Hello Herman, I agree with René; good and straightforward video. On a small note for everyone who, just like me, tries to reproduce what Herman is building: when you configure the Certificate Authority you need to have Certificate Templates which have Auto enroll enabled. Otherwise you don't get the certificate pushed. I myself copied the 'Workstation Authentication' and 'User' Templates. Then in the Security tab I enabled auto enrolment for Domain Computers and Domain Users respectively.
Rens, thanks for adding that. I do see that I have indeed an Arubalab User template in my CA. I set up the CA far before I recorded the video, so I had to depend on my memory for what I had to change in the past. I'm not sure if the Computer template had to be replicated, and I'm pretty sure that in older versions of Windows Server, like 2003 Server, you HAD to copy the templates in order to make things work. It seems that in Server 2016, which I used for this workshop, the templates are a better fit and need less modification. If I find time, I might redo the AD server installation and CA installation; that is just a lot of work ;-) I think with your suggestion most people should be able to reproduce the automatic certificate enrollment.
Great Job Herman!
Hello Herman,
Is there any video for Mac OS X machine authentication, the same as above as you did for the Windows machine? Our company is trying it for Mac OS machines.
Hi Herman, keep up the good work as these videos are of great help (not easy to find how-to guides on CPPM :-))! If you need suggestions on what to cover in future, I would suggest Onboard.
Hi, Herman's away this week but we'll make sure he gets your suggestion. Thanks for watching!
Got it, and there will be Onboard (planned, and also OnGuard and Guest) in some of the later Workshop videos.
Hi Herman, good and straightforward video. Maybe you can extend the setup with EAP-TLS with OCSP support.
Hi, once again great work. Do you mind covering a little more the Windows settings for EAP-TLS, specifically "validate the server's identity" and "connect to these servers"? The reason I am asking is because I have always tried to make my connection fail by changing the name of the server I am connecting to, but it doesn't matter, it always connects, so I am not sure what the option is for.
@Rene Jorissen: Thanks, good topic. Let me find a good moment to put that in video (for ADCS); may be combined with Onboarding.
ABC Networking, with onboarding it will be perfect, as it fills in those options for you automatically when it downloads the profile.
@Ricardo Villarreal: Good suggestion for a video, let me find a moment to create content around that. In summary, with the validate server identity there are 2 parameters: Connect to these servers and Trusted Root CAs. The 'Connect to these servers' ensures that the name of the RADIUS certificate (in the workshop it is radius.arubalab.loc) matches what you configured there. So if you put radius.arubalab.loc in there, your client should ONLY connect if the presented certificate matches radius.arubalab.loc. In the Trusted Root CAs, you can select that the RADIUS certificate can only be issued by the selected CAs. In our lab, we select our Lab CA. If the client sees the RADIUS cert with the proper name, but from a non-selected CA, it will still refuse to authenticate.
So for a secure deployment:
- Tick: Validate Server Certificate
- Tick: Connect to these servers, and fill in the name (CN/SAN) for your RADIUS certificate(s)
- Tick: the CA that issued your RADIUS certificate.
I like the topic and will schedule a video on this.
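The two supplicant checks described in the reply above (the certificate name must match 'Connect to these servers', and the issuer must be one of the ticked Trusted Root CAs) can be modelled end to end. The following Python is an added example, not code from the video, from ClearPass or from anyone in this thread. It uses the `cryptography` package to build a throwaway lab CA plus a second, constructed "rogue" CA, issues RADIUS server certificates from each, and then applies both checks. The names radius.arubalab.loc and the lab CA come from the comment; the rogue CA, the helper names and the exact-match name comparison are assumptions (the Windows supplicant's own name-matching rules are not reproduced here).

```python
"""Model of the Windows EAP-TLS 'Validate server certificate' decision.

Added example, not from the video or the comment thread. Assumptions: the
rogue CA, all helper names, and exact-match name comparison are constructed here.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID


def _now_naive():
    # cryptography's legacy not_valid_before/after are naive UTC datetimes
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _builder(subject, issuer, public_key):
    now = _now_naive()
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365)))


def make_ca(common_name):
    """Self-signed root CA (stands in for the Windows Server CA of the lab)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (_builder(name, name, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_radius_cert(ca_key, ca_cert, dns_name):
    """Server-auth certificate for a RADIUS server, name in both CN and SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)])
    return (_builder(subject, ca_cert.subject, key.public_key())
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def cert_names(cert):
    """All names the certificate claims: subject CN plus any SAN DNS entries."""
    names = {a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        names.update(san.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    return names


def chains_to(cert, trusted_roots):
    """True if some ticked root CA actually signed this certificate."""
    for root in trusted_roots:
        if cert.issuer != root.subject:
            continue
        try:
            root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue
    return False


def validate_server_cert(cert, trusted_roots, server_names):
    """(accepted, reason): the supplicant's 'Validate server certificate' logic."""
    now = _now_naive()
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False, "certificate expired or not yet valid"
    if not chains_to(cert, trusted_roots):
        return False, "issuer is not a ticked Trusted Root CA"
    # An empty 'Connect to these servers' list skips the name check entirely.
    if server_names and not (cert_names(cert) & set(server_names)):
        return False, "name does not match 'Connect to these servers'"
    return True, "ok"


def demo():
    lab_key, lab_ca = make_ca("Arubalab Root CA")
    rogue_key, rogue_ca = make_ca("Rogue Root CA")  # constructed, not in the lab
    trusted, names = [lab_ca], ["radius.arubalab.loc"]
    return {
        "right name, lab CA": validate_server_cert(
            issue_radius_cert(lab_key, lab_ca, "radius.arubalab.loc"), trusted, names),
        "wrong name, lab CA": validate_server_cert(
            issue_radius_cert(lab_key, lab_ca, "other.arubalab.loc"), trusted, names),
        "right name, rogue CA": validate_server_cert(
            issue_radius_cert(rogue_key, rogue_ca, "radius.arubalab.loc"), trusted, names),
        "names field left empty": validate_server_cert(
            issue_radius_cert(lab_key, lab_ca, "other.arubalab.loc"), trusted, []),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:24s} -> {'accept' if accepted else 'reject'} ({reason})")
```

The last case is the one to watch: with the 'Connect to these servers' field left empty, any certificate from a ticked CA is accepted whatever its name, which is why all three boxes in the list above belong together.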
Yes, that totally makes sense and that is what the theory says all over the internet :) but I have tried to test this in Windows 8.1 and regardless of the name I put for the servers it still connects, which is weird to me.
And thanks for taking the time to reply to our comments.
Another nice video Herman. A question please. Do I need to have both user and machine certificates on a client machine to be able to use "User or Computer authentication" under the client's 802.1x settings? Is it possible to have only machine certificate and still use EAP-PEAP and EAP-TLS without using EAP-MSCHAPv2?
For the setting User or Computer authentication you will need both a user and a computer certificate with EAP-TLS. If you prefer just computer authentication, you should configure your client for Computer authentication only. You cannot mix TLS and MSCHAPv2, for example TLS for computer certificates and MSCHAPv2 for user authentication in PEAP. If you do user & computer, the authentication method has to be the same.
Nice video, so if the cert is created by AD, I can then just import the AD root CA into the ClearPass cert trust list?
Yup, that's basically it.
Excellent video for EAP-TLS.
Hi Herman, can you please help? What if we want to authenticate both with the username and with whether the computer is added to the domain? Like username and computer authentication.
That is a client setting. You can configure your Windows client to do 'User / Computer authentication'; what it will do then is, when connecting, first use the computer account and after that change to user authentication. The ClearPass built-in [Machine Authenticated] role will be applied for computers that have gone through a computer authentication. In the Enforcement stage you can use that (cached) role to put domain authenticated computers in different roles.
@hermanrobers Thank you Herman for your reply. So we cannot avoid configuring something on the client side? I mean doing everything in ClearPass itself and nothing on the client side.
Keep up the good work.
Great... but what if we don't HAVE a bunch of premade certs? What then? Literally the most important part and it doesn't say a word on it.
Herman's using a Windows Server Certificate Authority; he does show that at the beginning and that's assumed, otherwise the video would need to be somewhat longer. I cover CA setup in the last 5 mins of this video: ruclips.net/video/IxXJKWqrA_M/видео.html