Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

  • 1.  Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted Feb 27, 2015 01:03 PM

    I want to set up CAC smartcard login for admin access to ClearPass. Has anyone gotten this working?



  • 2.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    EMPLOYEE
    Posted Feb 27, 2015 01:05 PM
    Certificate based management authentication is available starting in CP 6.5. 


    Thanks, 
    Tim


  • 3.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted Feb 27, 2015 01:07 PM

    6.5 is quite new, right? Have any bugs reared their heads yet?


    @cappalli wrote:
    Certificate based management authentication is available starting in CP 6.5. 


    Thanks, 
    Tim




  • 4.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    EMPLOYEE
    Posted Feb 27, 2015 01:14 PM
    I personally haven't found any issues. 


    Thanks, 
    Tim


  • 5.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted Mar 06, 2015 02:33 PM

    We're getting approval to upgrade to 6.5. Is there a guide about doing it, or some other resource that might be helpful?



  • 6.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    EMPLOYEE
    Posted Mar 06, 2015 03:13 PM

    I don't think there is a deployment guide specifically for that quite yet, but there is some information in the 6.5 User Guide. It may be best to reach out to your Aruba or partner team.




  • 7.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?
    Best Answer

    Posted Mar 08, 2015 06:04 PM

    Requires 4 steps:

    - Create a Web Login page enabled as SAML IdP
      -- Set Vendor Settings to "Single Sign-On - SAML Identity Provider"
      -- Set Client Certificate to "Required - require a client certificate from the user"
      -- Set Authentication to "Certificate Only - no username or password required"
    - Run the Certificate/Two-Factor Authentication for ClearPass Application Login service template to create the appropriate services
      -- Select the Applications for which you want to enable certificate authentication
      -- Select the Authentication Source (though this won't be used if you're only using certificates)
      -- Select the IdP page you created above
      -- Specify the enforcement details (essentially you're mapping certificate attributes to operator privileges). You can tweak these later by editing the appropriate Enforcement Profile
    - In Configuration > Identity > Single Sign-On (SSO)
      -- Set the IdP URL to your Web Login page (e.g. https://<CPPM>/guest/idp.php)
      -- Ensure SSO is enabled for the applications you want
    - Add the root/issuer of your client certificates to Administration > Certificates > Trust List


    I would suggest just enabling SSO for Insight as a starting point. You can then test by browsing to https://<CPPM>/insight. This prevents locking yourself out of the Policy Manager or Guest until you have the workflow down. If you've done everything correctly, when you hit the Insight page, you'll be redirected to the Web Login page which will prompt for a client certificate. Select your client cert and submit. The client cert should be accepted as your credential and you should be logged into Insight.



  • 8.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted Apr 08, 2015 04:31 PM

    I used rfiler's very excellent instructions. I'm now getting prompted for a certificate and get to select it and enter my PIN. After that, I get redirected to https://<the server name of the device>/networkservices/saml2/sp/acs (I got to it by the IP address originally) and Internet Explorer's "cannot display the webpage" screen.


    Did my brain block out a chunk of the instructions and I just forgot to do something?



  • 9.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted Apr 27, 2015 10:07 AM

    If you are still stuck, did you try with other browsers? Other versions of IE?

    You might try with something other than certificate first and then move there.



  • 10.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted Apr 29, 2015 10:38 AM

    It doesn't work at all in Firefox. It goes straight to "You must provide a valid certificate". That could be a configuration that is forced on us by GP, but it will never change. Chrome can't be installed here, and we are locked in to our IE version (9).


    I've gotten around the redirect issue by making a hosts entry on my PC. Now after I get prompted for the certificate I get "HTTP Status 403 - RelayState missing/invalid" and "Access to the specified resource has been forbidden". However, if I close that window and go back in, it takes me straight in. It doesn't even prompt for a PIN, which is a problem, but I'm cautiously optimistic.



  • 11.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    EMPLOYEE
    Posted Apr 29, 2015 12:29 PM
    Is the cert installed in Firefox? Firefox uses its own cert store.

    Thanks,
    Tim


  • 12.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    EMPLOYEE
    Posted May 20, 2016 11:12 AM
    When I use 'Certificate only - no username or password required' option on the Web Login page settings, I do not see the 'username' field filled out on the authentication request. Is there a way to map the certificate common name to the username field so that I can look up authorization attributes from LDAP later on?


  • 13.  RE: Has anyone implemented CAC (EAP-TLS, Smartcard) for administrative login to ClearPass 6.3.6?

    Posted May 15, 2015 02:13 PM

    It looks like I've got things worked out. What I was missing:

    • Add a 1 second login delay to the web login page. That prevents the issue I was having with getting a not authorized page and having to go back in.
    • Go to Configuration » Identity » Single Sign-On (SSO)  and set Identity Provider (IdP) URL to use the device name rather than the IP address. That got rid of our certificate errors.


    I do have a question about the screenshot I attached. What is the function of Identity Provider (IdP) Certificate? I have that blank, and it appears to be working.