New Contributor

Clearpass interrogating client certificate

I have been looking for advice on how to have Clearpass look for an existing certificate on a Windows 7 client as part of .1x authentication. I am successfully using AD group membership to allow SSO into our corporate SSID, but we also have a Workstation Authentication cert that all of our laptops get via self enrollment when they are added to the domain. I would like to verify this certificate exists.

 

Looking for conceptual advice and specific direction on using this option.

 

TYIA

Guru Elite

Re: Clearpass interrogating client certificate

- Upload the root CA to ClearPass

- Create a service using the EAP-TLS method

- Configure the supplicant to use machine authentication with EAP-TLS


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
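
A client-side check for the certificate that the EAP-TLS steps above depend on, as an added example that is not part of the original posts or of any Aruba tooling. It assumes the Workstation Authentication certificate is enrolled into the `LocalMachine\My` store and carries the Client Authentication EKU; the function name `Test-MachineAuthCert` is hypothetical.

```powershell
# Added example: report which certificates in the computer store look usable
# for EAP-TLS machine authentication. Run from an elevated prompt on the client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-MachineAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs from the certificate's extensions.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Build the chain locally. Revocation is not checked here (assumption:
    # the RADIUS server performs its own validation against its trust list).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($Cert)

    # The last chain element is the root; this is the CA the server must trust.
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        NotAfter         = $Cert.NotAfter
        HasPrivateKey    = $Cert.HasPrivateKey
        HasClientAuthEku = ($ekuOids -contains $clientAuthOid)
        InValidityPeriod = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainBuilds      = $chainBuilds
        Root             = $root
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineAuthCert $_ } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
                  HasClientAuthEku, InValidityPeriod, ChainBuilds, Root |
    Format-List
```

The `Root` value shows which CA certificate has to be present in the server's trust list for the client certificate to validate.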
New Contributor

Re: Clearpass interrogating client certificate


cappalli wrote:

- Upload the root CA to ClearPass

 

So is this just adding my PKI server in Administration - Certificates - Trust List?

 

- Create a service using the EAP-TLS method

 

I have a 1X service that is working. It does have EAP TLS as an Authentication Method:

 

EAP-TLS.JPG

 

 

- Configure the supplicant to use machine authentication with EAP-TLS


 

Guru Elite

Re: Clearpass interrogating client certificate


Jayke757 wrote:

I have been looking for advice on how to have Clearpass look for an existing certificate on a Windows 7 client as part of .1x authentication. I am successfully using AD group membership to allow SSO into our corporate SSID, but we also have a Workstation Authentication cert that all of our laptops get via self enrollment when they are added to the domain. I would like to verify this certificate exists.

 

Looking for conceptual advice and specific direction on using this option.

 

TYIA


If you are trying to do username/password authentication for users (EAP-PEAP) and certificate (EAP-TLS) for computers, you cannot do that combination. That is a limitation of the Windows Supplicant. Both authentications need to be EAP-PEAP or EAP-TLS.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
New Contributor

Re: Clearpass interrogating client certificate

As I have been researching this today, I came across this document:

 

http://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/9125/1/ClearPass-Win7-PEAP-TLS-v1.0-20140114.pdf

 

and it looked like what you are describing since I could choose CHAP or Certificate on the Win7 side.

 

What is best practice then, if I would like to verify machine and user?

Guru Elite

Re: Clearpass interrogating client certificate

I'd recommend doing user and computer using PEAP controlled by GPO. 

Sent from Nine

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.