Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User authentication with trusted root cert of AD

  • 1.  User authentication with trusted root cert of AD

    Posted Feb 19, 2020 08:40 AM

    Dear All, 

    One of my customers requires the below. Please advise what steps might be required.

    1) User will connect from a workgroup machine

    2) User will be part of domain

    3) User shall not be allowed to authenticate if the trusted root CA of AD CS is not installed on the machine

    Can it be done using PEAP, or do I need to use EAP-TLS?



  • 2.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 19, 2020 08:51 AM

    We always recommend using EAP-TLS, which is more secure compared to EAP-PEAP; it is achievable with both EAP-TLS and PEAP.



  • 3.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 19, 2020 09:15 AM

    This can be done with either PEAP/MSCHAP or TLS, though we recommend TLS (PEAP/MSCHAP is too easy to run MitM and DoS attacks against).

    Assuming the ClearPass RADIUS certificate is signed by the AD CS, then if the PC does not have the AD's root certificate installed it "should" reject the request. By default the SSID should have "Validate the server's identity by validating the certificate" enabled; if the user has access to this setting they could circumvent this, but most domain PC users should be hardened so that they cannot edit the SSID details.



  • 4.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:25 AM
    Dear dmellor,

    In my case, the user is coming from a workgroup machine. So yes, they can uncheck "validate the server identity". Keeping this in mind, is it possible to reject the authentication if either the root cert is not installed or "validate cert" is unchecked?


  • 5.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 19, 2020 09:41 AM

    If the client does not have a valid third-party root CA or the internal AD CS root certificate in its trust list, auth will fail.

    You have to add the root CA to the client trust list for auth to work.

    In EAP-PEAP, the client has to trust the server certificate for authentication to work. If the client unchecks "validate server certificate", auth will still work.



  • 6.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:45 AM
    So what do I need to configure on ClearPass?


  • 7.  RE: User authentication with trusted root cert of AD



  • 8.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 10:24 AM
    Dear Pavan

    I know how to configure all this. But in order to meet this requirement, do I need to configure something else as well? Or is a normal 802.1X PEAP setup enough?


  • 9.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 19, 2020 11:09 AM

    An EAP-PEAP setup is enough, but we recommend EAP-TLS for better security.



  • 10.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 12:43 PM

    Dear Pavan, 

     

    I tried the following but it doesn't work:

    1) Downloaded the root CA of my AD CS

    2) Imported it under ClearPass (snapshot attached)

    3) Generated a CSR, got certificates for ClearPass and installed them (snapshot attached)

    4) Created a simple 802.1X service (PEAP) that checks if TIPS assigns the [User Authenticated] role; if so, it will allow access

    5) Tried connecting from my workgroup machine, which DOESN'T have the AD CS root CA certificate installed

    6) It connects!!

    The requirement is that this user shouldn't be able to connect. Any ideas what I am missing?



  • 11.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 19, 2020 02:39 PM

    Hello Ronin101,

     

    What you tested is 802.1X authentication with EAP-PEAP. The authentication worked because it is a workgroup machine and either it trusts the server certificate installed on ClearPass, or server cert validation is disabled in the client's 802.1X configuration (in case it does not trust it).

    The trust list in ClearPass does not come into play for EAP-PEAP; it is used in EAP-TLS, when ClearPass has to check the client certificate.

    In EAP-PEAP, you can only check the server cert's validation on the client: if it passes, by default the auth will work; if it fails, auth will not work. If you want to stop clients from being able to check/uncheck the cert validation, you could push an AD group policy to disable that access on client machines.

    If you want ClearPass to perform certain certificate checks on the client for authentication, you should use EAP-TLS.

    To sum it all up, for your third requirement:

    "3) User shall not be allowed to authenticate if Trusted root CA of AD CS is not installed on the machine"

    Is the ClearPass server cert signed by the "Trusted root CA of AD CS"? Then you can do EAP-PEAP and use the validation option; if not, you need EAP-TLS.

    Hope this helps..

    --


  • 12.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 02:48 PM
    Dear Fayyaz

    Just to confirm: if using PEAP only, there is no way to reject client (workgroup) authentication if it doesn't have the root CA cert installed, right?


  • 13.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 19, 2020 02:53 PM

    Yes. If the ClearPass server cert is different and the client trusts it, auth will work, irrespective of whether the cert you are looking for is installed on the client machine or not.

    EAP-PEAP will only check whether the client trusts ClearPass's server cert. It will not check for any other additional certs on clients; you will need to do EAP-TLS for that.

     

    --



  • 14.  RE: User authentication with trusted root cert of AD

    Posted Feb 19, 2020 09:11 PM

    Dear Fayyaz,

     

    I need to understand your statement:

    "Yes, if the Clearpass server cert is different and if clients trusts it, auth will work, irrespective of the cert you are looking for is installed or not, on the client machine."

    In my case, I get a minor warning and then I am able to connect. So auth is not failing in any case if I am using PEAP.



  • 15.  RE: User authentication with trusted root cert of AD

    EMPLOYEE
    Posted Feb 20, 2020 04:08 AM

    Are you getting a certificate warning ERROR while connecting to the SSID?

    Is "Verify the server's identity" enabled under Ethernet Properties? We can also provide a list of servers to which the client is allowed to connect under the "Connect to these servers" option.

    If the certificate is in the trust list of the client machine, it will allow.

    (screenshot attached: Capture.PNG)

     



  • 16.  RE: User authentication with trusted root cert of AD

    Posted Feb 20, 2020 04:35 AM

    No, it's not enabled, and the point is: can authentication FAIL if it's "unchecked"? From the info I have gathered so far, it's not possible.

    Do you think it's possible on workgroup machines without checking "validate server identity"?



  • 17.  RE: User authentication with trusted root cert of AD
    Best Answer

    EMPLOYEE
    Posted Feb 20, 2020 05:40 AM

    If you are using EAP-PEAP then you have to enable the server certificate validity check.

    Unchecking validity still allows auth to work.



  • 18.  RE: User authentication with trusted root cert of AD

    Posted Feb 20, 2020 05:42 AM

    Dear Pavan,

     

    As a side note, do you have any idea how to import/install a user certificate from AD CS on workgroup machines?



  • 19.  RE: User authentication with trusted root cert of AD