Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass policy that validates two separate certificates

  • 1.  Clearpass policy that validates two separate certificates

    Posted Dec 02, 2019 02:20 PM

    I currently have a policy in place that validates one certificate for providing authentication. My boss wants us to have a policy that authenticates the USER then authenticates the Device. He wants both to be authenticated by our AD, but he wants the information to come from two different certificates. Can this be done? I'm not sure how I'd chain two authentication profiles. 



  • 2.  RE: Clearpass policy that validates two separate certificates

    Posted Dec 02, 2019 02:27 PM
    What type of device?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Clearpass policy that validates two separate certificates

    Posted Dec 02, 2019 02:29 PM

    The environment shakes out like this: We have a ClearPass server, two 7030 controllers, a mobility master and about 20 APs. The only devices we'd want to authenticate will either be Lenovo laptops or Dell towers. No mobile devices.



  • 4.  RE: Clearpass policy that validates two separate certificates

    Posted Dec 02, 2019 02:43 PM
    Are those part of the domain? If so, it is possible.
    But you need to make sure the wireless/wired profiles are configured to do computer or user authentication (those settings can be pushed via a group policy).



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Clearpass policy that validates two separate certificates

    Posted Dec 02, 2019 02:45 PM

    Yes, all devices will be domain joined. We do not want non-domain devices on our network. As for the wired and wireless policy, we already set them up for user and computer authentication.

     

    A better question is this: How do I set up ClearPass to test one policy, then the other?



  • 6.  RE: Clearpass policy that validates two separate certificates
    Best Answer

    Posted Dec 02, 2019 03:38 PM
    You can use the tips role = [machine authenticated] and apply a different profile, or use a different service just for the machine auth, add the condition authentication > full-username > begins with > host/, and assign a different policy/profile.





    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 7.  RE: Clearpass policy that validates two separate certificates

    MVP EXPERT
    Posted Dec 02, 2019 04:25 PM

    Please note that the computer certificate can be automatically enrolled through a GPO policy, but the user certificate is enrolled after the user has logged in once. This requires that the AD is reachable with only computer authentication to make (new) user certificate enrollment possible, or just connect once to an open interface.

     

    When you have some computers that are shared between different users, this can be a challenge. That's why I personally choose computer authentication only in most cases.

     

    I look forward to seeing your test results!



  • 8.  RE: Clearpass policy that validates two separate certificates

    Posted Dec 03, 2019 11:57 AM

    I just have a few more questions. My understanding is that [machine authenticated] is just an endpoint that the ClearPass server has seen before. Can I configure it to do an AD lookup and confirm that the host is still active in the domain?



  • 9.  RE: Clearpass policy that validates two separate certificates

    Posted Dec 03, 2019 01:30 PM
    The [machine authenticated] is assigned when a domain device has successfully authenticated.

    ClearPass caches the machine authenticated information, which allows you to use it when the user logs in.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile