Security

  • 1.  TEAP with EntraID - Authentication Source Issue

    Posted Jan 29, 2025 12:39 PM

    I am configuring TEAP with EntraID as a separate service to avoid conflicts with my legacy authentication services. EntraID does not work as an 'Authentication' Source, only an 'Authorization' source. The only Authentication is the TLS certificate. With this setup an Authentication Source is not needed/used in the authentication service, but it is a required field in Clearpass. If I use another Auth source like Local User DB or Time Source, everything works, but there is a delay in authentication while the service attempts to lookup the username in the authentication source. For example TEAP privacy uses 'anonymous' as a login username, so Clearpass tries for several seconds to look for a user called 'anonymous' in whatever Authentication source I add. Is there any trick or way around this to force Clearpass not to perform an 'authentication' and instead just accept the TLS cert and proceed to Authorization (via EntraID)?



  • 2.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 30, 2025 03:27 AM

    For TLS-only, there will not be an authentication lookup, and I typically use the Endpoint Repository, but any authentication source should work, and especially if it's a local one, the response should be immediate. I have not seen a 'several second delay' on that side; the delay may be somewhere else, in an authorization.

    What you should do is make sure the 'Require Authorization' in the EAP-TLS method that you use as inner method for TEAP.

    The detailed logs may show where the delay is, but honestly this may be something to look at with TAC Support.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 30, 2025 12:16 PM

    I suspect the issue is because it is TEAP, not pure TLS, because it is sending the TEAP privacy identity (anonymous)? See attached screenshot where CPPM continuously tries to look up the account 'anonymous', which obviously does not exist. It eventually just gives up and proceeds.

    Are you saying to have Require Authorization Enabled or Disabled? I specifically have it Disabled due to previous issues as well as a recommendation from Aruba Prof Services. See this thread: https://community.arubanetworks.com/discussion/using-eap-teap-and-eap-tls-on-the-same-service#bm0e84a85c-ba8c-4d1e-9b8d-01938dffa3e9

    I do have a TAC case open, their suggestion was 'Don't use TEAP' LOL!




  • 4.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 30, 2025 12:44 PM

    In the auth method, assuming TLS, if you disable the "Authorization Required" then no user lookup should happen during the authentication phase, and the only check will be if the certificate meets the validity requirements. After that there will be a lookup during the authorization phase, which will include whatever you put in for the authentication source.

    Your log shows a search for anonymous and for the computer name against a local database, but I'm not seeing anything that shows a search of Entra ID.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 30, 2025 05:48 PM

    Auth Service: the only Auth Methods enabled are TEAP and TLS. The TLS method has Auth Disabled, and the TEAP method is using that same TLS method.

    EntraID works as expected for Authorization (eventually...). Everything functions as expected; the only issue is that it seems to 'spin its wheels' for a while trying to find that user in the local database, which doesn't exist. The authentication process is taking ~3.5 seconds to complete because of this. Very similar settings with an AD auth source enabled, where it can find the user in AD, complete MUCH faster. We are just trying to remove all reliance on AD and move to EntraID, thus removing AD from Auth Sources.




  • 6.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 30, 2025 06:26 PM

    Have you tried this with [Endpoints Repository] set as the authentication source rather than [Local User Repository]?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 31, 2025 12:37 PM

    Endpoints Repository as an Auth Source fails completely when both TEAP and TLS are active on the Service. This is interesting because I THOUGHT that this issue was fixed by disabling Require Auth in the TLS service, as I had tested this in the lab. Both these issues together make me think that Require Auth is not really disabling even though I have it un-checked? Just to be sure I went back and checked the box, saved it, tested (same issue), then un-checked it, saved, and STILL the same issue.

    This is what happens with the combination of TEAP, TLS, and Endpoints Repository. If I remove TLS from the service this goes away. If I remove Endpoints Repository this goes away. It's the combination of those three settings.

    As a test, I removed the TLS auth method, and everything worked fine (and it found the device in the endpoint repository, so even TEAP alone is still trying to 'Authenticate' the connection in the Endpoints DB).




  • 8.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 31, 2025 03:11 PM

    Disabling the authz check just means that the matching of the supplied username to a valid account doesn't have to happen during the authn check, not that the lookup doesn't happen. The source(s) specified in the Auth Source are still checked for the purpose of the authorization step.

    There are likely still some other issues in your configuration based on the alerts you are receiving; the identity privacy shouldn't be causing alerts, as that works just fine with EAP-PEAP. But I've also never seen someone attempt TEAP against Entra ID and there be no discussion of the Intune extension.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 31, 2025 03:33 PM

    That could be; it still does the lookup, just doesn't completely fail if not found. I can't tell based on what I'm looking at now if the 'delay' I am seeing is due to the failed lookups, or if that is just EntraID AuthZ delay, because in my test with Endpoints Repository it found the device immediately, but I still had lots of log messages, and the only other thing going on would be the AuthZ stuff.

    It just seems to me that the implementation is 'clunky' when EntraID is used as a complete replacement for AD; hopefully that gets better in the future.

    And FYI my Intune extension is configured and working as expected. I'm basically set up exactly how any of the published TEAP guides are configured, but those all have AD as an Auth source; I do not, and instead have EntraID as an AuthZ source.




  • 10.  RE: TEAP with EntraID - Authentication Source Issue

    Posted Jan 31, 2025 03:40 PM

    The device is found immediately because the lookup is based on the MAC address rather than a non-existent user account.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------