Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass as CA + AD as authentication source

  • 1.  Clearpass as CA + AD as authentication source

    Posted Jun 26, 2015 12:10 PM

    Hi all,

    I need to do the following,

    1. AD as authentication source.

    2. Clearpass as Certificate authority.

     

    So the user has to have one valid AD account and a root CA from ClearPass.

    Is it possible?



  • 2.  RE: Clearpass as CA + AD as authentication source

    EMPLOYEE
    Posted Jun 26, 2015 12:15 PM
    What is the purpose of the CA? It is much easier to integrate the CA with AD..


  • 3.  RE: Clearpass as CA + AD as authentication source

    Posted Jun 26, 2015 12:21 PM

    I also suggested the same to the customer, but for some unknown reason their management wants this.

    So they want to do user authentication from AD but want to use Clearpass as CA server.

     



  • 4.  RE: Clearpass as CA + AD as authentication source

    EMPLOYEE
    Posted Jun 26, 2015 12:24 PM

    Again,

     

    Please find out what the purpose of the CA would be in their environment.  ClearPass as a CA would be mainly to issue EAP-TLS certificates to clients for Onboard.  It can issue EAP-TLS certificates outside of Onboard, but it would have to be manual.  If your customer wanted EAP-TLS certificates, it is much easier for the customer's AD to turn on autoenrollment in group policy to distribute those certificates automatically.

     

    Again, what is the purpose of the CA in your customer's environment?

     



  • 5.  RE: Clearpass as CA + AD as authentication source

    Posted Jun 26, 2015 01:03 PM

    Colin,

    Thanks for your quick response.

    When it comes to certificates, I'm a novice.

    Let me tell you what customer asked me.

    1. Machine authentication - against AD.

    2. User authentication - against AD.

    Each time there will also be one certificate authentication, and that is against ClearPass.

    They are saying that they will push the CPPM root CA to each machine so that the user can perform the cert authentication.

    Purpose, in the sense that they want a secure auth method for their privileged employees.

    They already have a CA, but for wireless, for some unknown reason, they don't want to use that.

     



  • 6.  RE: Clearpass as CA + AD as authentication source

    EMPLOYEE
    Posted Jun 26, 2015 01:07 PM

    If they want to do certificate-based authentication, you will have to push at least 3 certificates to each machine.

     

    1 Root CA certificate

    1 Machine certificate

    At least 1 user certificate



  • 7.  RE: Clearpass as CA + AD as authentication source

    Posted Jun 26, 2015 01:13 PM

    So if they push cert A to user A on machine A,

    user B cannot complete authentication on that machine until or unless user B manually installs cert B on that machine.

    Right?



  • 8.  RE: Clearpass as CA + AD as authentication source
    Best Answer

    EMPLOYEE
    Posted Jun 26, 2015 01:33 PM

    PEAP (username and password authentication) at minimum only requires that the client trusts the CA of the Radius Server.  If you use AD to configure your CA and to issue the server cert to your Radius Server, this happens automatically with all clients that have joined the domain.

     

    EAP-TLS (machine or user certificate authentication) at minimum requires the client trust the CA of the radius server, and also that a user or machine certificate be issued.  If you enable autoenrollment in AD, both of these things happen automatically with domain clients.

     

    The CA in ClearPass is mainly useful to distribute EAP-TLS certificates to clients using Onboard, which requires a client to access a webpage to obtain a certificate.  It is targeted at non-domain devices, which do not automatically trust the CA and server cert and would not be able to easily get a client certificate.

     

    If your client falls into scenario #1 or #2, it is best they use the domain for the CA, because it is easier to setup and maintain.

     



  • 9.  RE: Clearpass as CA + AD as authentication source

    Posted Jul 01, 2015 06:51 AM

    Hi Colin,

    Thanks for your help.

    Today I was trying to implement EAP-TLS for a client and got the following error:

    [screenshot attached: EAP-TLS.jpg]

    Is it required to install the root CA in ClearPass also?

     



  • 10.  RE: Clearpass as CA + AD as authentication source

    EMPLOYEE
    Posted Jul 01, 2015 06:56 AM

    Yes.  You need to install the CA certificate in Administration> Certificates> Trust List.



  • 11.  RE: Clearpass as CA + AD as authentication source

    Posted Jul 01, 2015 07:07 AM

    Ohh..

    I thought ClearPass was simply passing the request through, so there was no need to import certs into the trust list.

    I was wrong.



  • 12.  RE: Clearpass as CA + AD as authentication source

    Posted Jul 01, 2015 07:22 AM

    But when we do the same with the Controller, no root certs are required on the controller.

    Why?



  • 13.  RE: Clearpass as CA + AD as authentication source

    EMPLOYEE
    Posted Jul 01, 2015 07:27 AM

    Controller = NAS

    Controller <> Radius Server

     

    Client----------NAS-----------Radius Server



  • 14.  RE: Clearpass as CA + AD as authentication source

    Posted Jul 06, 2015 01:53 AM

    I have added the AD and certificate server root CA to the trust list of ClearPass.

    After that I installed the root CAs of ClearPass and the AD server on the users also.

    Now users are able to authenticate, and for some machines machine auth is also working, but I'm not sure why for some machines it's still showing unknown CA.

     



  • 15.  RE: Clearpass as CA + AD as authentication source

    EMPLOYEE
    Posted Jul 01, 2015 07:22 AM

    If the Radius Server (ClearPass) does not have a Trust List of CA certificates, what is it checking the user EAP-TLS certificate against?
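
The point Colin makes in posts 13 and 15 (the NAS only relays EAP; the RADIUS server is the one that must hold the issuing CA in its Trust List) can be reproduced offline with the openssl CLI. This is an added example, not code from the thread or from HPE Aruba; it assumes openssl is installed and generates throwaway CAs and a user certificate into a temp directory, then runs the same chain check the RADIUS server performs with the Trust List as it stood before and after the AD CA was imported (post 14).

```shell
#!/bin/sh
# Added example (not from the thread): models the check ClearPass, as the
# RADIUS server, performs on an EAP-TLS client certificate.
# Assumes the openssl CLI is available; every key and certificate below is
# a constructed throwaway generated into a temp directory.
set -eu
WORK=$(mktemp -d)

# make_ca NAME CN: self-signed CA written to $WORK/NAME.pem and $WORK/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Two CAs, as in the thread: the customer's AD certificate server, which
# issued the user/machine certs, and ClearPass's own built-in CA.
make_ca ad_ca   "Example AD Certificate Services"
make_ca cppm_ca "Example ClearPass Onboard CA"

# A user certificate issued by the AD CA (what the client presents in EAP-TLS).
openssl req -newkey rsa:2048 -nodes -subj "/CN=user-a" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ad_ca.pem" \
    -CAkey "$WORK/ad_ca.key" -CAcreateserial -out "$WORK/user.pem" >/dev/null 2>&1

# The RADIUS server's Trust List is just a bundle of CA certs. Before post 14
# it held only ClearPass's own CA; afterwards the AD CA was imported as well.
cat "$WORK/cppm_ca.pem" > "$WORK/trust_before.pem"
cat "$WORK/cppm_ca.pem" "$WORK/ad_ca.pem" > "$WORK/trust_after.pem"

# radius_check TRUST_LIST: exit 0 = accept, non-zero = reject ("unknown CA").
# -no-CAfile/-no-CApath keep the OS trust store out of it, so the decision
# depends only on the Trust List, exactly as on the RADIUS server.
radius_check() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/user.pem" >/dev/null 2>&1
}

# The two states of the Trust List from the thread.
before_import() { radius_check "$WORK/trust_before.pem"; }
after_import()  { radius_check "$WORK/trust_after.pem"; }

if before_import; then echo "before import: accepted (unexpected)"; else echo "before import: rejected, unknown CA"; fi
if after_import;  then echo "after import: accepted"; else echo "after import: rejected (unexpected)"; fi
```

The controller in post 12 never runs this check at all: as the NAS it only carries the EAP exchange between the client and ClearPass, which is why no root certificate is needed on it.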