass (student-ws, staff-ws).

4) Created enforcement profiles in ClearPass to categorize devices and point them to the correct setup (via Aruba support).

 

Now the issue happens when a staff member logs out of the machine and a student tries to log in: he can't log on, and it says there is no connection to the domain network.

While checking the Access Tracker, it shows that the machine (student) is trying to connect via the staff profile and is rejected.

 

What I am trying to achieve is this: those machines are school owned, but whenever someone uses them I need to get the user details.

 

I am not sure whether the WAP is giving the wrong role to ClearPass.

 

Right now, while checking Aruba Central, those SSIDs are not visible under the WLAN settings either.

 

Just wondering whether someone has come across this issue.

Guru Elite

Re: ClearPass RADIUS Server for user authentication in an AD domain

The client laptop needs to be configured for machine authentication, and ClearPass needs to be configured to process machine authentication (allow authentication from the AD group Domain Machines). If machine authentication is not configured, new users cannot log in to the laptop wirelessly without using a wired connection.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
New Contributor

Re: ClearPass RADIUS Server for user authentication in an AD domain

Is there a way in which we can use machine authentication first and then user authentication? We need user details for audit purposes.

Guru Elite

Re: ClearPass RADIUS Server for user authentication in an AD domain

The client device (Windows) can be configured for machine and user authentication.


Moderator

Re: ClearPass RADIUS Server for user authentication in an AD domain

@itguru, to your request for machine AND user authentication:

 

This is best accomplished via TEAP. It's a very recent 802.1X Windows 10 supplicant enhancement; it came out about 2 months back. We added the capability for TEAP to CPPM 6.9, as we worked directly with the Microsoft Windows development team on this feature. What you're asking for is generally referred to as EAP chaining.

 

For example, as part of the inner EAP authentication, you could initially perform EAP-TLS to use a machine cert to validate the device, then use EAP-TLS or EAP-MSCHAPv2 to validate the user.


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
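The two designs discussed in this thread, as a Python model that is an added example and not code from the thread, from Aruba or from ClearPass: the first answer's machine authentication, where machine and user logons are two separate EAP sessions that the server can only correlate through a per-MAC cache, and the TEAP EAP chaining the moderator describes, where both inner methods complete inside one session. The AD directory, the AD group name "Domain Computers", the host name, MAC addresses, role names and the credential checks are all constructed stand-ins.

```python
"""Two ways a RADIUS server can tie a user logon to a school-owned laptop.

Added example for this thread; it is not ClearPass code or Aruba's policy
model. The directory, the endpoint cache and the TEAP exchange are simulated
with plain Python, and every host name, MAC address and group name is made up.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the AD domain. Windows presents the computer account
# as host/<fqdn> during machine authentication and DOMAIN\user at user logon.
AD_GROUPS = {
    "host/lab-lt-07.school.local": {"Domain Computers"},
    "SCHOOL\\jsmith": {"Staff"},
    "SCHOOL\\s1234": {"Students"},
}

def is_domain_computer(identity: Optional[str]) -> bool:
    return identity is not None and "Domain Computers" in AD_GROUPS.get(identity, set())

def role_for_user(identity: str) -> Optional[str]:
    """Map the user's AD group to the role returned to the AP (role names assumed)."""
    groups = AD_GROUPS.get(identity, set())
    if "Staff" in groups:
        return "staff-role"
    if "Students" in groups:
        return "student-role"
    return None

# --- Approach 1: machine-or-user authentication (two separate EAP sessions) ---
# Machine auth happens at boot with nobody logged on; user auth happens at logon.
# The server sees two unrelated sessions and can only link them by endpoint MAC.

@dataclass
class MachineAuthCache:
    by_mac: dict = field(default_factory=dict)  # MAC -> host identity

def authorize_separate(cache: MachineAuthCache, mac: str, identity: str):
    """Decide one Access-Request; returns (role, audit record)."""
    if identity.startswith("host/"):
        if not is_domain_computer(identity):
            return "reject", {"mac": mac, "device": None, "user": None}
        cache.by_mac[mac] = identity
        return "machine-role", {"mac": mac, "device": identity, "user": None}
    role = role_for_user(identity)
    device = cache.by_mac.get(mac)
    if role is None:
        return "reject", {"mac": mac, "device": device, "user": identity}
    if device is None:
        # Valid user credential from a MAC that never machine-authenticated, i.e.
        # a personal device using a school password: restrict rather than grant.
        return "quarantine-role", {"mac": mac, "device": None, "user": identity}
    return role, {"mac": mac, "device": device, "user": identity}

# --- Approach 2: TEAP with EAP chaining (one session, two inner methods) ---

@dataclass
class TeapResult:
    device: Optional[str]
    user: Optional[str]
    role: str

def authorize_teap(machine_cert_subject: Optional[str], user_identity: str,
                   user_cred_ok: bool) -> TeapResult:
    """Inner method 1 proves the device, inner method 2 proves the user, and the
    server sends its final result only after both, so no cross-session cache is
    needed and the audit record carries both identities from a single session."""
    # Inner method 1: EAP-TLS with the machine certificate, reduced here to its
    # subject; a real server validates the chain and EKU before consulting AD.
    if not is_domain_computer(machine_cert_subject):
        return TeapResult(None, None, "reject")
    # Inner method 2: EAP-TLS or EAP-MSCHAPv2 for the user; the credential check
    # is a boolean stand-in. A failed inner method fails the whole session.
    if not user_cred_ok:
        return TeapResult(machine_cert_subject, None, "reject")
    role = role_for_user(user_identity)
    if role is None:
        return TeapResult(machine_cert_subject, user_identity, "reject")
    return TeapResult(machine_cert_subject, user_identity, role)

def demo_separate():
    """The thread's scenario: boot, staff logon, then staff logoff/student logon."""
    cache = MachineAuthCache()
    lab = "00:11:22:33:44:55"
    requests = [
        (lab, "host/lab-lt-07.school.local"),     # boot: machine auth
        (lab, "SCHOOL\\jsmith"),                  # staff logs on
        (lab, "SCHOOL\\s1234"),                   # staff logs off, student logs on
        ("66:77:88:99:aa:bb", "SCHOOL\\jsmith"),  # staff password on a personal phone
    ]
    return [authorize_separate(cache, mac, ident) for mac, ident in requests]

def demo_teap():
    return [
        authorize_teap("host/lab-lt-07.school.local", "SCHOOL\\s1234", True),
        authorize_teap(None, "SCHOOL\\jsmith", True),  # no machine certificate
        authorize_teap("host/lab-lt-07.school.local", "SCHOOL\\jsmith", False),
    ]

if __name__ == "__main__":
    for role, audit in demo_separate():
        print(f"{role:16} {audit}")
    for result in demo_teap():
        print(result)
```

In the first model the student logon on the lab laptop succeeds only because the laptop's MAC is still in the machine-auth cache from boot; the same staff password from an unknown MAC lands in the restricted role, and each audit record pairs the user with the cached device identity. In the TEAP model there is nothing to cache: a missing machine certificate or a failed user credential rejects the single session, and a successful one yields both identities together.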
New Contributor

Re: ClearPass RADIUS Server for user authentication in an AD domain

Danny,

 

This is slightly off the subject, but I wanted to confirm that while TEAP is a mechanism allowing simultaneous chained authentications from a client device, it still doesn't make MSCHAPv2 as secure as a certificate passing through the TLS tunnel. In other words, when using TEAP with MSCHAPv2 as an inner method, do we still have the same security concerns as with EAP-PEAP?

Moderator

Re: ClearPass RADIUS Server for user authentication in an AD domain

So you can elect to use EAP-TLS for both the machine and user inner authN.

 

I was just providing an example, but the world today in enterprise land for 802.1X is still, unfortunately, predominantly using username/password for creds; the move to certs is happening, but too slowly for my liking.

 
