Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass TLS config required.

  • 1.  Clearpass TLS config required.

    Posted May 11, 2018 04:14 PM

    Hi community. I'm trying to connect devices to an SSID using EAP-TLS.

    This is what I did:

    1. Create a CSR on ClearPass.

    2. Request a web-server certificate on my ADCS.

    3. Import the certificate to the trust list on ClearPass.

    4. Import the certificate as the RADIUS server certificate.

    5. Create a wireless service with TLS authentication and AD as auth source.

    6. On the client I configured the 802.1X profile as follows:

    (screenshot: Sin título.png)

    Then when I try to connect, the client says "Unable to connect to this network".

    I'm new to EAP-TLS so I don't know if I'm doing something wrong. Currently I'm using EAP-PEAP but we want to increase our security.

    Thank you so much in advance.



  • 2.  RE: Clearpass TLS config required.

    EMPLOYEE
    Posted May 11, 2018 10:44 PM

    What does your service look like on the authentication tab?



  • 3.  RE: Clearpass TLS config required.

    MVP EXPERT
    Posted May 13, 2018 01:04 PM

    Be sure you have a GPO policy to auto-enroll both "computer" and "user" certificates to your endpoints.

    Please make some screenshots of your service.

    (screenshot: Knipsel2.JPG)



  • 4.  RE: Clearpass TLS config required.

    EMPLOYEE
    Posted May 13, 2018 01:07 PM
    If these are shared computers, PEAPv0/EAP-MSCHAPv2 is recommended with Computer + User.

    You will have challenges with EAP-TLS with Computer + User on shared devices.


  • 5.  RE: Clearpass TLS config required.

    MVP EXPERT
    Posted May 13, 2018 01:55 PM

    He added the local CA cert to his client, so it isn't exposed as a BYOD device in this case.

    PEAPv0/EAP-MSCHAPv2 isn't really secure for BYOD devices. Yes, you can tweak this down, but an end user can always change these settings, and not all operating systems handle it in the same way.

    Some good information here...

    https://community.arubanetworks.com/t5/Technology-Blog/How-secure-is-your-EAP-PEAPv0-deployment/ba-p/216683

    For BYOD you can still use EAP-TLS by using CP Onboarding, but this is a licensed feature.



  • 6.  RE: Clearpass TLS config required.

    Posted May 14, 2018 10:52 AM

    Thank you all.

    This is how my authentication tab looks:

    (screenshot: tls.PNG)

    I think the problem is with the user certificate; at this moment I'm not sure where and how I can generate it. I guess using ADCS?

    At this moment these are single-user computers.



  • 7.  RE: Clearpass TLS config required.
    Best Answer

    MVP EXPERT
    Posted May 14, 2018 05:17 PM

    Yes, you need an ADCS and to enroll both computer and user certificates to the clients.

    After ADCS is set up correctly, the CA cert is most likely automatically installed on the client when it joins the AD.

    Most likely you will use a GPO policy to auto-enroll the certificates to the clients and configure the interface for 802.1X. But that is a little more configuration.
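    A quick way to confirm, on a Windows client, that the auto-enrollment described in this answer actually produced a certificate the supplicant can use for EAP-TLS. This is an added example for the thread, not ClearPass or ADCS tooling; the CA subject pattern is a placeholder you must replace with your own CA name.

```powershell
# Added example (not from the thread): check whether a Windows client holds a
# certificate usable for EAP-TLS after ADCS auto-enrollment via GPO.
# Assumption: the issuing CA's subject contains 'ADCS-CA' (placeholder, replace it).
$CaSubjectPattern = 'ADCS-CA'
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required on supplicant certs

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-EapTlsClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key, the supplicant cannot use it' }
    # The ADCS "Web Server" template only carries Server Authentication; the client
    # side needs a User/Computer template that includes Client Authentication.
    if ((Get-EkuOids $Cert) -notcontains $ClientAuthOid) { $problems += 'missing Client Authentication EKU' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
    # The chain must build against the machine trust stores, which the AD join / GPO
    # normally populates with the issuing CA and its root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $status"
    }
    return ,$problems
}

# User certificates live in the user store, computer certificates in the machine store;
# the GPO should populate both.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = Get-ChildItem $store | Where-Object { $_.Issuer -match $CaSubjectPattern }
    if (-not $certs) { Write-Output "$store : no certificate issued by a CA matching '$CaSubjectPattern'"; continue }
    foreach ($c in $certs) {
        $problems = Test-EapTlsClientCert $c
        if ($problems.Count -eq 0) { Write-Output "$store : '$($c.Subject)' is usable for EAP-TLS" }
        else { Write-Output "$store : '$($c.Subject)' -> $($problems -join '; ')" }
    }
}
```

    Run it in the user's session for the user certificate and in an elevated session for the computer certificate; an empty machine store is the usual reason for "Unable to connect to this network" with Computer + User.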



  • 8.  RE: Clearpass TLS config required.

    Posted May 14, 2018 06:22 PM

    Ok marcelkoedijk, I will ask the AD administrator to configure the ADCS service to enroll the certificates to the clients and then try again.

    Thank you for your help.