Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Notifying user authentication failed users

  • 1.  Notifying user authentication failed users

    Posted Aug 30, 2018 09:22 AM

    Hello Airheads,

     

    We are using ClearPass to authenticate users on our Wifi network.

    The authentication method provided is "EAP-PEAP,EAP-MSCHAPv2" using Active Directory as our Authorization Source.

     

    What's our situation?

    Some of our users aren't aware that, whenever they change their Active Directory account password, they also have to change their wifi password on their phone.

     

    Possible solution

    We would like to help users by sending them a reminder e-mail whenever a 'User authentication failed' error message occurs. I know ClearPass 'Insight' can send alerts using email, however: you manually have to specify each E-mail address (https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Get-an-email-alert-from-CPPM-when-we-see-quot-n-quot-failed-auth/ta-p/234952).

     

    Since we're using the user's email address as username, it would be ideal if ClearPass could use this attribute to send the email to.

    I've also found this ClearPass smtp snippet on github (https://github.com/aruba/clearpass-exchange-snippets/tree/master/messaging/clearpass-smtp) but I have no idea how I tell the json format to use 'Username' field.

     

    Any help would be great!

     

    Thank you,

    Michael



  • 2.  RE: Notifying user authentication failed users

    EMPLOYEE
    Posted Aug 30, 2018 10:51 AM
    Legacy EAP methods like PEAP should not be used. Have you considered moving to EAP-TLS which is more secure and does not involve any password changes?


  • 3.  RE: Notifying user authentication failed users

    Posted Sep 03, 2018 02:00 AM

    Sorry I've been out of office since then. I will take a look at the solution you provided. Will report back as soon as I can!

     

    Edited:

    Just checked the difference between EAP-PEAP and EAP-TLS and I understand that EAP-TLS requires client certificates (and server certificates) rather than username/password and server certificate.

    Even though this will be a more secure solution, we're not able to switch at this point. We will definitely look at the possibilities, but it would be great if I could still make a notification mail for the EAP-PEAP solution.

     

    Thank you!

    Michael