Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VIA and Clearpass

  • 1.  VIA and Clearpass

    Posted Aug 14, 2019 09:17 AM

    Hello,

     

    I'd like to make EAP-TLS authentication for end users using the VIA clients with ClearPass. I can't find any documentation on this and I'm new on ClearPass.

     

    On my aruba controller:

    -I activated the licences (VIA PEFV)

    -Created the PSK

    -Created the VPN Pool

    -Created the VIA Users Role, the VIA Authentication Profile, the VIA Connection Profile and the WEB Connection Profile.

     

    Do I need to upload a certificate on my controller?

     

    I configured the authentication servers on my controller but what do I have to configure on my Clearpass to enable EAP-TLS for VIA's users?

     

    Regards,



  • 2.  RE: VIA and Clearpass

    EMPLOYEE
    Posted Aug 27, 2019 10:43 AM

    A bit of a late reply.

     

    No need for a certificate on the controller. The trust is between the client and the radius server (Clearpass in this case). The only certificate you may need is for the via profile download (normal ssl/https certificate), but you can run without. You will get a certificate validation warning when downloading the VIA profile and using the default or no certificate.

     

    The role assigned in the via auth-profile needs to refer to a via connection-profile which has ikev2 enabled and ikev2auth set to eap-tls.

    The connection profile also needs an auth-profile which contains the right radius server group.

    If no auth-profile is present in the connection-profile, it uses the default auth-profile, which by default authenticates to the controller's internal db and not to your radius server.

     

    Below is a config snippet summarizing the above:

     

    user-role eaptls-via-role
        pool l2tp via-pool
        via "EAP-TLS"
        access-list session allowall

    aaa authentication via auth-profile "EAP-TLS"
        default-role "eaptls-via-role"
        server-group "lab-vpn"
        no cert-cn-lookup

    { The server-group "lab-vpn" is a group containing the radius/Clearpass server(s) }

    aaa authentication via connection-profile "EAP-TLS"
        server addr "12.34.56.78" internal-ip 10.0.0.1 desc "VIA" position 1
        auth-profile "EAP-TLS" position 1
        tunnel address 192.168.2.0 netmask 255.255.255.0
        split-tunneling
        ikev2-proto
        ikev2auth eap-tls

     

    On Clearpass you need to add the VIA controller as a Device using the right Radius shared secret.

    You can use a standard EAP-TLS service (e.g. the EAP-TLS template for wireless), but the NAS-Port-Type is different for a VPN connection.

    For VPN, the NAS-Port-Type = Virtual (5).

    Clearpass needs to trust the CA issuing the client certificates. Add the trust chain of the CA signing the Client certificates to the Clearpass trust list.

    And of course Clients need to trust the Radius/Clearpass certificate.
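The NAS-Port-Type point above, as an added example that is not part of this thread or of ClearPass itself: a stdlib-only Python script that builds a constructed VIA-style RADIUS Access-Request and evaluates it against a service rule copied from the wireless EAP-TLS template versus one that expects Virtual (5). The attribute numbers are the standard RFC 2865 ones; the username and EAP payload are made up for the example.

```python
"""Show why a ClearPass service cloned from the wireless EAP-TLS template
does not match a VIA VPN request: the NAS-Port-Type differs.
The packet below is constructed for this example."""
import struct

# RFC 2865 attribute types used here
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79

# NAS-Port-Type values (RFC 2865 section 5.41)
NAS_PORT_TYPE_VIRTUAL = 5          # VPN / VIA tunnels
NAS_PORT_TYPE_WIRELESS_80211 = 19  # WLAN clients

def build_access_request(attrs, identifier=1, authenticator=b"\x00" * 16):
    """Serialise an Access-Request (code 1) with the given (type, value) attrs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)  # 4-byte header + 16-byte authenticator + TLVs
    return struct.pack("!BBH", 1, identifier, length) + authenticator + body

def parse_attributes(packet):
    """Return {type: [values]} from a RADIUS packet; raise on malformed TLVs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return attrs

def nas_port_type(attrs):
    raw = attrs.get(ATTR_NAS_PORT_TYPE)
    return struct.unpack("!I", raw[0])[0] if raw else None

def service_matches(attrs, expected_port_type):
    """Model an EAP-TLS service rule: EAP-Message present AND NAS-Port-Type equals X."""
    return ATTR_EAP_MESSAGE in attrs and nas_port_type(attrs) == expected_port_type

# Constructed sample of what a VIA client's request carries on the wire
VIA_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"alice@example.test"),
    (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"),  # EAP-Response/Identity
])

if __name__ == "__main__":
    a = parse_attributes(VIA_REQUEST)
    print("wireless template matches:", service_matches(a, NAS_PORT_TYPE_WIRELESS_80211))
    print("VPN service matches:", service_matches(a, NAS_PORT_TYPE_VIRTUAL))
```

When the wireless-template rule returns False, the request falls through to no service, which is the symptom to look for in Access Tracker before touching certificates.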



  • 3.  RE: VIA and Clearpass

    Posted Aug 28, 2019 09:43 AM

    Hello,

    I've all the certificate chain trusted on my ClearPass.

    I've enabled ikev2 EAP-TLS on my Controller.

    My Client has a trusted certificate (same chain as trusted one on ClearPass).

     

    But I still have issues with EAP-TLS authentication (look at file attached).

     

    I don't get what I'm missing as I'm able to authenticate users in EAP-TLS on a WLAN with the same ClearPass and Controller.

     

    Thank you,


    Regards



  • 4.  RE: VIA and Clearpass

    EMPLOYEE
    Posted Aug 29, 2019 05:53 AM

    I just checked my lab setup and I noticed a VPN certificate was installed (I guess for a different test in the past). After removing the certificate, I noticed that VIA EAP-TLS authentications stopped working.

    This doesn't make sense, as the controller is not in the 'trust path' (trust is between Radius server and Client).

    I will investigate further and will raise a bug if needed.

    Could you try adding a certificate to your controller and use that certificate as VPN certificate (Configuration -> Service -> VPN -> General VPN: Server-Certificate for VPN Clients)? You could just use your Clearpass Radius certificate for this.



  • 5.  RE: VIA and Clearpass

    Posted Aug 29, 2019 06:29 AM

    Hello,

     

    "Could you try adding a certificate to your controller and use that certificate as VPN certificate (Configuration -> Service -> VPN -> General VPN: Server-Certificate for VPN Clients)?"

     

    Should I use a PFX Server Certificate?

     

    "You could just use your Clearpass Radius certificate for this."


    Can I generate it from my ClearPass?

     

    Thank you,

    Regards,



  • 6.  RE: VIA and Clearpass

    EMPLOYEE
    Posted Aug 29, 2019 07:26 AM

    Yes, you can export your Clearpass radius certificate with the private key by specifying a password (Administration -> Certificates -> Certificate Store and click the Export button). It will create a P12 file.

    This file you can import into the controller with Certificate Type "ServerCert" and with Certificate format "PKCS12". Provide the same password as you entered when exporting the certificate. Also give it a useful name, like Clearpass-radius-cert for example. Next, select this certificate as VPN Server certificate on the controller.

     

    However, I just noticed the jpg file with the error message, and that seems to be a different issue. In my case, when no VPN Server certificate is configured, I don't receive a radius request at all.



  • 7.  RE: VIA and Clearpass

    EMPLOYEE
    Posted Aug 30, 2019 06:13 AM

    It turns out that my earlier statement about the need for a VPN server certificate was wrong. Sorry about that. Even when using VIA EAP-TLS, the VPN Server certificate is required.

    The VPN Server certificate is needed for the initial EAP session. The TLS session happens inside this EAP session.



  • 8.  RE: VIA and Clearpass

    EMPLOYEE
    Posted Aug 30, 2019 11:47 AM

    You should NOT be using your EAP server certificate on the controller.

     

    Obtain a certificate for the controller that matches the VIA FQDN.