Re: User authentication with trusted root cert of AD

Hello Ronin101,

What you tested is 802.1X authentication with EAP-PEAP. The authentication worked because it is a workgroup machine and it trusts the server certificate installed on the ClearPass, or because server cert validation is disabled in the client's 802.1X configuration (in case it does not trust it).

The trust list in ClearPass does not come into play for EAP-PEAP; it is used in EAP-TLS, when ClearPass has to check the client certificate.

In EAP-PEAP, you can only check the server cert's validation on the client. If it works, by default the auth will work; if it fails, auth will not work. If you want to stop clients from being able to check/uncheck the cert validation, you could push an AD group policy to remove that access from client machines.

If you want ClearPass to perform certain certificate checks on the client in order to perform authentication, you should do EAP-TLS.

To sum it all up:

" for your third requirement:

3) User shall not be allowed to authenticate if Trusted root CA of AD CS is not installed on the machine "

Is the ClearPass server cert signed by the "Trusted root CA of AD CS"? Then you can do EAP-PEAP and use the validation option; if not, you need EAP-TLS.

Hope this helps.

--

-If you got what you need with my answer please give kudos and mark it as solution.
Re: User authentication with trusted root cert of AD

Dear Fayyaz,

Just to confirm: if using PEAP only, there is no way to reject client (workgroup) authentication if it doesn't have the root CA cert installed, right?

ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
Re: User authentication with trusted root cert of AD

Yes, if the ClearPass server cert is different and the clients trust it, auth will work, irrespective of whether the cert you are looking for is installed on the client machine or not.

EAP-PEAP will only check whether the client trusts ClearPass's server cert. It will not check for any other additional certs on clients; you will need to do EAP-TLS for that.

--

-If you got what you need with my answer please give kudos and mark it as solution.
Re: User authentication with trusted root cert of AD

Dear Fayyaz,

I need to understand your statement:

"Yes, if the Clearpass server cert is different and if clients trusts it, auth will work, irrespective of the cert you are looking for is installed or not, on the client machine."

In my case, I get a minor warning and then I am able to connect. So auth is not failing in any case if I am using PEAP.

ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
MVP Expert

Re: User authentication with trusted root cert of AD

Are you getting a certificate warning ERROR while connecting to the SSID?

Is "Verify the server's identity" enabled under Ethernet Properties? We can also provide a list of servers to which the client is allowed to connect under the "Connect to these servers" option.

If the certificate is in the trust list of the client machine, it will allow the connection.

[Attachment: Capture.PNG]

Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Re: User authentication with trusted root cert of AD

No, it's not enabled, and the point is: can authentication FAIL if it's "unchecked"? From the info I have gathered so far, it's not possible.

Do you think it's possible on workgroup machines without checking/validating the server identity?

ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
MVP Expert

Re: User authentication with trusted root cert of AD

If you are using EAP-PEAP, then you have to enable the server certificate validity check.

Unchecking validity still allows auth to work.

Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
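As an added example (not from this thread, Aruba or Microsoft), a small audit of the settings Fayyaz and Pavan are discussing: it parses the PEAP section of an exported Windows 802.1X profile and flags a profile where "Verify the server's identity" is unchecked next to a hardened one with validation on, the user prompt suppressed, and the RADIUS server name and issuing CA pinned. The element names follow Microsoft's PEAP profile schema as written by `netsh wlan export profile`; the server name and CA thumbprint are constructed placeholders.

```python
"""Audit the server-validation settings in a Windows PEAP 802.1X profile.

Assumptions (not from the thread): the XML is what `netsh wlan export profile`
writes and the element names come from Microsoft's MsPeapConnectionProperties
schema. Only the PEAP <EapType> subtree is modelled here.
"""
import xml.etree.ElementTree as ET

V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

# Constructed excerpt of the PEAP section of an exported profile.
PEAP_TEMPLATE = f"""<EapType xmlns="{V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{{noprompt}}</DisableUserPromptForServerValidation>
    <ServerNames>{{names}}</ServerNames>
    {{rootca}}
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="{V2}">{{validate}}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""

# Workgroup client as described in the thread: "Verify the server's identity" unchecked.
WEAK_PROFILE = PEAP_TEMPLATE.format(noprompt="false", names="", rootca="", validate="false")
# Hardened profile: validation on, prompt suppressed, server name and issuing CA pinned.
# The thumbprint below is a constructed placeholder, not a real CA.
HARDENED_PROFILE = PEAP_TEMPLATE.format(
    noprompt="true", names="clearpass.example.test",
    rootca="<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>",
    validate="true")

def _text(root, tag):
    """Stripped text of the first element named tag in any namespace, or None if absent."""
    el = root.find(f".//{{*}}{tag}")
    return (el.text or "").strip() if el is not None else None

def audit_peap_profile(xml_text):
    """Return the weaknesses that let PEAP auth succeed without checking the server."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation disabled")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user may click through an untrusted server certificate")
    if not _text(root, "TrustedRootCA"):
        findings.append("no trusted root CA pinned for the RADIUS server")
    if not _text(root, "ServerNames"):
        findings.append("no server name restriction (any cert from a trusted CA accepted)")
    return findings
```

Run `audit_peap_profile` over the XML from a real export to see which of these a GPO-managed profile still leaves open.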

Re: User authentication with trusted root cert of AD

Dear Pavan,

As a side note, do you have any idea how to import/install a user certificate from AD CS on workgroup machines?

ACMP / ACSP / ACCP / ACEP / ACDX # 663
CCIE R/S - 37956
MVP Expert

Re: User authentication with trusted root cert of AD

Check this link to push a certificate from AD using GPO:

https://www.manageengine.com/sccm-third-party-patch-management/kb/deploy-signing-certificates-using-gpo-how-to.html

Manually installing a certificate on Windows:

https://support.securly.com/hc/en-us/articles/360026808753-How-to-manually-install-the-Securly-SSL-certificate-on-Windows

Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.