Security


User authentication with trusted root cert of AD

Dear All, 

One of my customers requires the below to be achieved. Please advise what steps might be required.

 

1) User will connect from a workgroup machine

2) User will be part of domain

3) User shall not be allowed to authenticate if Trusted root CA of AD CS is not installed on the machine

 

Can it be done using PEAP or do I need to use EAP-TLS?




ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956

Accepted Solutions
MVP Expert

Re: User authentication with trusted root cert of AD

If you are using EAP-PEAP then you have to enable the server certificate validity check.

 

Unchecking validity still allows auth to work.


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.



All Replies
MVP Expert

Re: User authentication with trusted root cert of AD

We always recommend using EAP-TLS, which is more secure compared to EAP-PEAP, but it is achievable with both EAP-TLS and PEAP.

 

 


Pavan Arshewar | ACCP

Aruba Employee

Re: User authentication with trusted root cert of AD

This can be done with either PEAP/MSCHAP or TLS - though we recommend TLS (PEAP/MSCHAP is too easy to do MitM and DoS attacks against).

Assuming the ClearPass RADIUS certificate is signed by the AD CS, then if the PC does not have the AD's root certificate installed it "should" reject the request. By default the SSID should have "Validate the server's identity by validating the certificate" enabled; if the user has access to this setting they could circumvent this - but most domain PC users should be hardened so that they cannot edit the SSID details.


Re: User authentication with trusted root cert of AD

Dear dmellor,

In my case, the user is coming from a workgroup machine. So yes, they can uncheck "validate the server identity". Keeping this in mind, is it possible to reject the authentication if either the root cert is not installed or if "validate cert" is unchecked?



ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
MVP Expert

Re: User authentication with trusted root cert of AD

If the client does not have a valid third-party root CA or the internal AD CS root certificate in its trust list, auth will fail.

 

You have to add root CA to client trust list for auth to work.

 

In EAP-PEAP, the client has to trust the server certificate for authentication to work. If the client unchecks "validate server certificate", auth will still work.

 


Pavan Arshewar | ACCP


Re: User authentication with trusted root cert of AD

So what do I need to configure on ClearPass?



ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
MVP Expert

Re: User authentication with trusted root cert of AD

Check this Tech note doc.

 

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33311


Pavan Arshewar | ACCP


Re: User authentication with trusted root cert of AD

Dear Pavan

I know how to configure all this. But in order to meet this requirement, do I need to configure something else as well? Or is a normal 802.1X PEAP setup enough?



ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
MVP Expert

Re: User authentication with trusted root cert of AD

EAP-PEAP setup is enough but we recommend EAP-TLS for better security.


Pavan Arshewar | ACCP


Re: User authentication with trusted root cert of AD

Dear Pavan, 

 

I tried the following but it doesn't work:

1) Downloaded the root CA of my AD CS

2) Imported it under ClearPass (snapshot attached)

3) Generated a CSR, got certificates for ClearPass and installed them (snapshot attached)

4) Created a simple 802.1X service (PEAP) that will allow access if TIPS assigns the [User Authenticated] role

5) Tried connecting from my workgroup machine which DOESN'T have the AD CS root CA certificate installed

6) It connects!!

 

The requirement is that this user shouldn't be able to connect. Any ideas what I am missing?




ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956