Airheads Breakouts

  • 1.  authentication strict enforcing workaround via Clearpass

    Posted 4 hours ago

    Hi,

    Setup: clients use a certificate to authenticate to the Wi-Fi.

    We use Central, which currently passes authentication requests to a Windows NPS. Works, not an issue.

    Due to Microsoft pushing strict enforcement of an SID in the certificates (KB5014754), we're facing a challenge. Either we change every user certificate (takes some time), or, for a limited time, we look for a workaround.

    On a controller-based setup, you can terminate EAP-TLS requests on the controller itself. Basically, that's saying if you have a valid certificate, that's fine.

    This is not possible in Central. I checked on the NPS level; it's not possible to disable strict enforcement there. I played around with a few settings, but currently I don't think we can bypass this issue on the NPS level.

    I was wondering, do we have a possible workaround with ClearPass? In ClearPass you can set up a RADIUS service which finally validates users via LDAP (port 389) against a domain controller. That's basically the same thing we do with Fortinets for VPN users. We know this last one does not suffer from this issue.

    Maybe it's also possible to terminate the request on ClearPass itself?



  • 2.  RE: authentication strict enforcing workaround via Clearpass

    Posted 3 hours ago

    In ClearPass you can perform the authentication based on the certificate trust alone. In addition to this, you can also perform authorization based on the identity provided in the certificate or on information stored in the client certificate.

    If you have Active Directory and your client certificates have the sAMAccountName or the UPN in a field in the certificate, ClearPass can search for this information in AD and retrieve group membership and other information needed for role assignment.

    If you don't have AD, you can query Entra ID or Intune; in this case you must have the Entra ID or Intune ID in the certificate.

    In some cases you can base the authorization on information in the certificate, for example certificates issued by CA 1 or CA 2 get different roles.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
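The answer above authenticates on certificate trust and authorizes by looking up the UPN (or sAMAccountName) from the certificate in AD, which sidesteps the NPS strong-mapping check entirely. Whichever route is taken, the admin still needs to know which user certificates already carry the SID extension KB5014754 looks for (OID 1.3.6.1.4.1.311.25.2) and which UPN ClearPass would query. The script below is an added example, not code from ClearPass, NPS or Microsoft: it builds a self-signed certificate in memory (constructed only so it runs offline; the SID value and UPN are made up), encodes the SID extension in the DER layout documented in KB5014754, and reports the UPN and SID for each certificate. It assumes the `cryptography` package; in practice you would load real certificates with `x509.load_pem_x509_certificate()` instead of calling `make_test_cert()`.

```python
"""Inventory helper: which client certificates satisfy KB5014754 strong mapping
(SID extension 1.3.6.1.4.1.311.25.2), and which UPN would ClearPass look up?
Added example; assumes the `cryptography` package. Certificates, SIDs and UPNs
below are constructed for the demo, not taken from any real environment."""
import datetime
from typing import Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Published Microsoft OIDs.
OID_UPN = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")    # SAN otherName carrying the UPN
OID_SID_EXT = x509.ObjectIdentifier("1.3.6.1.4.1.311.25.2")  # szOID_NTDS_CA_SECURITY_EXT
OID_SID_OBJ = "1.3.6.1.4.1.311.25.2.1"                       # szOID_NTDS_OBJECTSID


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _der(0x06, bytes(body))


def _read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nb = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), pos + 2 + nb
    return tag, buf[pos:pos + length], pos + length


def encode_sid_extension(sid: str) -> bytes:
    """Extension value as documented in KB5014754:
    SEQUENCE { [0] { OID 1.3.6.1.4.1.311.25.2.1, [0] { OCTET STRING sid } } }"""
    inner = _der_oid(OID_SID_OBJ) + _der(0xA0, _der(0x04, sid.encode("ascii")))
    return _der(0x30, _der(0xA0, inner))


def decode_sid_extension(value: bytes) -> Optional[str]:
    """Reverse of encode_sid_extension; None if the layout is not the expected one."""
    tag, seq, _ = _read_tlv(value)
    if tag != 0x30:
        return None
    tag, other_name, _ = _read_tlv(seq)
    if tag != 0xA0:
        return None
    tag, oid, nxt = _read_tlv(other_name)
    if tag != 0x06 or _der(0x06, oid) != _der_oid(OID_SID_OBJ):
        return None
    tag, wrapped, _ = _read_tlv(other_name, nxt)
    if tag != 0xA0:
        return None
    tag, sid, _ = _read_tlv(wrapped)
    return sid.decode("ascii") if tag == 0x04 else None


def get_upn(cert: x509.Certificate) -> Optional[str]:
    """UPN from the SAN otherName: the value ClearPass would search for in AD."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for name in san.get_values_for_type(x509.OtherName):
        if name.type_id == OID_UPN:
            tag, content, _ = _read_tlv(name.value)  # value is a DER UTF8String
            if tag == 0x0C:
                return content.decode("utf-8")
    return None


def get_sid(cert: x509.Certificate) -> Optional[str]:
    """SID from the 1.3.6.1.4.1.311.25.2 extension, or None if absent/malformed.
    Note: a missing extension can still be strongly mapped via altSecurityIdentities
    on the AD user object; this script only checks the certificate side."""
    try:
        ext = cert.extensions.get_extension_for_oid(OID_SID_EXT)
    except x509.ExtensionNotFound:
        return None
    return decode_sid_extension(ext.value.value)


def make_test_cert(upn: str, sid: Optional[str]) -> x509.Certificate:
    """Constructed self-signed user certificate for the demo (not a real CA issuance)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    san = x509.SubjectAlternativeName([x509.OtherName(OID_UPN, _der(0x0C, upn.encode("utf-8")))])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(san, critical=False))
    if sid is not None:
        b = b.add_extension(x509.UnrecognizedExtension(OID_SID_EXT, encode_sid_extension(sid)),
                            critical=False)
    return b.sign(key, hashes.SHA256())


if __name__ == "__main__":
    for c in (make_test_cert("alice@corp.example", "S-1-5-21-1004336348-1177238915-682003330-1105"),
              make_test_cert("bob@corp.example", None)):
        print(get_upn(c), get_sid(c) or "no SID extension: reissue or map via altSecurityIdentities")
```

Run it over the exported user certificates to get the list of users that still need a reissued certificate. One caveat that follows from the answer itself: if ClearPass authenticates on certificate trust alone, revocation checking (CRL or OCSP) on ClearPass is the only thing that stops a revoked or departed user's certificate, so confirm it is enabled before relying on this as the interim path.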