Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

  • 1.  Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    Posted Aug 31, 2017 04:35 AM

    Hello all!

    I have a question regarding how to configure Clearpass in the following scenario:

    1. A company has multiple login domains (e.g. xx.com, xx.org, xx.net)

    2. The company will authenticate all users with an anonymous@xx.com account, with a certificate bound to that user.

    3. The next step is to authenticate the "real" user with its own credentials inside the established EAP tunnel, created by step 2.

     

    I have tried almost everything, but I can't get this to work :(

     

    Questions:

    How should the method be configured?

    How should the service be configured?

    And the last one, how do I configure, e.g., an iPhone for this type of connection?

     

    BR

    Fredrik



  • 2.  RE: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    EMPLOYEE
    Posted Aug 31, 2017 07:25 AM

    Is this EAP-PEAP or EAP-TLS?

    Do you simply want to authenticate users for multiple domains?

    Did you try adding ClearPass to multiple domains?

     

     



  • 3.  RE: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    Posted Aug 31, 2017 07:31 AM

    Hi

     

    We are trying to use EAP-PEAP.

     

    Yes, the current company structure requires multiple "inside" user domains.

    And the correct domain has trusts to all other domains, but in this scenario we have to use a specific domain name for authentication externally using RADIUS proxies.

     

    BR

    Fredrik E



  • 4.  RE: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    EMPLOYEE
    Posted Aug 31, 2017 07:36 AM

    So, you already have a RADIUS proxy?  What are you trying to do in addition, then?

    You have Eduroam in the title of this post.  Where does that come in?



  • 5.  RE: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    Posted Aug 31, 2017 07:43 AM

    We do not have our own RADIUS proxies; we have a connection (RX/TX) with the Eduroam national proxies, where we have our "main" domain registered. All authentication requests coming from a user whose identity ends in our domain are relayed to our ClearPass servers for authentication. This works perfectly as long as the user has a user account in that specific domain.

    The problem is when a user is a part of the company but his home domain is another.

    Here we would like to use an outer identity that relays the request to our servers, and then the user specifies his "correct" credentials (inner identity).

     

    Hope this makes sense :)

     

    BR

    Fredrik



  • 6.  RE: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    EMPLOYEE
    Posted Aug 31, 2017 08:42 AM

    Create a standard 802.1X service that matches on that realm and uses the appropriate authentication source.

     

    Also, just to be clear, the certificate needs to be bound to the user. The anonymous outer identity is not a "user". You also mentioned later in the thread that you're using PEAPv0/EAP-MSCHAPv2. Which is it?



  • 7.  RE: Eduroam - Using anonymous@xx.com for outer creation of EAP tunnel

    Posted Sep 12, 2017 05:46 AM

    The problem is how we should do this setup: we need to use an anonymous account for the EAP tunnel (outer identity), and then we will use this EAP tunnel for the authentication traffic of the "real" identity.

     

    Sorry for the "weak" explanation:(
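Added example for readers following this thread (not code from any poster, from HPE Aruba or from ClearPass): a small Python model of the routing the replies describe. The outer identity (anonymous@xx.com) carries only a realm, which the eduroam proxy hierarchy uses to forward the request to the home institution's RADIUS server; the inner identity inside the PEAP tunnel names the real user and may belong to a different, trusted domain. The realm names, the trusted-domain list, the "missing inner realm means home realm" rule and the sample identities are all constructed assumptions for illustration.

```python
"""
Model of outer-identity realm routing and inner-identity validation for
PEAP over eduroam-style RADIUS proxying. All realm names and policy choices
below are constructed for the example; they are not ClearPass configuration.
"""
from dataclasses import dataclass

# Constructed: the realm this institution has registered with the national proxy.
HOME_REALM = "xx.com"
# Constructed: internal domains the home domain trusts (the thread's xx.com/.org/.net).
TRUSTED_INNER_DOMAINS = {"xx.com", "xx.org", "xx.net"}


@dataclass
class Decision:
    action: str   # "proxy", "authenticate-local" or "reject"
    reason: str


def split_nai(identity: str) -> tuple[str, str]:
    """Split a Network Access Identifier into (username, realm).

    RFC 7542 takes the realm as everything after the LAST '@'. A missing
    realm yields "" so callers can decide explicitly what to do with it.
    """
    user, sep, realm = identity.rpartition("@")
    if not sep:
        return identity, ""
    return user, realm.lower()


def outer_leaks_username(outer_identity: str) -> bool:
    """True if the cleartext outer identity reveals a real username.

    The outer identity crosses every proxy unencrypted, so the whole point of
    anonymous@realm is that only the realm is visible. An empty user part or
    the literal 'anonymous' is fine; anything else leaks the user's name.
    """
    user, _ = split_nai(outer_identity)
    return user not in ("", "anonymous")


def route_outer(outer_identity: str) -> Decision:
    """Route a request on the outer identity's realm alone.

    This mirrors a realm-matching 802.1X service: the realm selects the
    authentication path and the user part ('anonymous') is ignored.
    """
    _, realm = split_nai(outer_identity)
    if not realm:
        return Decision("reject", "outer identity has no realm; cannot route")
    if realm == HOME_REALM:
        return Decision("authenticate-local", f"realm {realm} is ours")
    return Decision("proxy", f"realm {realm} is not ours; forward to national proxy")


def accept_inner(outer_identity: str, inner_identity: str) -> Decision:
    """Validate the tunnelled inner identity once the request has reached us."""
    outer = route_outer(outer_identity)
    if outer.action != "authenticate-local":
        return outer  # a proxied or rejected request never reaches the inner check here
    user, inner_realm = split_nai(inner_identity)
    if not user:
        return Decision("reject", "inner identity has no username")
    # Assumption for this example: an inner identity without a realm belongs
    # to the home realm. A deployment may instead choose to reject it.
    inner_realm = inner_realm or HOME_REALM
    if inner_realm not in TRUSTED_INNER_DOMAINS:
        return Decision("reject", f"inner realm {inner_realm} is not a trusted domain")
    return Decision("authenticate-local", f"look up {user} in domain {inner_realm}")


if __name__ == "__main__":
    # Constructed sample requests: (outer identity, inner identity).
    samples = [
        ("anonymous@xx.com", "fredrik@xx.org"),       # our realm, trusted inner domain
        ("anonymous@xx.com", "fredrik@evil.example"),  # our realm, untrusted inner domain
        ("anonymous@other.edu", "someone@other.edu"),  # not our realm: proxy onwards
        ("fredrik@xx.com", "fredrik@xx.com"),          # works, but leaks the username
    ]
    for outer, inner in samples:
        d = accept_inner(outer, inner)
        leak = " (outer identity leaks username)" if outer_leaks_username(outer) else ""
        print(f"{outer:22} / {inner:22} -> {d.action}: {d.reason}{leak}")
```

The split on the last "@" matters: a user part that itself contains "@" must not be mistaken for the realm, or the request would be routed to the wrong institution. The `outer_leaks_username` check is the caveat behind the poster's requirement: if a client is configured with its real username as the outer identity, the setup still authenticates, but every proxy on the path sees who is connecting.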