Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

WPA-PSK+portalwithoutauth+whitelistsites

  • 1.  WPA-PSK+portalwithoutauth+whitelistsites

    Posted Sep 04, 2013 02:36 PM

    I need to simplify access to the secure network that currently uses 2 mixed schemes:

    1.-EAP-TLS with Certificates (cert windows services), radius log:
      Proxy-Policy-Name = Use Windows authentication for all users
      Authentication-Provider = Windows
      Authentication-Server = <undetermined>
      Policy-Name = Allow Remote Access
      Authentication-Type = EAP
      EAP-Type = Smart Card or other certificate

    and

    2.-EAP-PEAP (Username / Password):
      Proxy-Policy-Name = Use Windows authentication for all users
      Authentication-Provider = Windows
      Authentication-Server = <undetermined>
      Policy-Name = Allow Remote Access
      Authentication-Type = PEAP
      EAP-Type = Secured password (EAP-MSCHAP v2)

    It is mixed because some devices (many phones) do not support installing certificates, or it is very difficult for the user.

    The first method is very complicated for almost any user.
    The second method is not as complicated, but some devices need the "Certificate CA Chain", others (mostly Android) need to configure "phase 2" (MS-CHAPv2), and others forget the network.

    It occurred to me to set up a WPA-PSK ESSID (not open, because many devices connect automatically without the user knowing or wanting it) with access only to a server to generate and download the certificates (certificate and Certificate Chain User-Certificate Provider server, Authority server-Certificate).

    Any idea how to do it or a better idea?...

     



  • 2.  RE: WPA-PSK+portalwithoutauth+whitelistsites

    Posted Sep 05, 2013 02:58 AM

    If you are using Windows Server with ADCS, it already has a web interface where your users can download certificates for the device and the CA certs.

    So what you would need to do is basically to just either make a CP with a link to that ADCS web interface with instructions, or you could just redirect directly to the ADCS web interface instead of going through the CP.

    Just remember to allow traffic to the ADCS IP address ;)



  • 3.  RE: WPA-PSK+portalwithoutauth+whitelistsites

    Posted Sep 06, 2013 11:17 PM

    Thank you Nesvik

     

    I need to redirect to an external informational web page (no authentication) to show some manuals, news and then the link to ADCS.

     

    By the way: We have some issues with 2 things:

    1.- Captive Portal redirection (slow, no secure site warning, sometimes "authentication disabled" messages, etc.) and

    2.- ADCS, like: a lot of security warnings (no third-party CA :( ), some MS Windows versions don't install the AC/ACProvider (chain) in the correct container, some users are getting lost by the "many steps", ActiveX blocked, bad time zone, etc...

     

    Any idea to do something more automated for the users (without clear pa$$)?

     

    Regards.