Contributor II

EAP TLS with ADCS for machine auth

I've searched and searched and can't quite find a thread on here with the same symptoms. What I'd like to achieve is doing machine authentication with our Macs using a certificate assigned from our AD CA. I've got what I think is a very basic service configured, but the client keeps failing with "user not found". According to Access Tracker, it's not looking at AD as the authentication source even though it's specified.


-Mac laptop (10.13.4) joined to AD

-It's getting the AD, ClearPass, and trusted CA certs via profile manager (I'm 99.9% sure this is all working as it should)

-AD CA cert installed in ClearPass trust list

-EAP TLS with authorization checkbox unchecked

-AD authentication source with default settings, working fine for EAP PEAP on production SSID


What am I missing?


Guru Elite

Re: EAP TLS with ADCS for machine auth

Remove the authentication source from your service.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: EAP TLS with ADCS for machine auth

OK, that works, but I had to change my role mapping rules. I had tried that, but my role mappings were based on AD attributes, so it was still failing, just with a slightly different error message.

Guru Elite

Re: EAP TLS with ADCS for machine auth

Just to be clear, this service is only handling machine authentications, correct?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: EAP TLS with ADCS for machine auth

Yes it is, but this is only a test service. The plan would be to eventually add it to our production service which is now only doing EAP PEAP for user auth. I'm pretty sure I saw a config in an old thread for how to do that.

Guru Elite

Re: EAP TLS with ADCS for machine auth

It would be better to keep machine auth in its own service since authorization is not enabled.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: EAP TLS with ADCS for machine auth

Makes sense. Is there a way I can do that if it's using the same SSID?

Guru Elite

Re: EAP TLS with ADCS for machine auth

Yes, services are not tied to SSIDs.

Use service rules that check for:
Authentication:Full-Username BEGINS_WITH host/
Authentication:Full-Username ENDS_WITH .yourdomain.xyz

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
