PEAP-TLS: Microsoft Supplicant configuration (Windows 7) and Aruba ClearPass




This document describes how to configure ClearPass and Windows 7 for PEAP-TLS (Microsoft PEAP with client certificate authentication). ClearPass Policy Manager version 6.2.4 was used to test and create the procedure below; earlier versions of ClearPass should work similarly.

PEAP-TLS uses EAP-PEAP as the outer tunnel (authentication session protection) and EAP-TLS as the inner tunnel (authentication). Using PEAP as the outer tunnel allows the use of Microsoft NAP for posture assessment. First, EAP-PEAP will be configured; later in this document that will be extended with basic Microsoft NAP posture. Certificates were enrolled from a Windows 2008R2 domain controller running the Microsoft Enterprise PKI (Certificate Services).

Document version is 1.0-20140114. Please send updates for this document to hrobers at arubanetworks.com.

ClearPass Configuration

In the Service Authentication tab, select both the TLS and PEAP authentication methods, select your AD as the authentication source, and configure Strip usernames, because the certificate contains the username as user@domain.tld and AD recognizes only the user part.

The EAP-TLS OCSP entry is an EAP-TLS authentication method with OCSP configured. OCSP is optional; during testing you may want to skip OCSP and Authorization. Also optional: in the role mapping you may use information from the certificate (like Subject-DN in the screenshot below) or from AD (like Authorization:dc-02.nl:Groups in the screenshot below):

Microsoft Supplicant configuration (Windows 7)

Configure WPA2-Enterprise and PEAP on the Security tab of the network configuration, then go to the PEAP Settings. In the PEAP Settings configure server certificate validation (you may leave this turned off during testing), and select the authentication method Smart card or other certificate. Note that Enforce Network Access Protection is an option here; it is not with EAP-TLS!

In Configure, configure the server certificate validation again, now for the inner TLS tunnel (the previous configuration was for the outer PEAP tunnel). For client certificates enrolled from the AD Microsoft Enterprise CA to your computer, select Use a certificate on this computer.

Return to the top level of the Security tab and press Advanced settings. Here you can select whether a user certificate should be used (User authentication), the computer certificate (Computer authentication), or whether your system should switch from a computer certificate when no user is logged in to a user certificate when a user is logged in:

Note that when switching from Computer to User authentication, a short interruption of network connectivity will occur. If you also switch VLANs (a different VLAN for computer authentication than for user authentication), use the Enable single sign on for this network option. The safe value in most cases is to use only computer authentication, as that is always available; but that will not allow you to create user-based policies.

First time connect

On the first connect you are asked for more information: select your certificate. This prompt appears only if you have more than one client certificate.

Validating the authentication in the ClearPass Access Tracker

The Access Tracker shows successful authentications if everything is configured correctly:

Adding Microsoft NAP to the Service

One of the reasons to use PEAP-TLS is Microsoft NAP, which requires PEAP as the outer tunnel. This section shows how to create and validate a basic NAP policy. Note that posture processing is part of ClearPass OnGuard, and OnGuard licensing applies. Each ClearPass appliance comes with a 25 device Enterprise license, which makes OnGuard available for 25 devices without additional licensing.

ClearPass Service configuration

In the ClearPass service, enable Posture under the Service tab. The Posture tab should now appear. On the Posture tab create a NAP service. Leave Posture Servers empty, as ClearPass has a posture server built in:

Windows 7 client configuration

Enabling NAP on Windows 7 takes several steps:

1. The NAP Agent is disabled by default. Turn it on in Services: open Network Access Protection Agent, start it and set its startup type to Automatic.
2. Wired Zero Config (802.1X) is disabled by default. If you want to do NAP on wired (not WLAN), turn on the Wired AutoConfig service and set it to start automatically.
3. WLAN Zero Config (802.1X) is enabled by default; leave it that way if you want NAP over WLAN.
4. Enable the NAP client components: run napclcfg.msc, go to "Enforcement Clients" and enable "EAP Quarantine Enforcement Client".

NAP only works on PEAP-secured connections. Enable NAP in the supplicant on the client under PEAP Settings:
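The four client steps above can be applied and verified from an elevated PowerShell prompt; this is an added example, not part of the original document. It assumes NAP is wanted on both wired and WLAN, and the enforcement client ID 79623 is Microsoft's identifier for the EAP Quarantine Enforcement Client (not stated on this page; confirm it with "netsh nap client show config").

```powershell
# Added example (not from the original document): automate the Windows 7 NAP
# client prerequisites and verify the result. Run in an elevated PowerShell.
# Assumes NAP on both wired (dot3svc) and wireless (wlansvc) 802.1X.
$services = @(
    @{ Name = 'napagent'; Reason = 'Network Access Protection Agent (step 1)' },
    @{ Name = 'dot3svc';  Reason = 'Wired AutoConfig, 802.1X on wired (step 2)' },
    @{ Name = 'wlansvc';  Reason = 'WLAN AutoConfig, 802.1X on WLAN (step 3)' }
)

foreach ($svc in $services) {
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    if ($s -eq $null) {
        Write-Warning ("{0} not present: {1}" -f $svc.Name, $svc.Reason)
        continue
    }
    # Automatic start, so NAP and 802.1X survive a reboot.
    Set-Service -Name $svc.Name -StartupType Automatic
    if ($s.Status -ne 'Running') { Start-Service -Name $svc.Name }
    Write-Host ("{0,-10} {1,-8} ({2})" -f $svc.Name, (Get-Service -Name $svc.Name).Status, $svc.Reason)
}

# Step 4: enable the EAP Quarantine Enforcement Client (the napclcfg.msc step).
# 79623 is Microsoft's enforcement client ID for EAP (assumption: verify it in
# the "show config" output below before relying on it).
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"

# Verification: the EAP enforcement client must be enabled and the NAP agent
# running, otherwise the supplicant's "Enforce Network Access Protection"
# PEAP setting cannot report posture to ClearPass.
netsh nap client show config
netsh nap client show state
```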

Validation in the Access Tracker

The Access Tracker should now show the posture status of the device:

Disable anti-virus on the client

Now disable the antivirus to become non-compliant. Note the yellow exclamation sign on the network icon in your taskbar as an indication that something is wrong.

Infected in Access Tracker

In the CPPM Access Tracker, a new request came in:

Using posture status in your policy

You can now use Tips:Posture in your enforcement policy: