Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
auth fail action

  • 1.  auth fail action

    Posted Jun 13, 2019 03:13 AM

    Hello,

    Is it possible to return an action for auth fail from ClearPass?

    For example, if the machine certificate has expired or the machine account is disabled in AD, the dot1x will still hit the EAP-TLS rule, but ClearPass will reject it. But as auth will fail, can we return a Guest VLAN as enforcement for this auth fail?

    My query is: if one auth method fails, for example EAP-TLS in the above case, is it mandatory for the machine to initiate the second method defined, which is MAC auth? Can't we simply return an Auth fail action even if EAP-TLS fails, so the machine (endpoint) does not need to do MAC auth as the second auth defined?



  • 2.  RE: auth fail action

    Posted Jun 13, 2019 07:47 PM

    "Failures" are handled by creating the conditions for allowing an ACCEPT, and assigning a role or action to that.

    For instance, if your device doesn't pass OnGuard posture checks, CPPM 'accepts' the authentication, but passes a role to quarantine the user.



  • 3.  RE: auth fail action

    EMPLOYEE
    Posted Jun 13, 2019 08:39 PM

    @cppmadmin wrote:

        Hello,

        Is it possible to return an action for auth fail from ClearPass?

        For example, if the machine certificate has expired or the machine account is disabled in AD, the dot1x will still hit the EAP-TLS rule, but ClearPass will reject it. But as auth will fail, can we return a Guest VLAN as enforcement for this auth fail?

        My query is: if one auth method fails, for example EAP-TLS in the above case, is it mandatory for the machine to initiate the second method defined, which is MAC auth? Can't we simply return an Auth fail action even if EAP-TLS fails, so the machine (endpoint) does not need to do MAC auth as the second auth defined?

    If this is wireless 802.1X, it requires an accept for the client to be able to obtain an IP address, VLAN, etc. If 802.1X fails, there is nothing you can do to provide client connectivity after that.

     



  • 4.  RE: auth fail action

    EMPLOYEE
    Posted Jun 17, 2019 07:35 AM

    As a suggestion, what you could do is send your users email warnings that their certificate is expiring some time before it actually expires. You can, in parallel, do a similar thing in ClearPass to check the remaining lifetime of the certificate and return a captive portal explaining that the certificate should be renewed before it expires, as there will be no access after that date and the helpdesk may be required to gain access to the network again. That captive portal could also contain instructions on how to renew the certificate via a self-service process.

    If you need the lifetime of the certificate, you may choose to issue certificates with an additional few weeks of lifetime to allow this warning process.

    Bottom line, make sure certificates are renewed before they expire.
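    The remaining-lifetime check suggested above, modelled as an added example (not ClearPass code and not from anyone in this thread): it pulls notAfter out of a DER certificate and maps the result to the three outcomes the thread describes: expired means reject (there is no rescuing a failed wireless 802.1X), expiring within a warning window means accept into a hypothetical renewal captive-portal role, otherwise full access. The sample certificate is a constructed, unsigned stand-in built inline; role names and the 14-day window are assumptions.

```python
import datetime as dt

def _tlv(buf, pos):
    """Read one DER TLV starting at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_not_after(der):
    """Extract notAfter from an X.509 DER certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                      # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                     # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                 # serialNumber
    _, _, pos = _tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                     # issuer Name
    _, validity, _ = _tlv(tbs, pos)                # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)                  # skip notBefore
    tag, value, _ = _tlv(validity, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def enforcement(cert_der, now, warn_days=14):
    """Expired -> REJECT; expiring within warn_days -> renewal portal role; else full access. Role names are hypothetical."""
    remaining = cert_not_after(cert_der) - now
    if remaining <= dt.timedelta(0):
        return ("REJECT", None)
    if remaining < dt.timedelta(days=warn_days):
        return ("ACCEPT", "Cert-Renewal-Portal")
    return ("ACCEPT", "Full-Access")

def _der(tag, body):
    """Minimal DER encoder (short-form lengths only) used for the constructed sample."""
    return bytes([tag, len(body)]) + body

def sample_cert(not_after):
    """Constructed, unsigned stand-in carrying only the fields cert_not_after walks."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")    # version v3, serialNumber
           + _der(0x30, b"") + _der(0x30, b"")                        # signature, issuer placeholders
           + _der(0x30, utc(not_after - dt.timedelta(days=365)) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))

def demo(days_until_expiry, now=dt.datetime(2019, 6, 13, tzinfo=dt.timezone.utc)):
    """Evaluate a constructed certificate expiring days_until_expiry days from now."""
    return enforcement(sample_cert(now + dt.timedelta(days=days_until_expiry)), now)
```

    Against a real certificate, feed the DER bytes straight to enforcement(); the parser tolerates long-form lengths, so the constructed encoder is only needed for the sample.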



  • 5.  RE: auth fail action

    Posted Jun 19, 2019 03:39 PM
    Hi all, the requirement is: what if dot1x authentication fails (either a certificate expired or an account disabled)?

    What is the fallback option for the client? On the switch we have defined dot1x and MAB.

    Does the laptop initiate MAB once dot1x fails, or can we make it work? Is there any setting which can make the laptop initiate the MAB request after dot1x fails?

    There must be some fallback.


  • 6.  RE: auth fail action

    EMPLOYEE
    Posted Jun 20, 2019 05:24 AM

    On wireless with WPA-Enterprise (802.1X) there is no fallback, as the TLS session cannot be established without valid certificates, and there is no fallback to unsecured or so, because authentication and encryption setup are combined in the same process.

    On wired, you can configure the client supplicant to 'Fallback to unauthenticated access' on Windows, in which case it will just start communicating and trigger a MAC authentication.

    Expired certificates are an area where you don't want to go, and if you need to go there, test heavily with all possible clients, as the client (type, version, configuration) plays a big part in how the experience will be.