EAP-PEAP Authentication With ClearPass And AD

Tutorial on how to configure EAP-PEAP Authentication with ClearPass and AD Domain Controller

Join ClearPass to Active Directory Domain

  1. Login to the ClearPass VM as appadmin via SSH to verify that NTP & Timezone are configured properly and the local time is the same as on the Windows 2019 AD Domain Controller.
[appadmin@CP01]# show date

Mon Jan 18 20:47:40 +08 2021

[appadmin@CP01]# show ntp

===========================================
          NTP Server Information
-------------------------------------------
Primary   NTP  :    time.windows.com

Secondary NTP  :    <not configured>
===========================================

[appadmin@CP01]# show timezone

Timezone is set to 'Asia/Kuala_Lumpur'

Verify NTP & Timezone via WebUI

Verify that the DNS server is pointing to AD/DNS, and click Join AD Domain in Administration > Server Manager > Server Configuration

Enter the FQDN of the Domain Controller with the credentials of a Domain Administrator and click Save to join the AD Domain

Add AD as Authentication Source

  1. Go to Configuration > Authentication > Source and click Add

  2. Enter a Name for the Authentication Source and select Active Directory. Click Next to continue

  3. Enter the hostname of the AD Domain Controller with the credentials of a Domain Administrator. Click Search Base DN to verify that the LDAP connection is established successfully.

  4. Click Next to accept the default values on the Attributes page and review the final configuration of the Authentication Source. Click Save

  5. Test login credentials against Active Directory via SSH with "ad auth -u USERNAME -n NETBIOS_DOMAIN"
[appadmin@CP01]# ad auth -u uat2 -n AVENTISLAB
Password:
NT_STATUS_OK: Success (0x0)

AD Users & Groups

Created the following users and groups in AD Domain Controller

  • UAT1 – Staff Group
  • UAT2 – Student Group
Get-ADGroup -Identity Staff | Get-ADGroupMember | Select Name, DistinguishedName

Name      DistinguishedName                       
----      -----------------                       
UAT1 TEST CN=UAT1 TEST,OU=UAT,DC=AventisLab,DC=com

Get-ADGroup -Identity Student | Get-ADGroupMember | Select Name, DistinguishedName

Name      DistinguishedName                       
----      -----------------                       
UAT2 TEST CN=UAT2 TEST,OU=UAT,DC=AventisLab,DC=com

Enforcement Profile

An Enforcement Profile is responsible for applying one or more actions based on the conditions that are matched in the Enforcement Policy.

Create the following two Enforcement Profiles in Configuration > Enforcement > Profiles

  • UAT-Staff Enforcement Profile
  • UAT-Student Enforcement Profile

Create UAT-Staff Enforcement Profile from Aruba RADIUS Enforcement Template with action = allow selected. Click Next-> to continue

Enter Staff in the Value box and click Next-> to continue

Review the final configuration and click Save

Repeat the same steps to create UAT-Student Enforcement Profile

Roles and Role Mapping Policy

A Role Mapping Policy ties together distinguishable authentication attributes to a named role that ClearPass can reference and re-use in Enforcement Policy decisions.

Create the following two Roles in Configuration > Identity > Roles

  • UAT-Staff Role
  • UAT-Student Role

Enter Name for the new Role and click Save

Create a new Role Mapping called UAT-Role Mappings in Configuration > Identity > Role Mappings

Name it as UAT-Role Mappings and change the default role to Guest. Click Next to continue

Click Add Rule to add the following two rules

  • Type = Authorization:AD-AventisLab.com
  • Name = memberOf
  • Operator = CONTAINS
  • Value = CN=Staff – Role Name : UAT-Staff Role
  • Value = CN=Student – Role Name : UAT-Student Role

Verify that UAT-Role Mappings is configured as below and click Save

Enforcement Policy

An Enforcement Policy assigns Enforcement Profiles based on the ClearPass role assigned to the session. TIPS = Trust and Identity Policy System = ClearPass role

Create a UAT-Enforcement Policy with Default Profile = [Deny Access Profile] in Configuration > Enforcement > Policies. Click Next to continue

Add the following two conditions and click Next to continue

  • Type = Tips
  • Name = Role
  • Operator = MATCHES_ANY
  • Value = UAT-Staff Role – Profile Name : UAT-Staff Enforcement Profile
  • Value = UAT-Student Role – Profile Name : UAT-Student Enforcement Profile

Verify that UAT-Enforcement Policy is configured as below and click Save
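The two rule sets above (UAT-Role Mappings and UAT-Enforcement Policy) can be traced for a given AD user with the following model. This is an added example, not ClearPass code or part of the original post: it assumes the role mapping evaluates all rules and the enforcement policy stops at the first applicable rule (the ClearPass defaults), and the sample users and the extra "Staff-Contractors" group are constructed to show that CONTAINS is a substring test.

```python
# Added example (not from the original post): a minimal model of the
# UAT-Role Mappings and UAT-Enforcement Policy configured above, so the
# decision path for an AD user can be traced offline. Rule names and values
# mirror the tutorial; the sample users below are constructed.

DEFAULT_ROLE = "Guest"                  # default role in UAT-Role Mappings
DENY = "[Deny Access Profile]"          # default profile in UAT-Enforcement Policy

# Role mapping rules: Authorization:AD-AventisLab.com memberOf CONTAINS value -> role
ROLE_RULES = [
    ("CN=Staff", "UAT-Staff Role"),
    ("CN=Student", "UAT-Student Role"),
]

# Enforcement rules: Tips:Role MATCHES_ANY roles -> enforcement profile
ENFORCEMENT_RULES = [
    (["UAT-Staff Role"], "UAT-Staff Enforcement Profile"),
    (["UAT-Student Role"], "UAT-Student Enforcement Profile"),
]


def map_roles(member_of):
    """Evaluate every role mapping rule (assumed 'evaluate all'): each rule whose
    value is a substring of any memberOf DN adds its role; none -> default role."""
    roles = [role for needle, role in ROLE_RULES
             if any(needle in dn for dn in member_of)]
    return roles or [DEFAULT_ROLE]


def enforce(roles):
    """Assumed first-applicable evaluation: return the profile of the first rule
    whose MATCHES_ANY list intersects the session roles, else the default."""
    for match_any, profile in ENFORCEMENT_RULES:
        if any(r in roles for r in match_any):
            return profile
    return DENY


def decide(member_of):
    """Full path: AD memberOf attribute -> TIPS roles -> enforcement profile."""
    roles = map_roles(member_of)
    return roles, enforce(roles)


# Constructed sample users (DN layout follows the tutorial's OU=UAT,DC=AventisLab,DC=com)
UAT1 = ["CN=Staff,OU=UAT,DC=AventisLab,DC=com"]
UAT2 = ["CN=Student,OU=UAT,DC=AventisLab,DC=com"]
ADMIN = ["CN=Domain Admins,CN=Users,DC=AventisLab,DC=com"]    # neither group -> Guest -> deny
CONTRACTOR = ["CN=Staff-Contractors,OU=UAT,DC=AventisLab,DC=com"]  # substring match on "CN=Staff"

if __name__ == "__main__":
    for name, groups in [("UAT1", UAT1), ("UAT2", UAT2), ("Admin", ADMIN), ("Contractor", CONTRACTOR)]:
        print(name, decide(groups))
```

The Contractor case shows why a practitioner may prefer the rule value to carry the full group DN (or use an EQUALS-style operator) rather than a bare "CN=Staff" prefix.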

Services

Verify Access License is installed in Administration > Server Manager > Licensing

Create a new Service from the Aruba 802.1X Wireless template in Configuration > Service Template & Wizard

Enter a Name Prefix called UAT-ArubaWIFI Service and click Next

Select AD-AventisLab.com as Authentication Source and click Next

Enter Name, IP Address of the Controller and RADIUS Shared Secret and click Next

Click Next to accept the default setting for Posture Settings

Just enter some information to complete this step, as we are going to use the UAT-Enforcement Policy created earlier. Click Add Service to complete

Double click on the newly created UAT-ArubaWIFI Service Aruba 802.1X Wireless

Change the Name to UAT-ArubaWIFI Service – Optional Step

Assign UAT-Role Mapping in Role Tab

Change the Enforcement Policy to UAT-Enforcement Policy and click Save

Highlight UAT-ArubaWIFI Service and click Reorder to move it to the top

Move it to the 2nd position from the top and click Save

Testing EAP-PEAP Authentication With ClearPass And AD

Option 1 – Distribute the Aruba Self-signed Certificate with GPO

Export the SSL Certificate used for RADIUS/EAP Server Certificate from ClearPass

Convert the PEM to CRT format with openssl

openssl x509 -outform der -in RADIUSServerCertificate.pem -out RADIUSServerCertificate.crt

Import RADIUSServerCertificate.crt into Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities to distribute it to all domain-joined computers for PEAP Authentication

Option 2 – Import AD Root Certificate and use it for EAP

Import the AD Root Certificate by following this link

Select the AD Root Certificate for Service Certificate for UAT-ArubaWIFI Service in Configuration > Services > UAT-ArubaWIFI Service > Authentication

The following error messages are displayed in Access Tracker if a computer tries to connect to the WiFi without the Root Certificate installed

  • EAP-PEAP: fatal alert by client – unknown_ca
  • TLS Handshake failed in SSL_read with error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

Login to Windows 10 with AVENTISLAB\Administrator and view the log from Monitoring > Live Monitor > Access Tracker

Login to Windows 10 with AVENTISLAB\UAT1, who is a member of Staff, and view the log in Monitoring > Live Monitor > Access Tracker

Login to Windows 10 with AVENTISLAB\UAT2, who is a member of Student, and view the log in Monitoring > Live Monitor > Access Tracker
