It probably is marginal, but you probably should put the authentication source with the highest chance of being used (where most of the users using the service are) first. In case you have a possible collision in the usernames, put the source that is most important first. If there is a close call between those, take a local one (Guest) over a remote one (AD). If you can filter based on the username, for example your TLS clients all authenticate as user@ad.domain.name, and guests are plain username or different @domain, you can create separate services for your TLS and PEAP/GuestDB users and avoid the discussion.
You can even put Active Directory in the Authorization servers and only put the GuestDB for your PEAP users as the authentication source. If you are worried about getting into performance issues, it may be good to get some external consultancy to have a look at your design.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Mar 23, 2021 03:32 AM
From: Stephan x
Subject: ClearPass Service with multiple Auth.-Sources for EAP-TLS and PEAP
Great, thanks. I will try it that way.
Regarding the order of the Authentication Sources, I would put the CPPM Guest-DB first and the Active Directory second, right? So that the AD will not be requested each time a BYOD user authenticates. Or would that result in bad performance for the EAP-TLS authentications?
Original Message:
Sent: Mar 22, 2021 07:54 PM
From: Tim C
Subject: ClearPass Service with multiple Auth.-Sources for EAP-TLS and PEAP
Disable authorization on the EAP-TLS method and handle any cert comparison in policy.
------------------------------
Tim C
Original Message:
Sent: Mar 22, 2021 01:36 PM
From: Stephan x
Subject: ClearPass Service with multiple Auth.-Sources for EAP-TLS and PEAP
Hi,
We need to have Employees with EAP-TLS and BYOD users with EAP-PEAP on one SSID. Is it possible to have both the Active Directory for EAP-TLS and local CPPM Guest-DB for EAP-PEAP as Authentication Sources within one CPPM Service?