Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

PEAP with the inner method being EAP-TLS

  • 1.  PEAP with the inner method being EAP-TLS

    Posted Jan 12, 2014 03:24 PM

    Hi,

    Probably a stupid question (hopefully not) but I'll ask anyhow.

    Usually we use PEAP with MSCHAPv2 as the inner method and it is easy to set up on AOS and CPPM, but we have a customer that wants to use EAP-TLS as the inner method.

    As a test we have set up the service on CPPM as normal but set the inner method to EAP-TLS and installed a user cert from the AD's CA server (Win 2008 Enterprise edition), but authentication fails with "user not found" in the Access Tracker.

    The question I have is: does the CPPM need to have anything other than its own cert issued by the AD's CA and obviously the CA's root certificate?

    The wireless client's supplicant (Intel's PROSet in this instance) is set up to use a user cert (TLS) instead of MSCHAP.

    regards

    Andy



  • 2.  RE: PEAP with the inner method being EAP-TLS

    EMPLOYEE
    Posted Jan 12, 2014 03:34 PM


    Ultimately, you will need to find the proper RADIUS server/supplicant combination that will support whatever you want to do. This might not be a combination supported by your RADIUS server and supplicant: http://wiki.freeradius.org/protocol/EAP-PEAP#PEAP-EAP-TLS

     

    Lastly, if this is an enterprise deployment, I would not use the Intel PROSet supplicant, because managing your endpoints would require yet another level of software that needs to be changed/configured on the client. Use the Microsoft native supplicant and manage it with Group Policy, if possible.

     



  • 3.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 12, 2014 03:43 PM

    Strange, as ClearPass lists the inner method as EAP-TLS under the computed attributes of the Access Tracker.

    I'll try it again using the Windows supplicant to see if it does anything different.

    Otherwise the customer will have to live without TLS as the inner method.

    thanks

    Andy



  • 4.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 12, 2014 03:38 PM

    There are a couple of options for authenticating using TLS. First, you need to verify which one you are using from the client side and what exactly you want to do. Most common deployments using certificate authentication use EAP-TLS.

    Can you please share an export of the Access Tracker event?

    Also, if you use any form of TLS as an authentication method, verify what the Certificate Comparison field is set to.



  • 5.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 12, 2014 04:05 PM

    Hi Clembo,

     

    The client does have a user cert, which was obtained via the CA's web enrolment portal.

    Some screenshots from the Access Tracker:

    [screenshots: tracker1.JPG, tracker2.JPG, tracker3.JPG, inner.jpeg]



  • 6.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 12, 2014 04:44 PM

    When you choose an inner method (EAP-TLS in this case) it uses an existing Authentication Method that is defined on CPPM. Open up the [EAP TLS] authentication method that is defined under Authentication/Methods. Check to see if authorization is checked and if it is set to compare the certificate.

    [screenshot: cppm-tls-cert-compare.jpg]



  • 7.  RE: PEAP with the inner method being EAP-TLS

    EMPLOYEE
    Posted Jan 13, 2014 06:13 AM

    You may need to strip your username.

     

    Following the Access Tracker, the certificate contains the username 808@home.local; the username in AD is 808, and when sending the full name AD will not recognize that.

     

    In your service, on the Authentication tab, there is the option to strip the @home.local from the username before it is validated in AD; see the screenshot in the attachment.

     

    PEAP-TLS (outer PEAP, inner TLS) is possible, and is one of the ways to permit Microsoft NAP combined with client certificates. NAP requires a PEAP outer tunnel.

     



  • 8.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 13, 2014 06:16 AM

    Hi Herman,

     

    I will try that.

     

    regards

     

    Andrew



  • 9.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 13, 2014 11:44 AM

    Hi,

     

    Removing the @domain seems to have sorted it, but it only seems to work with the Intel supplicant, not the Windows supplicant.

    I did also reinstall my CA, as I managed to break it so badly while fiddling with NDES that it now BSODs permanently. The old CA was 2008 and the new one is 2008 R2 (both Enterprise edition); I don't know if that makes any difference.



  • 10.  RE: PEAP with the inner method being EAP-TLS

    EMPLOYEE
    Posted Jan 13, 2014 01:37 PM

    This should work with the Windows supplicant as well, but it might be that the Windows supplicant uses DOMAIN\user instead of user@domain; you can also strip that format by changing the strip parameters to:

     

    user:@,\:user

     

    Also, check in the Access Tracker the exact format of the username sent by your supplicant and make sure you strip it down to only the username before sending it to AD.


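    The normalisation the two replies above describe (user@realm from the certificate, DOMAIN\user from the Windows supplicant, both reduced to the bare AD username), as an added illustration in Python, not ClearPass's own strip-rule parser. The directory contents and the allowed realm list are constructed for the example; the realm check is an added safeguard so an identity from a foreign realm is not collapsed onto a local account.

```python
# Added example (not ClearPass code): reduce the identity a supplicant sends to the
# bare username stored in AD, covering the user@realm and DOMAIN\user forms from the thread.
from typing import Optional, Set

# Constructed sample directory: sAMAccountName -> UPN realm. Not real data.
AD_USERS = {"808": "home.local"}
# Assumed: the only realm/NetBIOS names this AD is authoritative for.
EXPECTED_REALMS: Set[str] = {"home.local", "HOME"}


def strip_username(identity: str, allowed_realms: Set[str] = EXPECTED_REALMS) -> Optional[str]:
    """Return the bare username for 'user@realm' or 'DOMAIN\\user'.

    Returns None when the realm/domain part is not one we expect, so an identity
    such as 808@other.example is not silently mapped onto the local account 808.
    """
    allowed = {r.lower() for r in allowed_realms}
    if "\\" in identity:                        # DOMAIN\user (Windows native supplicant form)
        realm, _, user = identity.partition("\\")
    elif "@" in identity:                       # user@realm (UPN form carried in the certificate)
        user, _, realm = identity.rpartition("@")
    else:
        return identity or None                 # already a bare username
    if not user or realm.lower() not in allowed:
        return None
    return user


def lookup(identity: str) -> bool:
    """Simulate the AD lookup that the Access Tracker reported as 'user not found'."""
    user = strip_username(identity)
    return user is not None and user in AD_USERS


if __name__ == "__main__":
    # Without stripping, the certificate identity is not a key in the directory.
    print("raw lookup of 808@home.local:", "808@home.local" in AD_USERS)
    for ident in ("808@home.local", "HOME\\808", "808", "808@other.example"):
        print(f"{ident!r:>20} -> stripped={strip_username(ident)!r} found={lookup(ident)}")
```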

  • 11.  RE: PEAP with the inner method being EAP-TLS
    Best Answer

    EMPLOYEE
    Posted Jan 14, 2014 06:40 AM

    Andy,

     

    I replayed this scenario in my lab, and had no issues with the Microsoft supplicant. I created a document (attached) to show what I did and how I configured it.

     

    As a bonus, Microsoft NAP configuration and validation is included in this document as well.

     

    The document describes how to configure PEAP-TLS (outer tunnel: EAP-PEAP; inner tunnel: EAP-TLS) for ClearPass 6.2 and a Windows 7 client, and how to enable OnGuard through NAP in the default Windows supplicant.



  • 12.  RE: PEAP with the inner method being EAP-TLS

    Posted Jan 14, 2014 04:18 PM

    Thanks for the info, I will be using it tomorrow.