
ClearPass Server Certificate and nevertheless connection with iPhone

  • 1.  ClearPass Server Certificate and nevertheless connection with iPhone

    Posted Feb 26, 2016 04:55 AM

    Hi,

     

    This is a company with 30 IAP + ClearPass + AirWave.

    1. We had authentication allowed via AD. Works!

    2. Now we installed a certificate on ClearPass and I think it works.

    3. Where can I see with which method I logged in to the Wi-Fi? Certificate or username and PW?

    4. My goal is that only employees with their notebooks have access to the Wi-Fi via certificate.

    And why do I still have access to the Wi-Fi with my iPhone? There is somewhere I must change something in ClearPass, right?

     

    thx

    Salvatore



  • 2.  RE: ClearPass Server Certificate and nevertheless connection with iPhone

    EMPLOYEE
    Posted Feb 26, 2016 06:17 AM

    Do your laptops use EAP-TLS or do they also use PEAP/MSCHAPv2?



  • 3.  RE: ClearPass Server Certificate and nevertheless connection with iPhone

    Posted Feb 26, 2016 07:07 AM

    Hi,

     

    On the laptop we set PEAP with certificate control.

    On ClearPass we set the following authentication sequence: 1. TLS and 2. PEAP.

    If we remove PEAP, we don't have access to the Wi-Fi.

    If we add it again, everything works fine.

    Now I want to understand: where can I see which method I logged in with?

    Second: what must be configured on ClearPass to use the certificate first and then maybe username and PW?

     

    Thx

    Salvatore

     

     



  • 4.  RE: ClearPass Server Certificate and nevertheless connection with iPhone

    EMPLOYEE
    Posted Feb 26, 2016 07:23 AM

    So it looks like both of your devices (your laptops and your phones) are using EAP-PEAP/MSCHAPv2.

    There is no certificate checking, except on the client side. The server does not check certificates and the clients only submit username and password. It does not look like you are using TLS.

    If you want to keep phones off of the network with username and password, the way is to use Machine Authentication. EDIT: Please use the method here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/td-p/58918/highlight/true/page/2

     



  • 5.  RE: ClearPass Server Certificate and nevertheless connection with iPhone
    Best Answer

    Posted Feb 26, 2016 08:13 AM

    Hi,

     

    When I check Monitoring Access Tracker I see:

    Action Methods: EAP-PEAP,EAP-MSCHAPv2

    Why?

    Under my Authentication Methods I have

    1. EAP TLS

    2. EAP PEAP

    Why does it use PEAP first? And how can I check whether my certificate is installed correctly or functions correctly?
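
Added example (not part of the thread and not ClearPass code): a simplified Python model of EAP method negotiation per RFC 3748, where the server offers the first method in its list and the client may answer with a Nak naming the method it is configured for. It shows how a session ends up on EAP-PEAP with EAP-TLS listed first, and why removing PEAP locks out a PEAP-configured client; the function names and method lists are constructed for illustration.

```python
# Simplified model of EAP method negotiation (RFC 3748 Legacy Nak).
# Not ClearPass code; server/supplicant method lists below are constructed.
EAP_TYPES = {"EAP-TLS": 13, "EAP-PEAP": 25}
NAK = 3  # EAP type 3: peer rejects the offered method and lists alternatives


def supplicant_reply(offered, supported):
    """Return ("accept", type) or ("nak", [preferred types]) for an offer."""
    if offered in supported:
        return ("accept", offered)
    return ("nak", list(supported))


def negotiate(server_methods, supplicant_methods):
    """Return (agreed method name or None, trace of the exchange)."""
    server = [EAP_TYPES[m] for m in server_methods]
    peer = [EAP_TYPES[m] for m in supplicant_methods]
    names = {v: k for k, v in EAP_TYPES.items()}
    trace = []
    if not server:
        return None, trace
    offer = server[0]  # the server proposes the first method in its list
    trace.append(f"server -> Request type={offer} ({names[offer]})")
    verdict, value = supplicant_reply(offer, peer)
    if verdict == "accept":
        trace.append(f"peer   -> Response type={offer}")
        return names[offer], trace
    trace.append(f"peer   -> Response type={NAK} (Nak) wants={value}")
    for wanted in value:  # the server honours the Nak only for listed methods
        if wanted in server:
            trace.append(f"server -> Request type={wanted} ({names[wanted]})")
            return names[wanted], trace
    trace.append("server -> Failure (no common method)")
    return None, trace


if __name__ == "__main__":
    cases = {
        "PEAP client, server [TLS, PEAP]": (["EAP-TLS", "EAP-PEAP"], ["EAP-PEAP"]),
        "PEAP client, server [TLS]": (["EAP-TLS"], ["EAP-PEAP"]),
        "TLS client, server [TLS, PEAP]": (["EAP-TLS", "EAP-PEAP"], ["EAP-TLS"]),
    }
    for label, (srv, sup) in cases.items():
        method, trace = negotiate(srv, sup)
        print(f"{label}: {method}")
        for line in trace:
            print("   ", line)
```

While EAP-PEAP remains in the server's list, a client configured for PEAP with valid credentials will negotiate it, which is consistent with the iPhone still connecting.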



  • 6.  RE: ClearPass Server Certificate and nevertheless connection with iPhone
    Best Answer

    Posted Feb 29, 2016 05:21 AM

    Hi,

     

    I think we can close this topic.

    The solution was that I added our certificates to the trusted list, and now it works.

    We receive the following message:

    Access Tracker - Live Monitoring:

    Authentication Method: EAP-PEAP,EAP-TLS  <<<--- think that's right.

     

    Thx

    Salvatore