Occasional Contributor I

Clearpass policy that validates two separate certificates

I currently have a policy in place that validates one certificate for providing authentication. My boss wants us to have a policy that authenticates the USER then authenticates the Device. He wants both to be authenticated by our AD, but he wants the information to come from two different certificates. Can this be done? I'm not sure how I'd chain two authentication profiles. 

MVP Guru

Re: Clearpass policy that validates two separate certificates

What type of device?



Thank you

Victor Fabian

Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Clearpass policy that validates two separate certificates

The environment shakes like this: We have a ClearPass server, two 7030 controllers, a mobility master and about 20 APs. The only devices we'd want to authenticate will either be Lenovo laptops or Dell towers. No mobile devices.

MVP Guru

Re: Clearpass policy that validates two separate certificates

Are those part of the domain? If so, it is possible, but you need to make sure the wireless/wired profiles are configured to do computer or user authentication (those settings can be pushed via a group policy).



Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Clearpass policy that validates two separate certificates

Yes, all devices will be domain joined. We do not want non-domain devices on our network. As for the wired and wireless policy, we already set them up for user and computer authentication.

 

A better question is this: How do I set up ClearPass to test one policy, then the other?

MVP Guru

Re: Clearpass policy that validates two separate certificates

You can use the TIPS role = [Machine Authenticated] and apply a different profile, or use a different service just for the machine auth, add the condition Authentication > Full-Username > begins with > host/, and assign a different policy/profile.





Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP

Re: Clearpass policy that validates two separate certificates

Please note that the computer certificate can be automatically enrolled through a GPO policy, but the user certificate is enrolled after the user has logged in once. This requires that the AD is reachable with only computer authentication to make (new) user certificate enrollment possible, or just connect once to an open interface.

 

When you have some computers that are shared between different users, this can be a challenge. That's why I personally choose computer authentication only in most cases.

 

I look forward to seeing your test results!

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Occasional Contributor I

Re: Clearpass policy that validates two separate certificates

I just have a few more questions. My understanding is that [machine authenticated] is just an endpoint that the ClearPass server has seen before. Can I configure it to do an AD lookup and confirm that the host is still active in the domain?

MVP Guru

Re: Clearpass policy that validates two separate certificates

The [machine authenticated] is assigned when a domain device has successfully authenticated.

ClearPass caches the machine authenticated information, which allows you to use it when the user logs in.



Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
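
A toy Python model of the chaining described in the replies above (the `host/` username condition and the cached [Machine Authenticated] role), added here as an illustration and not ClearPass code or configuration from any poster. The cache lifetime, keying the cache on MAC address, the `[User Authenticated]` role and the three profile names are assumptions of the model.

```python
import time

MACHINE_CACHE_TTL = 24 * 3600  # assumed cache lifetime in seconds (constructed value)
MACHINE_ROLE = "[Machine Authenticated]"   # role named in the thread
USER_ROLE = "[User Authenticated]"         # assumed counterpart role for the user stage


class ChainedAuthModel:
    """Toy model of machine-then-user certificate authentication."""

    def __init__(self, ttl=MACHINE_CACHE_TTL, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self._machine_seen = {}  # normalized MAC -> time of last good machine auth

    @staticmethod
    def _mac(mac):
        return mac.lower().replace("-", "").replace(":", "")

    def roles_for(self, mac, full_username, cert_valid):
        if not cert_valid:                 # failed certificate check: no roles at all
            return set()
        now, key = self.clock(), self._mac(mac)
        if full_username.lower().startswith("host/"):   # machine-auth condition
            self._machine_seen[key] = now
            return {MACHINE_ROLE}
        roles = {USER_ROLE}
        seen = self._machine_seen.get(key)
        if seen is not None and now - seen <= self.ttl:  # cached machine result
            roles.add(MACHINE_ROLE)
        return roles

    def enforce(self, mac, full_username, cert_valid=True):
        roles = self.roles_for(mac, full_username, cert_valid)
        if roles == {MACHINE_ROLE, USER_ROLE}:
            return "full-access"        # hypothetical profile: both stages passed
        if roles == {MACHINE_ROLE}:
            return "machine-only"       # hypothetical profile: AD reachable pre-logon
        return "deny"                   # user certificate alone is not enough


if __name__ == "__main__":
    t = [0.0]                            # fake clock so the expiry case is visible
    m = ChainedAuthModel(ttl=60, clock=lambda: t[0])
    mac = "AA-BB-CC-00-11-22"            # constructed sample values below
    print(m.enforce(mac, "jdoe"))                       # no machine auth yet
    print(m.enforce(mac, "host/PC01.example.test"))     # machine stage
    print(m.enforce(mac, "jdoe"))                       # user stage within TTL
    t[0] = 61
    print(m.enforce(mac, "jdoe"))                       # cache entry expired
```

In this model the cached role only records the last successful machine authentication on that MAC, so a user logon after the entry expires falls back to deny until the machine authenticates again.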