Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TPM-based attestation with ClearPass

  • 1.  TPM-based attestation with ClearPass

    Posted Jul 22, 2014 06:30 AM

    Hi,

    A potential ClearPass customer requires endpoint authentication/verification using TPM-based attestation.

    Has anybody looked at this or have any ideas on how to approach it?

    I am thinking that there might be a way using a 3rd party service that can do the TPM-based attestation as an additional authentication/authorisation source in CPPM if there isn't a way to do it directly with ClearPass.

    Regards

    Ronnie



  • 2.  RE: TPM-based attestation with ClearPass

    EMPLOYEE
    Posted Jul 23, 2014 08:05 AM

    What sort of information is the TPM module sending to ClearPass? If these are Remote APs, then we can authorize to CPPM for a centralized RAP whitelist. Is this what your customer was alluding to?



  • 3.  RE: TPM-based attestation with ClearPass

    Posted Jul 23, 2014 08:28 AM

    Hi Seth,

    Should probably have defined "endpoints".

    Customer is referring to laptops and desktops that have TPM on the motherboards and the objective is to be able to detect "perfect" clones which would be identical in all respects, including MAC address, with the exception of the cryptographic stuff in the TPM.

    The exact wording:

    "One of these involved the need for NAC to identify a cloned workstation using unique hardware properties such as TPM as part of the security posture assessment."

    Without a way to address this ClearPass does not get on the short list, implying at least one of the competitors can.

    Regards

    Ronnie



  • 4.  RE: TPM-based attestation with ClearPass

    EMPLOYEE
    Posted Jul 23, 2014 01:13 PM

    As long as we can get something consistent about the context of these devices, this shouldn't be an issue.



  • 5.  RE: TPM-based attestation with ClearPass

    Posted Jul 23, 2014 01:51 PM

    Hi Seth,

    Nice statement, but how?

    How do we query the "TPM" or "something that talks to TPM" from ClearPass?

    It seems that Aruba thinks it is unimportant, but Google (and DuckDuckGo) reveals NSA HAC (High Assurance Computing) and other hits, some EDU. Why is this being ignored when it seems to be the logical next step?

    Regards

    Ronnie



  • 6.  RE: TPM-based attestation with ClearPass

    EMPLOYEE
    Posted Jul 23, 2014 02:59 PM

    I am not a TPM expert per se, but I did some digging and ClearPass is a solution (RADIUS) that accepts authentication requests from an endpoint. That endpoint has to have a supplicant, either built into the OS or an external app, that can utilize the TPM functionality. From what I gathered, using a TLS certificate stored in the TPM is how this is done with EAP-TLS via machine authentication. ClearPass can understand this and you can write policy based on information housed within this cert.

    However, your original question is about attestation, which differs from authentication as noted below. So, any theory about an authorization source may or may not be feasible depending on requirements.

    Attestation:

    • Providing evidence about a target to an appraiser
    • Used for predicting future target behavior

    Authentication:

    • Identification of a machine or user
    • Usually, another partner in a protocol

    I would advise talking directly with your Aruba representation locally in your area to have a productive conversation about solving this use case.
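The machine-certificate/EAP-TLS approach described in the reply above catches a "perfect" clone because the certificate's private key lives inside the TPM and is not copied with the disk image, even though the MAC address and the certificate itself are. The Go program below is an added example written for this thread, not ClearPass code and not from any poster: a constructed CA binds a MAC to a device key, and the appraiser accepts only an endpoint that signs a fresh nonce with that key, so a clone holding the same MAC and the same credential but no key is rejected. ECDSA over P-256 stands in for the TLS handshake, and the names NewCA, Enroll, Respond and Appraise are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is the CA-issued binding of a MAC address to a device public key.
// Every field is public, so a clone can copy all of it; only the matching
// private key, held inside the TPM, cannot be copied out.
type Credential struct {
	MAC   string
	Pub   *ecdsa.PublicKey
	CASig []byte // CA signature over credDigest(MAC, Pub)
}

// NewCA makes a throwaway issuing key (constructed for this example).
func NewCA() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// credDigest is what the CA signs: sha256(MAC || X || Y of the device key).
func credDigest(mac string, pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append(append([]byte(mac+"|"), pub.X.Bytes()...), pub.Y.Bytes()...))
	return h[:]
}

// Enroll binds mac to a fresh device key (standing in for the TPM-held key) and
// has the CA sign that binding. The private key stays with the genuine machine.
func Enroll(caKey *ecdsa.PrivateKey, mac string) (Credential, *ecdsa.PrivateKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return Credential{}, nil, err }
	sig, err := ecdsa.SignASN1(rand.Reader, caKey, credDigest(mac, &k.PublicKey))
	return Credential{mac, &k.PublicKey, sig}, k, err
}

// Respond signs the appraiser's nonce with the TPM-held key. A clone that copied
// MAC and credential has no such key (nil here) and cannot answer.
func Respond(tpmKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	if tpmKey == nil { return nil, errors.New("no TPM-held key behind this credential") }
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, tpmKey, h[:])
}

// Appraise is the server-side check: the credential chains to the CA, its MAC
// matches what the NAS reported, and the endpoint proved possession of the key.
func Appraise(caPub *ecdsa.PublicKey, seenMAC string, c Credential, nonce, resp []byte) bool {
	if c.MAC != seenMAC || !ecdsa.VerifyASN1(caPub, credDigest(c.MAC, c.Pub), c.CASig) { return false }
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(c.Pub, h[:], resp)
}
```

In a real deployment the nonce is supplied by the TLS handshake and the CA check is the server's certificate-chain validation; the point the toy shows is that a MAC-plus-certificate copy without the TPM-resident key cannot complete the exchange.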