Aruba

Re: Service config for EAP-TLS with external certificate provider (MDM)

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/m-p/93548/highlight/true#M6702

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Regular Contributor I

Re: Service config for EAP-TLS with external certificate provider (MDM)

So this is a pretty basic question I realise, but why would AD be involved in authentication?

I would have thought the certificate itself is the authentication if it is signed correctly. Perhaps some attributes of the cert can be accessed and queried in AD but this would be an authorisation function.


--
ACMA ACMP
Aruba

Re: Service config for EAP-TLS with external certificate provider (MDM)

All the certificate is, is a means to securely present your user credentials. You will still need the AD to authenticate the username that is presented by the cert. 

Thank You,
Troy

Regular Contributor I

Re: Service config for EAP-TLS with external certificate provider (MDM)

Thanks Troy,

It wasn't initially clear how this worked, but after a couple of days in the lab it makes sense.

I took the MDM out of the equation and just focused on the CA. The bit that was missing from my understanding is how (in an MS environment) the certificate is issued to a domain member and ClearPass uses the UserDN to auth - whether it's a User or Computer.

Still a couple of issues, but I will post separately if needed.

cheers


--
ACMA ACMP
Contributor I

Re: Service config for EAP-TLS with external certificate provider (MDM)

@tarnold wrote:
> All the certificate is, is a means to securely present your user credentials. You will still need the AD to authenticate the username that is presented by the cert.

Hi Troy,

Would it be fair to say that the certificate itself is a credential? My customer only uses machine certificates and therefore the AD lookup is disabled. CPPM is not configured in any way to communicate with AD.

If the machine presents a valid and trusted cert, then they can connect.

Regards

Chris

Guru Elite

Re: Service config for EAP-TLS with external certificate provider (MDM)

Yes

Common name = identity (username)
Certificate crypto = credential (password)

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Regular Contributor I

Re: Service config for EAP-TLS with external certificate provider (MDM)

> Would it be fair to say that the certificate itself is a credential? My customer only uses
> machine certificates and therefore the AD lookup is disabled. CPPM is not configured in
> any way to communicate with AD.

Chris, absolutely.

To split hairs about it, the AD part of the authentication is actually step 2.

Step 1 of the authentication is the fact you accepted the certificate. By definition a message that can be decrypted with a public key must have been encrypted by whoever had the private key. If you can read the message and you trust the CA of the cert you've already authenticated them.

Step 2 is authenticating an attribute of the cert against AD. Depending on the context this could be considered authorization not authentication. For example if you want to allow any cert on the network but apply a special role to certs belonging to AD users.

The ClearPass way of doing things doesn't make these distinctions clear. For example it would make sense to have an authentication source that is a list of trusted CAs for this service. Instead there is a global trust list and an implicit authentication of the cert.

So Chris what are you using as an authentication source for your service, given you have to have something in there?


--
ACMA ACMP
Contributor I

Re: Service config for EAP-TLS with external certificate provider (MDM)

Hey,

Yes, I guess I would consider the AD integration part to be "Authorisation", as you are using an attribute to make a policy decision, post authentication.

If I recall correctly, I found that I had to modify the default EAP-TLS 'Authentication Method' and untick 'Authorisation'. This allowed me to have NO Authentication Source in the service.

I struggled with this for a while.

The customer only needed basic authentication, no authorisation. If you have a valid cert then you can connect.

I know it works on both wireless and wired dot1x. I often see some strange client certificates from non-SOE devices that are presented to CPPM; these are denied auth (which is to be expected).
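
The two-step split described a couple of posts up (step 1: the trusted cert plus its crypto is the credential, as Tim put it; step 2: an attribute lookup that is really authorization) and the cert-only service Chris describes, as an added example that is not from this thread, from Aruba or from ClearPass: a POSIX shell script around openssl that builds a throwaway lab CA, issues two machine certificates, and then makes the access decision the way a NAS would. Step 1 checks the chain against the trust list and checks proof of possession of the private key (in the real EAP-TLS handshake the client proves this by signing handshake data in CertificateVerify; the script models it by signing a constructed nonce). Step 2 is the optional directory lookup, switched on or off like the 'Authorisation' tick box. The CA name, the hostnames, the directory.txt file standing in for AD computer objects, the roles and the eap_tls_decide function are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearPass. The lab CA,
# hostnames, roles and "directory" file below are constructed stand-ins.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lab PKI: one trusted issuing CA, two machine certs it issued, and a
# self-signed cert that merely copies a legitimate CN (the "strange client
# certificates" a NAS sees from devices outside the SOE). Constructed data.
gen_lab_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    for cn in host01.corp.example host99.corp.example; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$WORK/$cn.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$cn.pem" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=host01.corp.example" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
    # Stand-in for the AD objects an authorization lookup would hit: "<CN> <role>".
    # host99 holds a cert from the trusted CA but was never registered here.
    printf 'host01.corp.example domain-machine\n' > "$WORK/directory.txt"
}

# eap_tls_decide CERT KEY CAFILE AUTHZ(yes|no)  -> prints ACCEPT:<role> or REJECT:<reason>
# Step 1 (authentication): chain to the trust list, then proof of possession.
#   The certificate is public; the secret is the private key, which the real
#   handshake proves by a signature in CertificateVerify. Modelled by signing
#   a constructed nonce with KEY and verifying with the cert's public key.
# Step 2 (authorization, only if AUTHZ=yes): pull an identity attribute out of
#   the cert (CN here; Windows CA templates usually also put a UPN or DNS name
#   in the SAN) and look it up in the directory to choose a role.
eap_tls_decide() {
    cert=$1; key=$2; ca=$3; authz=$4
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "REJECT:untrusted-issuer"; return 0; }
    printf 'constructed-handshake-nonce-%s' "$$" > "$WORK/nonce"
    openssl x509 -in "$cert" -pubkey -noout > "$WORK/peer.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$key" -out "$WORK/nonce.sig" "$WORK/nonce" 2>/dev/null
    openssl dgst -sha256 -verify "$WORK/peer.pub" -signature "$WORK/nonce.sig" \
        "$WORK/nonce" >/dev/null 2>&1 \
        || { echo "REJECT:no-proof-of-possession"; return 0; }
    # Cert-only service: no authentication source, a valid trusted cert is enough.
    [ "$authz" = yes ] || { echo "ACCEPT:default"; return 0; }
    cn=$(openssl x509 -in "$cert" -noout -subject | sed 's/.*CN *= *//')
    role=$(awk -v cn="$cn" '$1 == cn { print $2 }' "$WORK/directory.txt")
    [ -n "$role" ] && echo "ACCEPT:$role" || echo "REJECT:not-in-directory"
    return 0
}

gen_lab_pki
for case in "host01.corp.example.pem host01.corp.example.key yes" \
            "host99.corp.example.pem host99.corp.example.key yes" \
            "host99.corp.example.pem host99.corp.example.key no" \
            "rogue.pem rogue.key yes" \
            "host01.corp.example.pem rogue.key yes"; do
    set -- $case
    echo "$1 with $2, authz=$3: $(eap_tls_decide "$WORK/$1" "$WORK/$2" "$WORK/ca.pem" "$3")"
done
```

Run it with sh; it needs only openssl. The third case is Chris's configuration (trusted cert, authorization off, accept), the second is the same cert with authorization on (trusted but unknown to the directory, reject), the fourth is the self-signed impostor rejected at the trust list before any attribute is looked at, and the fifth shows why the cert by itself is not the credential: a copy of a genuine certificate without its private key fails proof of possession.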

Regular Contributor I

Re: Service config for EAP-TLS with external certificate provider (MDM)

> If I recall correctly, I found that I had to modify the default EAP-TLS 'Authentication Method' and
> untick 'Authorisation'. This allowed me to have NO Authentication Source in the service.

Wow, disable authorisation to allow basic authentication, that is confusing. It is kind of an admission that the AD part is authorisation though :)

> The customer only needed basic authentication, no authorisation. If you have a valid cert then you can connect.

Great, hopefully this thread helps someone who needs the same. Again this would make more sense if the CA trust list was an authentication source.

--
ACMA ACMP