Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x Auth via certificate : only validate the cert against the internal CA

  • 1.  802.1x Auth via certificate : only validate the cert against the internal CA

    Posted 26 days ago

    Hello,

    I'd like to create a service that would only work this way:

    A device (printer) has an internal certificate set up + 802.1x auth.

    The switch has a 802.1x access policy and will ask clearpass for an authorization and a vlan.

    Can I set up the following on ClearPass?
    Get the certificate (EAP-TLS), verify it's valid (according to the CA we imported into ClearPass, and only this CA) and return an allow profile + VLAN.

    I already created 2 kinds of service that don't really do what I want:

    • a standard EAP-TLS service, which extracts a user from the cert, then looks for this user in the AD (example: cert CN is printer1234.contoso.com; ClearPass will be looking for user printer1234 in Active Directory)
      • This will force me to manage 1000s of fake users, which I'd like to avoid
    • an EAP-TLS service with "Authorization required" disabled (only checks that the cert is valid)
      • This won't need any users in the AD, but I figure any certificate will pass (pretty sure that a Let's Encrypt cert set up on the printer would work)

    Can you help me figure out how to make sure the certificate will only match my internal CA/PKI? Or any alternative?

    Thanks, and sorry if it was posted before; I'll try to look it up once more.
    Michel.



  • 2.  RE: 802.1x Auth via certificate : only validate the cert against the internal CA
    Best Answer

    EMPLOYEE
    Posted 26 days ago

    If you have EAP-TLS with Authorization Required disabled, you can during role mapping and/or enforcement perform additional checks. In this case I would check the Issuer of the certificate, to lock down to a specific client CA, and if there are other attributes for example in the CN printer####.contoso.com, you can use a regex (printer....\.contoso\.com) or a 'begins_with' printer combined with 'end_with' .contoso.com. If you have an external database in which ClearPass can query the CN (or rather the username sent by the client), you may be able to leverage that as well.

    BTW, ClearPass will only authenticate client certificates that have their Root CA enabled for the 'purpose' EAP in the Trust List. So unless you enabled Let's Encrypt for EAP, clients won't pass authentication. Regardless, I'd feel checking the Issuer in your policy makes sense, especially if you disable Authorization.

    There are many options to do what you want, with more or less effort and more or less 'lockdown' security.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
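    As an added illustration (not code from this thread or from ClearPass), here is a small Python model of the two policy checks Herman describes: lock the certificate Issuer to the internal CA, then constrain the Subject CN with the `printer....\.contoso\.com` regex or the begins_with/ends_with pair. The attribute names (`Issuer-CN`, `Subject-CN`), the CA name and the VLAN number are constructed placeholders, not real ClearPass identifiers.

```python
import re

# Constructed placeholders: substitute your own issuing CA's CN and printer VLAN.
INTERNAL_ISSUER_CN = "Contoso Internal Issuing CA"
PRINTER_VLAN = 120

# The pattern from the thread: 'printer' + exactly four characters + '.contoso.com'.
PRINTER_CN_PATTERN = re.compile(r"printer....\.contoso\.com")


def printer_role(cert):
    """Decide access for one EAP-TLS client certificate.

    `cert` is a dict with the certificate attributes the policy reads,
    modelled (assumed names) on ClearPass's Certificate:Issuer-CN and
    Certificate:Subject-CN.  Returns ("ALLOW", vlan) or ("DENY", reason).
    """
    issuer = cert.get("Issuer-CN", "")
    subject = cert.get("Subject-CN", "")

    # Check 1: the cert must come from the internal PKI.  A cert that is
    # otherwise valid but issued by some other trusted CA is rejected here,
    # which is the gap the original poster worried about.
    if issuer != INTERNAL_ISSUER_CN:
        return ("DENY", f"issuer {issuer!r} is not the internal CA")

    # Check 2: naming convention.  fullmatch anchors the regex at both ends;
    # an unanchored search would also accept a CN such as
    # 'printer1234.contoso.com.example.net', so anchor the rule in the policy.
    if not PRINTER_CN_PATTERN.fullmatch(subject):
        return ("DENY", f"CN {subject!r} does not match the printer naming")

    return ("ALLOW", PRINTER_VLAN)


def printer_role_prefix_suffix(cert):
    """Same decision using the begins_with / ends_with alternative."""
    if cert.get("Issuer-CN", "") != INTERNAL_ISSUER_CN:
        return ("DENY", "issuer is not the internal CA")
    cn = cert.get("Subject-CN", "")
    if not (cn.startswith("printer") and cn.endswith(".contoso.com")):
        return ("DENY", f"CN {cn!r} does not match the printer naming")
    return ("ALLOW", PRINTER_VLAN)


if __name__ == "__main__":
    # Constructed sample certificates: one good printer, one from a public CA,
    # one with a CN that only matches when the regex is left unanchored.
    for sample in (
        {"Issuer-CN": INTERNAL_ISSUER_CN, "Subject-CN": "printer1234.contoso.com"},
        {"Issuer-CN": "Some Public CA", "Subject-CN": "printer1234.contoso.com"},
        {"Issuer-CN": INTERNAL_ISSUER_CN, "Subject-CN": "printer1234.contoso.com.example.net"},
    ):
        print(sample["Subject-CN"], "->", printer_role(sample))
```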



  • 3.  RE: 802.1x Auth via certificate : only validate the cert against the internal CA

    Posted 26 days ago

    This is exactly what I figured out (the additional enforcement check(s)).

    Thank you very much for the info regarding the purpose of Cert Authorities; that clears the doubt I had: I don't "need" to strengthen my enforcement if everything is set up right in this section.

    Cheers.

    Michel.