Contributor I

User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

We have ClearPass 6.7.9 and I have completed around 90% of the configuration but I can't get the user authentication working. We want to have a single SSID with EAP-TLS utilising an internal CA for domain computers and PEAP MSCHAPv2 utilising a public CA certificate for non-domain computers.
We have the computer authentication using the same internal CA working perfectly.

We imported the COMODO certificate into ClearPass but in the (user authentication) service there is only a single drop-down menu to select the certificate. How do I specify that the internal CA certificate should be used for EAP-TLS and the COMODO certificate should be used for PEAP MSCHAPv2?
If I create two user authentication services (one for EAP-TLS and one for PEAP MSCHAPv2) the user authentication request is always matched against the first service - EAP-TLS in our testing. The authentication request for non-domain computers utilising PEAP MSCHAPv2 would then be rejected with "EAP: Client doesn't support configured EAP methods". I can't use the "Authentication:OuterMethod" attribute to separate the requests as it is always "EAP".
Any assistance would be greatly appreciated.

Guru Elite

Re: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

You don’t. Both sets of clients need to be configured to trust the same EAP server certificate.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Contributor I

Re: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

To use a single certificate would require a reduction in security. We either use a public CA certificate for EAP-TLS, which is not recommended, or import the domain CA root/intermediate certificates onto third party clients, which is also not recommended.
Other AAA servers, including Microsoft's free NPS service, support this configuration. Surely ClearPass can be configured for this configuration.

Guru Elite

Re: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

There is zero difference in security level with regard to the EAP server certificate issuer.

Contributor I

Re: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

The customer's security policy requires all domain computers to authenticate using their domain CA. This leaves me "in a pickle" when it comes to authenticating contractors, who really act as full time staff members, but utilise their own laptops.
We currently use Microsoft NPS with the "Allowed EAP Type" condition to separate the EAP-TLS and PEAP MSCHAPv2 authentication types.

If ClearPass is not capable of supporting this we may just return it and keep the NPS AAA service.

Guru Elite

Re: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

The EAP server certificate has NO relationship to the client certificate used for EAP-TLS.

Contributor I

Re: User Auth using EAP-TLS with an internal CA cert and PEAP with a public CA cert

Tim, thanks for your help with this.

So you are saying that the service certificate assigned to the user authentication service should be signed by a public CA so both domain computers (EAP-TLS) and non-domain computers (PEAP MSCHAPv2) will trust it? The domain computers will continue to use the certificates signed by the domain CA independent of ClearPass while the non-domain computers will utilise the service certificate for phase 1 of PEAP.
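As an added illustration (not from this thread, Aruba or ClearPass), this is what the two trust relationships look like from the client side in a wpa_supplicant configuration: both network blocks validate the same ClearPass EAP server certificate through `ca_cert`, and only the EAP-TLS block additionally presents a client certificate issued by the internal domain CA. The SSID, file paths, identities and RADIUS server name are placeholders.

```conf
# Added example (not from the thread). Both network blocks validate the SAME
# EAP server (ClearPass) certificate via ca_cert; only the EAP-TLS block also
# presents a client certificate, which is issued by the internal domain CA.
# SSID, paths, identities and server name are placeholders.

# Domain computer: EAP-TLS
network={
    ssid="Corp-WLAN"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host/laptop01.corp.example"
    # Trust anchor for the ClearPass service certificate (public CA chain)
    ca_cert="/etc/ssl/certs/public-ca-chain.pem"
    # Require the expected server name so a certificate from the same public
    # CA but issued to a different name is not accepted
    domain_match="radius.corp.example"
    # Client identity comes from the INTERNAL domain CA; unrelated to ca_cert
    client_cert="/etc/wpa/laptop01-domainca.crt"
    private_key="/etc/wpa/laptop01.key"
}

# Contractor laptop (non-domain): PEAP with MSCHAPv2 inner method
network={
    ssid="Corp-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@corp.example"
    identity="contractor01"
    password="placeholder-password"
    # Same public CA chain validates the same ClearPass service certificate
    ca_cert="/etc/ssl/certs/public-ca-chain.pem"
    domain_match="radius.corp.example"
}
```

On the server side the internal domain CA root only needs to be in the trust list ClearPass uses to validate EAP-TLS client certificates; it is independent of which certificate ClearPass presents as the service certificate.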
