Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Double authent when 802.1X + Onguard


    Posted Sep 08, 2017 09:22 AM

    Hi all, and thank you for all the help that you already provide by answering other posts on this forum.

    I have a specific question about the 802.1X + OnGuard double authentication. I think the solution will not come from the Aruba (ClearPass nor controller) side but more from the Windows side (exclusively Windows). So, it's more a "have you already been facing this, or do you think there is a way to avoid it?" ^^

    We are implementing it for my customer but we have a problem with the double authentication that occurs. All seems to work perfectly right, but maybe a little too much; let me be precise:

    - This SSID is for the internal network. No guest or captive portal mandatory.

    - We use OnGuard for posture checking (persistent). Latest version, on Windows.

    - 802.1X authentication with EAP-TLS. (All CSRs and certificates already signed and all.) With a SMARTCARD that pushes the certificate to Windows.

    - We are using a 7210 controller and CPPM 6.6.7.

    - Since we are using BRIDGE MODE only, we can't do CoA. (Bridge mode is mandatory.)

    Let me explain:

    - The programme that pushes the certificate from the SMARTCARD to the computer asks for a PIN/Password every time we access it.

    - But with our authentication system, we first go through the 802.1X service, so it asks for the PIN/password one time. Then we go to the WEBAuth service and the posture token updates, then a client bounce happens (no CoA possible since we are in bridge mode), and we go through the 802.1X service process a second time, so it asks for the PIN/Password a second time.

    This is very bothering because in their actual system it asks just one time. (Because in their actual posture system there is just OK => you stay, NOT OK => you are bounced. So, no need for CoA or re-authentication like now.)

    Has anyone else had this?

    Sure, I can cache the credentials - from the Windows network checkbox - but it seems there is no possible way to configure the cache timer. When I tried it, the time seemed to be unlimited. I want to have it just for something like 30 seconds, the time OnGuard takes to do the posture check and re-authenticate. (If not, anybody can take your computer and smartcard and connect later...)


    Thank you in advance if you have any idea. I hope I made it clear.