Frequent Contributor I

Clearpass TLS config required.

Hi community. I'm trying to connect devices to an SSID using EAP-TLS.

 

This is what I did:

1. Create a CSR on ClearPass.

2. Request a web-server certificate on my ADCS.

3. Import the certificate to the trust list on ClearPass.

3. Import the certificate to the radius server certificate.

4. Create a wireless service with tls authentication and AD as Auth source.

5. On the client I configured the 802.1X profile as follows:

Sin título.png

Then when I try to connect the client says "Unable to connect to this network".

I'm new to EAP-TLS so I don't know if I'm doing something wrong. Currently I'm using EAP-PEAP but we want to increase our security.

 

Thank you so much in advance.

Guru Elite

Re: Clearpass TLS config required.

What does your service look like on the authentication tab?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
mkk
Contributor II

Re: Clearpass TLS config required.

Be sure you have a GPO policy to auto enroll both "computer" and "user" certificates to your endpoints.

 

Please make some screenshots of your service.

  

Knipsel2.JPG

Guru Elite

Re: Clearpass TLS config required.

If these are shared computers, PEAPv0/EAP-MSCHAPv2 is recommended with Computer + User.

You will have challenges with EAP-TLS with Computer + User on shared devices.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
mkk
Contributor II

Re: Clearpass TLS config required.

He added the local CA cert to his client, so it isn't exposed as a BYOD device in this case.

PEAPv0/EAP-MSCHAPv2 isn't really secure for BYOD devices. Yes, you can tweak this down, but an end user can always change these settings, and not all operating systems handle it in the same way.

 

Some good information here...

https://community.arubanetworks.com/t5/Technology-Blog/How-secure-is-your-EAP-PEAPv0-deployment/ba-p/216683

 

For BYOD you can still use EAP-TLS by using CP Onboarding, but this is a licensed feature.

Frequent Contributor I

Re: Clearpass TLS config required.

Thank you all.

 

This is what my authentication tab looks like:

tls.PNG

I think the problem is with the user certificate. At this moment I'm not sure where and how I can generate it; I guess using ADCS?

 

At this moment these are single user computers.

mkk
Contributor II

Re: Clearpass TLS config required.

Yes, you need an ADCS and enroll both computer and user certificates to the clients.

After ADCS is set up correctly, the CA cert is most likely automatically installed on the client when it joins the AD.

 

Most likely you will use GPO policy to auto enroll the certificates to the clients and configure the interface for 802.1x. But that is a little more configuration.

Frequent Contributor I

Re: Clearpass TLS config required.

Ok marcelkoedijk, I will ask the AD administrator to configure the ADCS service to enroll the certificates to the clients and then try again.

 

Thank you for your help.
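
An added example, not part of the original thread: once ADCS/GPO auto-enrollment is in place, this PowerShell check lists which certificates in the computer and user stores of a Windows client are usable for EAP-TLS client authentication. The function name `Test-EapTlsClientCert` is hypothetical, and the check assumes the client certificate must carry the Client Authentication EKU (or no EKU restriction), a private key, and a current validity period.

```powershell
# Added example: verify that auto-enrolled computer and user certificates
# are usable as EAP-TLS client certificates on this Windows endpoint.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-EapTlsClientCert {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $now = Get-Date
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    # A certificate without an EKU extension is not restricted to any purpose.
    $ekuOk = (-not $ekuExt) -or
             ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = [bool]$ekuOk
        InValidity    = ($Cert.NotBefore -le $now -and $now -le $Cert.NotAfter)
    }
}

# LocalMachine\My holds the computer certificate, CurrentUser\My the user one.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    $results = @(Get-ChildItem -Path $store | ForEach-Object { Test-EapTlsClientCert -Cert $_ })
    $usable  = @($results | Where-Object {
        $_.HasPrivateKey -and $_.ClientAuthEku -and $_.InValidity
    })

    Write-Output "${store}: $($usable.Count) usable of $($results.Count) certificate(s)"
    $results | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ClientAuthEku, InValidity -AutoSize

    if ($usable.Count -eq 0) {
        Write-Warning "No certificate in $store can be presented for EAP-TLS; check enrollment."
    }
}
```

The Issuer column should name the ADCS CA whose certificate was imported into the ClearPass trust list; a store reporting zero usable certificates means enrollment for that identity (computer or user) has not completed.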
