
Clearpass TLS cert machine authentication

  • 1.  Clearpass TLS cert machine authentication

    Posted Oct 31, 2017 04:12 PM

    I am attempting to set up ClearPass for onboarding users with certs. I got it all working but ran into a slight issue I am not sure how to solve. I have Onboard set up to provision the cert to both user and machine. When the user is logged in (as user@domain) everything works fine. But when the user logs out, the machine sends auth as host/user@domain and the authentication fails with an alert of EAP-TLS user unknown.

    So I think my question is how to get cert-based machine auth working, if I can. Can I take the request in the format of host/user@domain and authenticate it based on a cert that was onboarded? The issue seems to be that the host/ is not stripped and is being used as the username. I am not super familiar with machine auth and have never done it with Onboard and certs.

    Ideally I would like to support both machine and user auth using certs, as long as I can do both auths via the Onboard cert database. I assume since I have the machine cert I would not have to use AD in order to do the auth?



  • 2.  RE: Clearpass TLS cert machine authentication

    EMPLOYEE
    Posted Oct 31, 2017 04:15 PM
    These are domain joined Windows machines?


  • 3.  RE: Clearpass TLS cert machine authentication

    Posted Oct 31, 2017 04:19 PM
    For this discussion let's say no. For the user side we do authenticate via AD, but we do not have the hooks in place to check machine status. I was hoping that since we have the machine cert in ClearPass Onboard we could avoid having to do the machine lookup in AD.


  • 4.  RE: Clearpass TLS cert machine authentication

    EMPLOYEE
    Posted Oct 31, 2017 04:21 PM

    So if they're not, then why are you trying to use machine authentication? Machine auth is a domain join only feature.

     

    Is the certificate in the user's name or the machine's name?



  • 5.  RE: Clearpass TLS cert machine authentication

    Posted Dec 18, 2018 06:12 PM

    Any resolution on this?  Having the same issue.

     

    thanks