Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

VIA client with certificate based authentication and mobility controller/clearpass

  • 1.  VIA client with certificate based authentication and mobility controller/clearpass

    EMPLOYEE
    Posted Apr 07, 2020 08:56 AM

    Hello!

    I previously had a VIA client -> virtual mobility controller -> ClearPass setup to test client connection authentication (password based), which I have set up and tested successfully (RADIUS authentication through ClearPass).

    Since then I have been trying to change the setup to certificate based, but I am failing badly!!!! My knowledge of certificate types and how they work is quite poor, which is partly the problem, so let me start with some basic questions and statements which I hope you can confirm.

    1. I can load the VPN profile successfully from the controller, which highlights that the configuration is now using IKEv2 and authentication-type: user-cert.

    2. The certificates offered in the VIA client do not, however, show the server certificate, which I would expect the VIA client to receive from the mobility controller. Is this assumption correct?

    3. I have generated a server certificate using my own CA/OpenSSL and installed this (both at Mobility Controller and the controller instance level below it).

    4. Under configuration -> services -> VPN -> General VPN, I have selected the pre-installed server certificate for VPN clients. I have done this at both levels mentioned under point 3.

    5. There is another menu point called "Certificates for VPN clients" in the same GUI section below General VPN. I do not understand what this is for.

    6. Are there any changes needed at the ClearPass level to enable certificate based authentication?

    7. Once the VIA client has received the controller server certificate, do I still need to re-authenticate with the user's credentials?

    Any help and hints on the above would be much appreciated.

    Best regards,

    Scott



  • 2.  RE: VIA client with certificate based authentication and mobility controller/clearpass

    Posted Apr 07, 2020 09:02 AM

    Do the following:
    - Upload the CA certificate of the CA that issued the client cert (MD>Services>VPN>CA Certificate assigned for VPN clients).
    - Upload the ClearPass RADIUS certificate (MD>Services>VPN>Certificate groups for VPN clients).
    - Enable IKEv2 and eap-tls under the VIA Connection profile instead of user-cert.
    - In ClearPass you will need a service that supports PAP and EAP-TLS:
      - PAP is to download the VIA profile.
      - EAP-TLS will allow the user to authenticate via certificate based authentication.



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile



  • 3.  RE: VIA client with certificate based authentication and mobility controller/clearpass

    EMPLOYEE
    Posted Apr 08, 2020 01:27 PM

    Hi Victor,

    Thanks for your prompt reply.

    Based on your feedback my understanding of the communication flow is as follows:

    1. VIA Client connects through the mobility controller to ClearPass and authenticates itself through PAP to be able to download the VIA VPN Profile.

    VIA-VPN-Profile.png

    2. Now that I have changed the VIA connection profile setting to EAP-TLS, the VIA client will attempt to authenticate using EAP-TLS.

    3. As part of the EAP-TLS handshake, the mobility controller sends the ClearPass RADIUS certificate to the VIA client, which it attempts to authenticate (using the public key retrieved from the CA).

    4. Next the client's certificate (configured in the controller under CA certificates for VPN clients) is sent through the controller to the ClearPass server for authentication.

    5. If authentication is successful, access is given.

    Is this flow correct?

    The problem for me is still the following:

    1. I am using only self-signed certs with no CA. This means I would have to import the ClearPass certs on the client and import the client cert into ClearPass. Correct?

    2. I have configured the EAP-TLS authentication in the RADIUS service, but I didn't see how to link this with the client certificate.

    3. Why did you suggest importing the ClearPass RADIUS cert on the controller? I could do this, but I couldn't assign it to the VPN client cert list.

    The very last comment I have is that I do not see any error messages in ClearPass in the Event Viewer or Access Tracker. I just see the PAP client authentication as successful.

    Your help is much appreciated.

    Thanks,

    Scott

     



  • 4.  RE: VIA client with certificate based authentication and mobility controller/clearpass

    Posted Apr 09, 2020 05:52 PM

    I do certs with Aruba VIA all the time without the radius.  If you want this type of configuration example and even practice certs, let me know and I can share how I do things.  Otherwise there are lots of Clearpass experts here, something that I am not. 



  • 5.  RE: VIA client with certificate based authentication and mobility controller/clearpass

    EMPLOYEE
    Posted Apr 09, 2020 06:51 PM

    Hi!

    I would certainly be interested in this as an alternative. I guess this requires the "user-certs" setting in the VIA connection profile, instead of EAP-TLS.

    Any info you can share would be much appreciated. Maybe I can use this as the basis to extend the solution to include ClearPass authentication.

    Regards,
    Scott