Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Joining a device to a domain over 802.1x

  • 1.  Joining a device to a domain over 802.1x

    Posted Mar 02, 2017 02:45 PM

    I have a new requirement which is to be able to have a computer join the domain wirelessly. We are currently using EAP-TLS as the authentication method on our domain computers, but I've been preparing to move to PEAP-MSCHAPv2 (user and machine auth) as it fixes issues with first-time users on a multi-user device.

     

    The computer to join is fresh, no domain or clearpass certificates on the device yet.

     

    What would a recommended method be to get these to connect to either an EAP-TLS SSID(or MSCHAPv2 or another method) so that they can join the domain?

     



  • 2.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 02, 2017 03:39 PM

    AFAIK, there is no way to do that.  A computer would likely need to machine authenticate to do "domain stuff" on the network (the reboot, get past ctrl-alt-delete), and all of those would require a machine certificate that is not issued before a domain join.



  • 3.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 05, 2017 07:02 AM

    David,

    I read two topics in your question: 1) how to allow domain computers to access the domain controllers before the login, so that users that never logged in before on the computer can be validated and authenticated to the domain. 2) how to join the computer to the domain if there is no connection (classical chicken-egg problem).

     

    In order to join a client to the domain, IP connectivity between the client and the domain controller(s) is required. There are many ways to achieve that. What most companies do (in my experience) is connect the clients to wired 'staging' ports to join the system to the domain; this can be done from the unauthenticated VLAN as well, which can also be used to PXE image the system. You can even create an automatic whitelist so that as soon as the client does a domain authentication it is automatically added, and use that whitelist to place the clients in a PXE staging VLAN that allows both the imaging and the domain join.

     

    As you are explicitly looking for a wireless method, you basically have the choice of three: open, WPA2-PSK, WPA2-Enterprise; and allow access to the domain controllers from those networks. As you may have noticed, connecting to a WPA2-Enterprise network from a non-domain system can be pretty challenging; so I would avoid that route myself, but it is possible as long as it provides IP connectivity to the domain controllers to do the domain join.

     

    For the other item, it caught my attention that you are considering moving from TLS to MS-CHAPv2. MSCHAPv2 has been broken (since 1999 already) and should not be used unless you have full control over the endpoints to prevent the client from connecting to a rogue authentication server. As you are speaking about domain computers, this full control might be the case if you deploy everything right. I just want to make sure the risks of MS-CHAPv2 are clear to you. Check https://www.youtube.com/watch?v=50fO3j4NgyQ to see what happens if you do not have control or do not configure it properly.

     

    The way to solve the issue of pre-login access is to deploy computer certificates. And if you want to switch to user authentication as well, you should have client certificates as well. This all can be done with Microsoft Certificate Services (MSCS) and group policies.

     

    The flow would be that before the user logs in, the computer authenticates with its computer certificate and you can allow the client access to the domain controller and other services that need to be present before login (DNS, update services, etc.); then you either use computer authentication only or if you need user authentication you can switch to the user certificate.



  • 4.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 05, 2017 12:14 PM
    Herman - Unfortunately PEAPv0 is the only option in environments where user and machine identity are required and devices are shared between multiple users. In these situations, locking down the supplicant via GPO is recommended.


  • 5.  RE: Joining a device to a domain over 802.1x

    Posted Mar 06, 2017 09:20 AM

    Herman,

    First of all, thank you for your youtube videos, I watched most of them already while learning how to get my clearpass setup

     

    I think I failed to properly convey my problem. The question is: How do I/is it possible to join a computer to the domain over 802.1x wireless. 

    We currently either plug the units in to a port assigned to a VLAN where they can enroll in the domain, or over our old wireless that uses PSK. 

     

    I do have full control over the endpoints here, but TLS would be preferable as the more secure method as long as it meets the same requirements.

     

    I have the pre-login access all figured out for EAP-PEAP-MSCHAPv2, with roles for machine-only auth, user-only auth, and machine+user auth. I was thinking I could allow access to the domain with the user-only auth role (manually entered credentials, and a check for specific memberships), so that the computer may be joined to the domain.

    If that is possible with EAP-TLS as well, great. I've been having difficulty doing machine-only auth using TLS. I'm testing on a broken XP laptop that keeps resetting the wireless properties (once in a while it sticks), so that could be a problem.

     

    Tim,

     

    Are you saying that EAP-PEAP-MSCHAPv2 is the only method that works for user and machine auth? Or any auth that uses outer layer peapv0? I'm getting a better understanding of the auth methods but still in a bit of confusion.



  • 6.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 06, 2017 10:02 AM

    My recommendation would be to create a limited access role on your open/guest network that uses AD authentication and does a short MAC cache. You can use a policy that allows only your IT group to log in to this state.

     

    For your original question, if you're supporting multiple users on devices (shared devices) and still require both computer and user identity, your only option is PEAPv0/EAP-MSCHAPv2.

     



  • 7.  RE: Joining a device to a domain over 802.1x

    Posted Mar 06, 2017 10:32 AM

    How would your proposed method work?

    Our open/guest network is set to our DMZ vlan, and I already have AD auth with mac caching on that guest network for our employees who have been authorized to connect with personal devices.

     

    I was just able to test using only MSCHAPv2. I changed the connection properties on the client to do user only auth, using manual credentials instead of cached and not verifying the server certificate. I was correctly assigned the user only auth role where I was able to join the domain with proper credentials.

    This seems to be satisfactory; however, it feels less secure as I'm not verifying the server cert. I'll need to ensure the proper restrictions are put in place for this role, as I think the only use for this role will be for joining the domain.

     

    I feel like there is something I could do to make this more secure. Thoughts?



  • 8.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 06, 2017 10:46 AM

    Use a server-initiated login that disconnects the user. On re-authentication, drop them into a limited internal access role.

     

    You should never use PEAP or EAP-TTLS without verifying the server certificate CN/SAN and issuing CA.
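The point made in this reply (and in Herman's MS-CHAPv2 warning above) is checkable on the client: a Windows PEAP profile records whether the supplicant validates the RADIUS server certificate, which names it accepts, which issuing CA it pins, and whether the user can click through a mismatch. The following is an added example, not code from the thread or from HPE Aruba; it parses the EapHostConfig XML that `netsh wlan export profile` writes and flags each of those settings. The two profiles it builds are constructed for illustration (the server name and CA thumbprint are dummy values), while the element names and namespaces follow Microsoft's published PEAP profile schema.

```python
"""Audit a Windows WLAN profile for PEAP server-certificate validation.

Added example; not code from the forum thread or from HPE Aruba / ClearPass.
It parses the EapHostConfig XML that `netsh wlan export profile` writes and
reports the settings that decide whether a PEAP supplicant can be lured to a
rogue RADIUS server: PerformServerValidation, ServerNames, TrustedRootCA and
the click-through prompt. The two profiles built below are constructed for
illustration (dummy server name, dummy CA thumbprint).
"""
import xml.etree.ElementTree as ET

NS = {
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
PEAP = "25"  # EAP method type number for PEAP (inner MSCHAPv2 is 26, TLS is 13)


def _text(node, path):
    """Text of the first descendant at `path`, or '' if it is absent/empty."""
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def audit_profile(xml_text):
    """Return {'inner': <inner EAP type>, 'findings': [...], 'ok': bool}."""
    root = ET.fromstring(xml_text)
    peap = None
    for eap in root.iter("{%s}Eap" % NS["base"]):  # outer Eap precedes inner
        if _text(eap, "base:Type") == PEAP:
            peap = eap.find("peap:EapType", NS)
            break
    if peap is None:
        return {"inner": None, "findings": ["no PEAP (type 25) method in profile"], "ok": False}

    findings = []
    if _text(peap, "peap:PeapExtensions/peap2:PerformServerValidation") != "true":
        findings.append("PerformServerValidation is not true: any RADIUS server is accepted")
    if not _text(peap, "peap:ServerValidation/peap:ServerNames"):
        findings.append("ServerNames is empty: the certificate name is not checked")
    if peap.find("peap:ServerValidation/peap:TrustedRootCA", NS) is None:
        findings.append("no TrustedRootCA pinned: any cert under any trusted root passes")
    if _text(peap, "peap:ServerValidation/peap:DisableUserPromptForServerValidation") != "true":
        findings.append("user may click through an unknown server certificate")
    inner = _text(peap, "base:Eap/base:Type")
    return {"inner": inner, "findings": findings, "ok": not findings}


# Minimal EapHostConfig in the layout netsh exports; placeholders are filled below.
PROFILE_TEMPLATE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
 <Config>
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
   <Type>25</Type>
   <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
     <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
     <ServerNames>{names}</ServerNames>{root_ca}
    </ServerValidation>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>26</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
      <UseWinLogonCredentials>false</UseWinLogonCredentials>
     </EapType>
    </Eap>
    <PeapExtensions>
     <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
    </PeapExtensions>
   </EapType>
  </Eap>
 </Config>
</EapHostConfig>"""

# Constructed: what the poster tested (manual credentials, no server validation).
WEAK_PROFILE = PROFILE_TEMPLATE.format(no_prompt="false", names="", root_ca="", validate="false")

# Constructed: validation on, server name and issuing-CA thumbprint pinned (dummy values).
HARDENED_PROFILE = PROFILE_TEMPLATE.format(
    no_prompt="true",
    names="clearpass.corp.example",
    root_ca="<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>",
    validate="true",
)

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(profile))
```

To run it against a real client, export the profile with `netsh wlan export profile name="<SSID>" folder=<dir>` and pass the file contents to `audit_profile`; the exported WLANProfile wraps EapHostConfig several levels down, which the `iter` walk handles. A profile that passes with no findings is the state to enforce through the GPO lock-down Tim recommends; the "weak" profile is the one-off state the poster describes, which should exist only for the duration of the join.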



  • 9.  RE: Joining a device to a domain over 802.1x

    Posted Mar 06, 2017 10:57 AM

    My Guest network (captive portal) is currently on controller-initiated login. Are you suggesting changing that to server-initiated, or having a secondary page that uses server-initiated? I believe with server-initiated I'll need to set up a webauth service, correct?

     

    I agree, turning off server certificate validation isn't good.



  • 10.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 06, 2017 11:04 AM
    Yes, I’d recommend creating a separate web login to handle this. You’d need a webauth service as well.


  • 11.  RE: Joining a device to a domain over 802.1x

    Posted Mar 06, 2017 11:21 AM

    I'll give this an attempt Just two more followup questions.

     

    1: I don't see any issue with only having the one Guest SSID, and instead of logging in at the default captive portal redirect, having the admin that's joining the client to the domain manually go to the server-initiated login URL. This can help limit the SSIDs and keeps that login page somewhat hidden. Is there anything wrong with that?

    2: I'm trying to find a good guide for making webauth services, as I haven't set one up yet. They act differently than the other services I've created. Can you help point me in the right direction for one?



  • 12.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 06, 2017 11:29 AM
    1) That should work

    2) There’s nothing specific documented. Essentially, it will be a one rule enforcement policy where you check group membership, OU, etc for valid users and then send an [Aruba Terminate Session].


  • 13.  RE: Joining a device to a domain over 802.1x

    Posted Mar 06, 2017 11:55 AM

    I'm unsure what I should have as the default profile here. In other services I would generally use a deny-access profile but that doesn't seem to be an option.

     

    [attached screenshot: 2017-03-06_11h37_14.png]

     

    For my understanding, the Aruba Terminate Session would cause the client to reconnect/authenticate to that connection. How does this help us in our scenario? If it's just to cache the MAC address, we are already doing that in the controller-initiated login.

    As our guest network has a static VLAN assignment, you'd still be authenticated to a network that is separate from the domain that we want the device to join.

    I have an idea that might work. Use the controller-initiated login, try dynamic VLAN assignment on the IAP for the SSID, have a user account with a specific membership that is checked for, have an enforcement profile that applies a value for Tunnel-Private-Group-ID, and assign an internal VLAN if the Tunnel-Private-Group-ID has that value.



  • 14.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 06, 2017 12:01 PM
    Just use a CoA as the default.

    After the user authenticates, the CoA would get issued. Once the device reauthenticates, you’d use the MAC cached information to drop them into a user-role with an internal VLAN.
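The two-service flow laid out in replies 12 and 14 (web login checks group membership and sends a CoA; the forced reconnect hits MAC auth, which reads the cached endpoint and returns the internal VLAN) can be modelled as plain policy logic. The block below is an added example written for this page, not ClearPass code and not something posted in the thread. The AD group, role names, VLAN number and client MAC are hypothetical; the attribute names it uses (Endpoint Guest Role ID, Aruba-User-Role, Tunnel-Private-Group-ID) are the standard ClearPass and RFC 2868 ones. It also shows the two failure paths a practitioner wants covered: a MAC that reaches MAC auth before the endpoint stamp exists gets the captive-portal role, and a stamp older than the short cache window no longer yields the staging VLAN.

```python
"""Policy model for the 'join the domain from the guest SSID' flow.

Added example; it is not ClearPass code and was not posted in the thread.
It models the two services discussed above: a Web Auth service with one
enforcement rule (AD group membership -> stamp the endpoint, send
[Aruba Terminate Session]) and a MAC Auth service that, on the reconnect
the CoA forces, reads the stamped endpoint and returns the VLAN. The AD
group, role names, VLAN number and MAC address are hypothetical.
"""
from dataclasses import dataclass, field

IT_JOIN_GROUP = "CN=IT-DomainJoin,OU=Groups,DC=corp,DC=example"  # hypothetical
STAGING_VLAN = "310"            # hypothetical internal VLAN that reaches the DCs
STAGING_ROLE = "DOMAIN-JOIN"    # hypothetical value stored in Endpoint Guest Role ID
GUEST_ROLE = "GUEST-PORTAL"     # hypothetical captive-portal role
MAC_CACHE_SECONDS = 900         # short MAC cache: a join takes minutes, not days


@dataclass
class Endpoint:
    mac: str
    username: str
    guest_role_id: str
    expires_at: float


@dataclass
class EndpointRepository:
    """Stand-in for the ClearPass endpoint database, keyed by MAC."""
    records: dict = field(default_factory=dict)


def web_auth(repo, mac, username, ad_groups, now):
    """Web Auth service: only members of the join group get stamped and CoA'd."""
    if IT_JOIN_GROUP not in ad_groups:
        return {"decision": "REJECT", "enforcement": []}
    # Stamp the endpoint with username + role and an expiry (the 'Update Endpoint'
    # post-auth action the poster was missing), then kick the session so MAC
    # auth runs again for this client.
    repo.records[mac] = Endpoint(mac, username, STAGING_ROLE, now + MAC_CACHE_SECONDS)
    return {"decision": "ACCEPT", "enforcement": ["[Aruba Terminate Session]"]}


def mac_auth(repo, mac, now):
    """MAC Auth service: RADIUS attributes for the reconnecting client."""
    ep = repo.records.get(mac)
    if ep is None or ep.guest_role_id != STAGING_ROLE or now >= ep.expires_at:
        # Unknown MAC (e.g. MAC auth raced ahead of the endpoint write), wrong
        # role, or expired cache: captive portal, never the staging VLAN.
        return {"Aruba-User-Role": GUEST_ROLE}
    return {
        "Aruba-User-Role": STAGING_ROLE,
        "Tunnel-Type": "VLAN",             # RFC 2868 value 13
        "Tunnel-Medium-Type": "IEEE-802",  # RFC 2868 value 6
        "Tunnel-Private-Group-ID": STAGING_VLAN,
    }


def expire_stale(repo, now):
    """Housekeeping: drop expired stamps so a stale MAC can never reach staging."""
    stale = [m for m, ep in repo.records.items() if now >= ep.expires_at]
    for m in stale:
        del repo.records[m]
    return len(stale)


if __name__ == "__main__":
    repo = EndpointRepository()
    mac = "00:11:22:33:44:55"   # constructed client MAC
    t0 = 1_000_000.0
    print(mac_auth(repo, mac, t0))                               # captive portal
    print(web_auth(repo, mac, "it.admin", [IT_JOIN_GROUP], t0))  # stamp + CoA
    print(mac_auth(repo, mac, t0 + 5))                           # staging VLAN
    print(mac_auth(repo, mac, t0 + MAC_CACHE_SECONDS + 1))       # cache expired
```

The ordering matters: the endpoint stamp has to be written before the CoA is sent, because the Terminate Session triggers the MAC auth lookup that depends on it. The sample keeps the stamp keyed on the username so the MAC auth service can enforce on both the role and who set it, and the short expiry means a guest-VLAN device that was once used for a join does not keep a door into the internal VLAN.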


  • 15.  RE: Joining a device to a domain over 802.1x

    Posted Mar 09, 2017 01:06 PM

    I'm having difficulty trying this out.

    In the WebAuth I'm setting the Endpoint Guest Role ID to a value.

    In the MacAuth enforcement profile, I'm checking the Endpoint Guest Role ID to see if it matches the expected value. This is the first condition check in that profile, but I am instead put on the captive portal profile from the last condition check.

     

    Should I be using something other than Endpoint:Guest Role ID?



  • 16.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 09, 2017 01:12 PM

    Did you confirm that the endpoint definitely has the value?



  • 17.  RE: Joining a device to a domain over 802.1x

    Posted Mar 09, 2017 01:13 PM

    The value shows in the endpoints attributes



  • 18.  RE: Joining a device to a domain over 802.1x

    Posted Mar 09, 2017 01:23 PM

    Looks like I forgot to attach the authentication username to the endpoint in the enforcement profile, so the correct enforcement profile is now being hit; however, I'm not getting the VLAN reassignment.

    I have the dynamic VLAN setup in the IAP to see if the tunnel private group Id is set to the given VLAN, so the controller is okay.

    The Tunnel-Private-Group-ID is set in one of the enforcement profiles applied.



  • 19.  RE: Joining a device to a domain over 802.1x

    Posted Mar 10, 2017 09:06 AM

    I'm trying various combinations of assigning attributes in the Web-Auth service, followed with an aruba terminate session so that the client hits the Mac Auth service.

    I've tried several different ways of assigning a VLAN from the MAC auth service, but that VLAN change isn't occurring on the client.

     

    Is it possible to assign a VLAN from a mac auth service?



  • 20.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 10, 2017 09:10 AM
    Yes, you absolutely can. Are you seeing the VLAN being assigned on the output tab?


  • 21.  RE: Joining a device to a domain over 802.1x

    Posted Mar 10, 2017 09:13 AM

    Below is showing the output tab and VLAN assignment.

     

    [attached screenshot: 2017-03-10_09h10_53.png]



  • 22.  RE: Joining a device to a domain over 802.1x

    EMPLOYEE
    Posted Mar 10, 2017 09:20 AM
    Hm, that should be working. Please open a TAC case or work with your Aruba ClearPass partner.


  • 23.  RE: Joining a device to a domain over 802.1x

    Posted Mar 10, 2017 09:22 AM

    I also noticed that after the Aruba Terminate Session, the MAC auth will fail, even when the correct attributes are shown on the endpoint and it is marked as known. After manually reconnecting the client it will then pass MAC auth, almost as if it's trying to do the MAC auth before the endpoint has been created by the service initiating the terminate session. Very abnormal behaviour.