Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

  • 1.  EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    Posted Nov 27, 2017 03:28 PM

    Hi,

    I want to authenticate thin clients and IP phones, which get certificates automatically via SCEP, with EAP-TLS. These devices have no Active Directory object, and I only want to check the certificate and get the certificate template name attribute of the certificate. I want to use the certificate template name for setting an explicit VLAN and ACL for these devices. For example, if ClearPass gets an authentication request with a certificate which has "smartphone" in the template name, it will get the smartphone VLAN. If it gets a request with "thinclient", it will get the thin client VLAN.

    I've attached a screenshot of the ClearPass rule editor.

    My problem is that I couldn't find the certificate template name as an attribute in the ClearPass rule set.

    Clearpass.png

    Thanks a lot



  • 2.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    EMPLOYEE
    Posted Nov 27, 2017 03:48 PM
    Unfortunately custom EKUs/OIDs are not currently available in policy.


  • 3.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    Posted Nov 27, 2017 03:56 PM

    Thanks for your fast answer.

    So what could be a solution for this problem?

    I have to roll out certificates automatically via SCEP for different devices (MDM, IP phones, thin clients, printers) with different rules...

    What is the best practice, for example, for authenticating thin clients with a certificate?

    I have to check if there is a possibility to set an attribute like "thinclient" in the SAN. Am I right that it is possible to filter the SAN for attributes? Is it the same as in the onboarding process?




  • 4.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    EMPLOYEE
    Posted Nov 27, 2017 03:58 PM
    Who is the CA?


  • 5.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    Posted Nov 27, 2017 04:01 PM

    The CA is a Windows CA, but with NDES/SCEP.

    The management software of the thin clients sends a certificate request to the Windows CA and installs the certificate on the thin client.

    There is no Active Directory object for the thin client.

    Could it be a possibility to write "thinclient" in the OU field of the certificate and match this?



  • 6.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition
    Best Answer

    EMPLOYEE
    Posted Nov 27, 2017 04:03 PM
    Yes, that would probably be the best approach.


  • 7.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    Posted Nov 27, 2017 04:12 PM

    @Tim

    What do you think, is it better to use the SAN or the OU attribute of the certificate? SAN would be the same as the onboarding configuration.

    I have to check the management software of the thin clients to see which attributes are editable. Maybe it's not possible to use the OU for all kinds of devices (thin clients, printers, MDM).

    Thanks



  • 8.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    EMPLOYEE
    Posted Nov 27, 2017 04:17 PM
    OU


  • 9.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    MVP
    Posted Nov 27, 2017 04:01 PM

    Why not use ClearPass profiling to identify whether it's an IP phone, printer, thin client, etc. and validate the certificate information to ensure it's a corporate-owned asset?


    DHCP and IF-MAP can be set up fairly easily. SNMP/WMI/SSH profiling takes a little more work.


    If device type = Unknown or NOT EXISTS, drop it into a limited-access VLAN which allows DHCP; that should be enough to fingerprint the device, and when it reauthenticates, it is known as its correct type.
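
    As an added illustration (not ClearPass code and not from anyone in this thread), the approach the replies above settle on, in Go: read the Subject OU of an already-authenticated EAP-TLS client certificate and pick a VLAN from it, with unmatched devices falling back to a limited-access VLAN. The VLAN numbers, the OU spellings, the function names and the self-signed test certificate are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Assumed VLAN numbers per device class (the OU string is whatever the device
// management software puts into the SCEP request); unknown OUs get restricted.
var ouToVLAN = map[string]int{"thinclient": 110, "ipphone": 120, "smartphone": 130}

const restrictedVLAN = 999

// VLANForCert mirrors a role-mapping rule on Certificate:Subject-OU. Chain
// validation against the corporate CA is assumed done in the EAP-TLS handshake.
func VLANForCert(cert *x509.Certificate) int {
	for _, ou := range cert.Subject.OrganizationalUnit {
		if vlan, ok := ouToVLAN[strings.ToLower(ou)]; ok {
			return vlan
		}
	}
	return restrictedVLAN
}

// ConstructedCert builds a self-signed test certificate carrying the given OU,
// a stand-in for one issued by the Windows CA through NDES/SCEP.
func ConstructedCert(ou string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "device01", OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```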



  • 10.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition

    Posted Nov 27, 2017 04:08 PM

    Thank you for the tip about profiling.

    The customer wants to do the main count of clients with EAP-TLS and has the possibility to send certificates automatically to the devices.

    But I think I could also use profiling for devices which are not getting certificates.

    Where could I find a config / best practice guide for profiling?

    Thanks



  • 11.  RE: EAP-TLS for Thinclients and IP Phones with Certificate Template as condition