Security

Hello Guys ,

I'm testing the ClearPass Onboarding using Amigopod 3.9.2.

onboarding process is working fine using two Kid's one with Captivator and another one is TLS based , but the issue now that any user can connect to the TLS based SSID using the AD credential and download the certificate without going through onboarding process.

How we can make sure that the user is going through the onboarding process before connecting to the TLS based SSID.

Thanks ,

Anas

Anas,

It sounds like your RADIUS server is setup to support both PEAP and EAP-TLS if user are able to authenticate just with their username and password. If PEAP is disabled or an authorization check implemented to ensure that the EAP method is TLS based you should be able to control the use of this SSID.

Hi Cam  ,

Thanks for your reply ,

Yes my Radius server is configured to support both EAP-TLS and PEAP with MSCHAPv2 , as we need to do onbording not only for iOS devices but also for Windows and Andriod devices using the same SSID .

So disabling PEAP will not solve the problem , please can you share with me any example for authorization check implementation , I'm not able to find any smellier case ( to check if the device has gone through the Onboarding process or not ).

Thanks ,

Anas

Just to confirm; is your goal to keep two SSIDs or use one?   Then, you are providing unique ClearPass credentials to the devices?

If you are using one SSID, a typical scenario may be similar to the following:

• Configure authentication for the network as EAP-TLS and PEAP-MSCHAP v2
• Setup different roles on the controller and setup the authentication services on ClearPass to support both AD and ClearPass authenticaiton and the following:
• If PEAP passes (with AD credentials) put the user in a provisioning logon role to redirect to captive portal
• If EAP-TLS passes (with a unique cert) put the user in a post-provisioned role
• If PEAP passes (with unique credentials) put the user in a post-provisioned role

Anas,

I am not sure which RADIUS server you are using but if you were leveraging the ClearPass Policy Manager there are some great enforcement policies that can be applied by inspecting the outer EAP or potentially the authetnication source being used.

For example, if the RADIUS transaciton was based on a AD authenticated PEAP authentication then we know that this device has not been through the Onboard process and therefore should have a role returned that redirects the device to the provisioning portal. If the RADIUS transcation was based on EAP-TLS or authenticated against the Onboard Devices repository, we know this is an Onboarded device and can confidently return the post authentication role.

Hope this helps

Cam.

Hi Cam and Clembo ,

Thanks for the Ideas ...

I'm using Amigopod as Radius Server , and as you mentioned above I moved to one SSID approach with assigning deferent Authorization rule based on the Radius Authentication   ( TLS or AD ) , and onboarded on the Radius Returned Rule the wireless controller will allow the client if it's already onboarded and give the Authenticated Role , or return it to the onbording CP if not.

 Tested and working fine now :smileyhappy:

Thanks ,