Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Stripping prefix \ suffix clearpass

  • 1.  Stripping prefix \ suffix clearpass

    Posted Nov 01, 2012 04:57 PM

    Hello,

    I would like to strip the prefix and the suffix of my machine authentication as the full name is not in the active directory.

    I was able to do it for users but not machines.

    Currently I have host/computername.domain.net

    I would like to strip the host/ and the domain.net

    For users I did user:@, but how can I achieve this for machines?

    Thanks.




  • 2.  RE: Stripping prefix \ suffix clearpass

    Posted Nov 01, 2012 06:54 PM

    There should be no need to strip the host or the domain name portion when doing machine authentication through CPPM to AD on the backend; I have this working in some environments.  If it is failing, what does the Alerts tab say for the failed event under Access Tracker?



  • 3.  RE: Stripping prefix \ suffix clearpass

    Posted Nov 02, 2012 08:37 AM

    It claims that the user is not found, although it's a computer certificate.

    AD_Authentication - x.y.a.b: User not found.
    EAP-TLS: Authentication failure, unknown user



  • 4.  RE: Stripping prefix \ suffix clearpass
    Best Answer

    EMPLOYEE
    Posted Nov 02, 2012 08:54 AM

    Who issued the certificate?  What CA?  CPPM might be looking up the "user" in the CN and trying to find it in AD.  You might want to make a copy of the EAP-TLS method and in the copy, uncheck "authorization".




  • 5.  RE: Stripping prefix \ suffix clearpass

    Posted Nov 02, 2012 08:58 AM

    Yes!

    Thanks a lot.

    I totally didn't think about it.




  • 6.  RE: Stripping prefix \ suffix clearpass

    Posted Nov 02, 2012 09:03 AM

    Sorry to bother again, can you please explain this?

    Now I got the certificate working fine (user and computer certificate).




  • 7.  RE: Stripping prefix \ suffix clearpass

    EMPLOYEE
    Posted Nov 02, 2012 09:07 AM

    I am only guessing here, because I do not know your deployment:


    In the EAP-TLS method, there is an option to ensure that the "user" in the certificate actually exists in active directory.  What field you actually compare to a user is also configurable in the EAP-TLS method.  It is a way to ensure that the "user" that the certificate was issued to actually exists.  When you turn this on, you need to make sure that the right field in the certificate is compared against the user, otherwise it will not work.  You can turn this off and as long as the certificate has not expired, it will allow the device to get on.


    EAP-TLS quite frankly can be very involved, so I am only speaking generally.
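An added example, not code from the thread or from ClearPass itself, that models the lookup behind the "User not found" alert quoted earlier and the effect of the authorization toggle described in this reply. The directory contents, function names and the `strip` / `check_authorization` switches are constructed for illustration; in ClearPass the compared certificate field is configured in the EAP-TLS method.

```python
# Constructed stand-in for AD sAMAccountName values. A computer object's
# sAMAccountName is its short host name followed by a trailing '$'.
CONSTRUCTED_DIRECTORY = {
    "alice": "user",
    "LAPTOP01$": "computer",
}


def strip_identity(identity: str) -> str:
    """Reduce an EAP identity to the bare name AD stores.

    host/laptop01.domain.net -> LAPTOP01$  (host/ prefix and DNS suffix removed)
    alice@domain.net         -> alice      (the user:@ rule from the question)
    DOMAIN\\alice            -> alice
    """
    if identity.lower().startswith("host/"):
        fqdn = identity[len("host/"):]
        short_name = fqdn.split(".", 1)[0]   # drop the domain suffix
        return short_name.upper() + "$"      # AD computer-account form
    if "@" in identity:
        return identity.split("@", 1)[0]
    if "\\" in identity:
        return identity.rsplit("\\", 1)[1]
    return identity


def authorize(identity: str, cert_expired: bool = False,
              check_authorization: bool = True, strip: bool = True,
              directory: dict = CONSTRUCTED_DIRECTORY) -> str:
    """Simulate the EAP-TLS method's optional 'authorization' step.

    With the check on, the certificate identity (stripped or raw) must exist
    in the directory; otherwise the result is the Access Tracker alert.
    With the check off, a non-expired certificate is enough to get on.
    """
    if cert_expired:
        return "Certificate expired"
    if not check_authorization:
        return "ACCEPT"
    key = strip_identity(identity) if strip else identity
    return "ACCEPT" if key in directory else "User not found"
```

Looking up the raw `host/...` identity reproduces the alert from reply 3; stripping it (or unchecking authorization) is what lets the machine through.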



  • 8.  RE: Stripping prefix \ suffix clearpass

    Posted Nov 02, 2012 09:26 AM

    I get the point.

    What I care about mostly is to authenticate the machine, and less the user; we will issue computer certificates with a custom attribute to verify against the active directory.



  • 9.  RE: Stripping prefix \ suffix clearpass
    Best Answer

    EMPLOYEE
    Posted Nov 02, 2012 09:31 AM

    Well, you don't need to accomplish machine-only with TLS and client-side certificates.  You can accomplish this with regular PEAP.


    You can set up a group policy where only the machine authenticates on the wireless side:  http://support.microsoft.com/kb/929847  You can also accomplish this with group policy:  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx



  • 10.  RE: Stripping prefix \ suffix clearpass

    Posted Nov 02, 2012 09:33 AM

    I wanted the TLS for extra security.