Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

  • 1.  Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 13, 2015 02:19 PM

    I have two computers I am testing with. One is joined to the Active Directory domain and the other is not.

    I have ClearPass set up as my authentication server and I am using AD as my CA.

    1. I started my test with the non-domain laptop, which had Validate server certificate checked and Trusted Certificate Authority unchecked. When I attempt to connect, I get a pop-up from Windows that tells me I need to "Terminate or Connect". I click Connect and everything works as intended. I verified in the Protected EAP settings that the correct Trusted CA is selected.

    2. I started with the same settings on the domain laptop, Validate server certificate checked and Trusted Certificate Authority unchecked. To my surprise, the client is connecting to the network. No pop-up for the cert. I have also tested selecting random Trusted CAs and they all work.

    Has anybody experienced this?

    Could it have something to do with the laptops being joined to AD and having the same root CA?



  • 2.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    EMPLOYEE
    Posted Jul 13, 2015 02:22 PM

    Correct. When a computer joins an AD domain, IIRC the Domain cert is installed on that laptop as a trusted root cert. So this would explain your result.



  • 3.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    EMPLOYEE
    Posted Jul 13, 2015 02:24 PM

    1. The CA that issued the certificate to the RADIUS server probably is not the same one that is in your non-domain client's trust list (compare the serial numbers).

    2. If your CA is domain-integrated, domain clients will automatically trust whatever is issued by it. Since you only clicked on Validate, it will trust ANY CA in its trust list. If you specified servers, it would only trust those specific servers/CAs.
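    The behaviour described in this reply (Validate checked, no root CA ticked, so any CA already in the client's Trusted Root store is accepted, and a domain-joined client gets the enterprise root from the domain) can be checked mechanically. The script below is an added example for this thread, not code from the original post or from HPE Aruba: it parses the XML that `netsh wlan export profile name="<SSID>" folder=<dir>` writes, reports whether the PEAP settings pin a root CA at all, and models the supplicant's decision for a given server-certificate chain. The sample profile, the thumbprints and the two clients' root stores are constructed for the demo; the element names are the ones netsh emits, and the decision model is deliberately simplified (server-name matching is ignored).

```python
"""Assess what a Windows PEAP profile's server-validation settings actually enforce.

Added example for this thread, not code from the original post or from HPE Aruba.
Input is the XML written by `netsh wlan export profile name="<SSID>" folder=<dir>`;
the sample profile, thumbprints and certificate stores below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed profile in the shape netsh emits: "Validate server certificate" checked,
# no Trusted Root CA ticked (the original poster's configuration).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
            <ServerNames></ServerNames>
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap></Config>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""

# Hypothetical SHA-1 thumbprints and the Trusted Root stores of the two test clients.
ENTERPRISE_ROOT = "11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44"
OTHER_ROOT = "ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc"
DOMAIN_JOINED_STORE = {ENTERPRISE_ROOT, OTHER_ROOT}  # enterprise root pushed by Group Policy
NON_DOMAIN_STORE = {OTHER_ROOT}                       # enterprise root was never installed


def _local(tag):
    """Strip the namespace so elements can be matched on their local name."""
    return tag.rsplit("}", 1)[-1]


def _find(node, name):
    """First element at or below `node` with local name `name`, or None."""
    return next((e for e in node.iter() if _local(e.tag) == name), None)


def _text(node, name, default=""):
    """Stripped text of the first `name` element under `node`, or `default` if absent."""
    e = _find(node, name)
    return (e.text or "").strip() if e is not None else default


def normalize_thumbprint(tp):
    """netsh writes thumbprints as spaced hex pairs; compare upper-case without spaces."""
    return "".join(tp.split()).upper()


@dataclass
class PeapPolicy:
    validate_server: bool    # "Validate server certificate" checkbox
    prompt_on_failure: bool  # inverse of DisableUserPromptForServerValidation
    server_names: str        # "Connect to these servers" (empty = any name)
    pinned_roots: set = field(default_factory=set)  # ticked Trusted Root CA thumbprints


def parse_profile(xml_text):
    root = ET.fromstring(xml_text)
    sv = _find(root, "ServerValidation")
    if sv is None:
        raise ValueError("profile has no PEAP ServerValidation block")
    # Assumption: a profile without the V2 PerformServerValidation element validates.
    validate = _text(root, "PerformServerValidation", "true").lower() == "true"
    prompt = _text(sv, "DisableUserPromptForServerValidation", "false").lower() != "true"
    pinned = {normalize_thumbprint(e.text) for e in sv.iter()
              if _local(e.tag) == "TrustedRootCA" and e.text and e.text.strip()}
    return PeapPolicy(validate, prompt, _text(sv, "ServerNames"), pinned)


def assess(policy):
    """One-line finding a reviewer would attach to the profile."""
    if not policy.validate_server:
        return "INSECURE: server certificate not validated; any RADIUS server is accepted"
    if not policy.pinned_roots:
        return "WEAK: validated, but no root CA ticked; any CA in the Trusted Root store is accepted"
    return f"OK: chain must end at one of {len(policy.pinned_roots)} pinned root CA(s)"


def simulate(policy, chain_root_thumbprint, trusted_store):
    """Simplified supplicant decision (server-name matching ignored): 'connect',
    'connect-unvalidated', 'prompt' (the Terminate/Connect dialog) or 'reject'."""
    if not policy.validate_server:
        return "connect-unvalidated"
    root = normalize_thumbprint(chain_root_thumbprint)
    in_store = root in {normalize_thumbprint(t) for t in trusted_store}
    pin_ok = not policy.pinned_roots or root in policy.pinned_roots
    if in_store and pin_ok:
        return "connect"
    return "prompt" if policy.prompt_on_failure else "reject"
```

    Running `parse_profile(SAMPLE_PROFILE)` and `simulate(...)` against the two constructed stores reproduces the thread's first two observations: the domain-joined client (enterprise root present) connects silently, and the non-domain client (root absent) gets the Terminate/Connect prompt. Pinning a different root in the profile makes the model prompt or reject, which is the outcome the employee replies say Windows should produce. On a real client, export the profile with `netsh wlan export profile name="CorpWiFi" folder=C:\temp` and compare the thumbprint of the root that issued the ClearPass RADIUS certificate against `Get-ChildItem Cert:\LocalMachine\Root` in PowerShell; the thumbprint, not the serial number, is what the profile's TrustedRootCA element stores.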



  • 4.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 13, 2015 03:05 PM

    I have taken my test a step further and removed the CA from the trusted list on the client. I am still able to connect. Is there something I'm missing in the ClearPass configuration that would allow this client to connect?



  • 5.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    EMPLOYEE
    Posted Jul 13, 2015 03:14 PM
    That's a client side only check. The only time ClearPass would validate a cert would be if EAP-TLS was in use.

    Windows should not be connecting if a completely different chain is selected. Can you post a screenshot of the supplicant configuration?


    Thanks,
    Tim


  • 6.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 13, 2015 03:23 PM

    [Attached images: Supplicant0.PNG, Supplicant.PNG]



  • 7.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    EMPLOYEE
    Posted Jul 13, 2015 05:16 PM

    Mwade,

    Did you disconnect the user from the controller's user table before rejoining?


  • 8.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 14, 2015 08:55 AM

    @cjoseph wrote:

        Mwade,

        Did you disconnect the user from the controller's user table before rejoining?

    Disconnecting the user does nothing. I'm testing both controller and IAP and the results are the same on both.



  • 9.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    EMPLOYEE
    Posted Jul 14, 2015 08:59 AM

    Mwade,

    Please open a TAC case in parallel. You could have something configured that we cannot see.

    The certificate/CA checking is done 100% on the client side, so it is a client-side configuration issue.


  • 10.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 14, 2015 09:07 AM

    @cjoseph wrote:

        Mwade,

        Please open a TAC case in parallel. You could have something configured that we cannot see.

        The certificate/CA checking is done 100% on the client side, so it is a client-side configuration issue.

    Thanks for the quick response. I have a TAC case open on the issue already. I wanted to reach out to the community to see if anybody could provide any information that would help move the process along.



  • 11.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 14, 2015 09:01 AM

    To test further, I removed the Active Directory cert installed on CPPM and replaced it with a self-signed cert, and the supplicant exhibited normal behavior.
    I fail when trying to validate the server cert and pass when I uncheck the validate server option.

    The self-signed cert is not valid, so I can't test a successful verification, but this is progress.
    This test appears to identify the Active Directory cert on CPPM, in relation to the domain PC, as the root problem.
    Now, how to fix it?



  • 12.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    EMPLOYEE
    Posted Jul 13, 2015 02:26 PM
    This is "normal". It's a client side check only. Not checking a CA means all CAs will be trusted.


    Thanks,
    Tim


  • 13.  RE: Validate Server Certificate checked and Trusted Certificate Authority unchecked. CPPM

    Posted Jul 13, 2015 02:30 PM

    How does that explain successful authentication when I select a random CA?