Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Revoked or Expired Certificate Role

  • 1.  Clearpass Revoked or Expired Certificate Role

    Posted Nov 19, 2015 11:23 AM

    Hi All

     

    I'm trying to work around the situation where a Clearpass onboarded certificate has become revoked or has expired. Is there any way of creating a role which forces onboarded devices with a revoked or expired certificate to a reprovision page?

     

    I've read the following, which describes sending emails to the user for the x number of weeks leading up to certificate expiry. This is something we will implement; however, the customer has some departmental devices with generic accounts, so the end user does not get the notification email.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/td-p/93548/highlight/true

     

    Also some devices hide in drawers for weeks on end and the certificate gets revoked through inactivity.  We're reluctant to increase the inactivity period as this will have an impact on the Onboard licensing count.

     

    I had created a test enforcement policy whereby, if the outer authentication method was TLS and the auth status failed, it returned a pre-provisioning profile. I can see the RADIUS response in the Access Tracker returning this role, though I suspect that, as the Login Status is REJECT, this is preventing it from being sent to the controller.

     

    Is the only alternative, when dealing with Apple smart devices, to manually delete the profiles and reprovision?

     

    Many thanks

     

    Mark



  • 2.  RE: Clearpass Revoked or Expired Certificate Role
    Best Answer

    Posted Nov 19, 2015 11:33 AM

    When a certificate is revoked or expired, it results in an access reject message.   Even if we were able to write policy based on the error code to return a role to the controller, we can't change the access reject message, so the role application would not apply.

     

    As an alternative you could try and re-enroll devices at some interval prior to expiration to try and catch them before they expire.   See

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/td-p/93548

     for some thoughts on this.



  • 3.  RE: Clearpass Revoked or Expired Certificate Role

    EMPLOYEE
    Posted Nov 19, 2015 11:35 AM

    Just to add: This is a limitation of 802.1X. Authentication can either pass or fail. If authentication fails, that is the end of the road.



  • 4.  RE: Clearpass Revoked or Expired Certificate Role

    Posted Nov 19, 2015 11:37 AM

     

    You could apply a rule using the Time calculator as an Authorization source

    [Screenshot: Screen Shot 2015-11-19 at 11.32.57 AM.png]

    You could send an Enforcement profile with a user-role that will redirect the user to the portal to re-onboard the device

    [Screenshot: Screen Shot 2015-11-19 at 11.28.13 AM.png]



  • 5.  RE: Clearpass Revoked or Expired Certificate Role

    Posted Nov 19, 2015 01:03 PM

    Hi All

     

    Many thanks for replying so quickly, the speed of the response on here is always impressive.

     

    Will the time rule work when the cert has expired or has been revoked or will the Reject take precedence?  I've not been able to get this to work.

     

    Thanks

     

    Mark



  • 6.  RE: Clearpass Revoked or Expired Certificate Role

    Posted Nov 19, 2015 01:46 PM

    No, once it is expired or revoked it will result in a failed authentication.  The time source solution and the solutions in the link above are to pre-empt the expiration.
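
As an added illustration (not ClearPass code and not anything posted in this thread), the following Python models the ordering the replies describe: EAP-TLS authentication is decided first, so an expired or revoked certificate ends in an Access-Reject that can carry no role, while a rule comparing Certificate:Not-Valid-After against the current time can only act on a certificate that still authenticates, which is why it has to run inside a pre-emption window before expiry. The certificate attributes are reduced to plain dictionary keys, the role names and the 14-day window are assumptions, and the sample requests are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical role names for this illustration (not from the thread).
REPROVISION_ROLE = "Cert-Expiring-Reprovision"   # user-role that redirects to the Onboard portal
NORMAL_ROLE = "Onboarded-Device"                 # normal post-authentication role


def parse_not_valid_after(value: str) -> datetime:
    """Parse a Certificate:Not-Valid-After value written as ISO 8601 UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authenticate(cert: dict, now: datetime) -> bool:
    """Model the EAP-TLS authentication step.

    An expired or revoked certificate fails here, before any authorization
    rule is consulted; this is the "end of the road" the replies describe.
    The "Revoked" key is a constructed stand-in for a CRL/OCSP result.
    """
    if cert.get("Revoked", False):
        return False
    return now < parse_not_valid_after(cert["Not-Valid-After"])


def evaluate(cert: dict, now: datetime, window_days: int = 14) -> Tuple[str, Optional[str]]:
    """Return (RADIUS result, role) for one EAP-TLS request.

    window_days is the pre-emption window: a certificate that is still valid
    but expires within this many days gets the re-provision role so the
    device is redirected to re-onboard while it can still authenticate.
    """
    if not authenticate(cert, now):
        # A reject carries no role; nothing evaluated here can redirect the device.
        return ("Access-Reject", None)

    remaining = parse_not_valid_after(cert["Not-Valid-After"]) - now
    if remaining <= timedelta(days=window_days):
        return ("Access-Accept", REPROVISION_ROLE)
    return ("Access-Accept", NORMAL_ROLE)


if __name__ == "__main__":
    # Constructed sample requests; the clock is set near the thread date.
    now = datetime(2015, 11, 19, 11, 0, tzinfo=timezone.utc)
    samples = {
        "healthy": {"Not-Valid-After": "2016-06-01T00:00:00Z"},
        "expiring soon": {"Not-Valid-After": "2015-11-25T00:00:00Z"},
        "expired": {"Not-Valid-After": "2015-11-01T00:00:00Z"},
        "revoked (inactivity)": {"Not-Valid-After": "2016-06-01T00:00:00Z", "Revoked": True},
    }
    for label, cert in samples.items():
        print(f"{label:22} -> {evaluate(cert, now)}")
```

The "expired" and "revoked" cases never reach the window rule, which matches the behaviour reported in the thread: a role configured on the Not-Valid-After condition only ever fires for a device that is still within its validity period.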



  • 7.  RE: Clearpass Revoked or Expired Certificate Role

    Posted Nov 19, 2015 02:21 PM

    Many thanks for confirming Chris.  Much appreciated.



  • 8.  RE: Clearpass Revoked or Expired Certificate Role

    Posted Nov 24, 2015 01:56 PM

    Hi All

    Apologies for revisiting this, but is there anything else I need to add to the above enforcement policy to get it to work? We're using 6.5.2, so am I right in assuming Time Source has replaced Time Calculator? Do I need to modify any of the Time Source attributes?

     

    I've tried both Cert Expiry as a Role and an Enforcement Policy, but CPPM ignores it despite having Certificate:Not-Valid-After set.

     

    [Screenshot: Not-Valid-After.jpg]

    I've configured the following enforcement:

    [Screenshot: Enforcement.JPG]

    Below is the Tips Role:

    [Screenshot: role.JPG]

    Both appear to get ignored. I can't see what I'm doing wrong.

     

    Any help would be greatly appreciated. 

     

    Thanks

     

    Mark