Controllerless Networks


IAP and TLS cert authentications

  • 1.  IAP and TLS cert authentications

    Posted Sep 23, 2015 06:31 AM

    Hi,

    I need to understand how I can configure my IAP infrastructure to implement TLS certificate authentication.

    The goal is "the client has to verify the server certificate" and "the server has to verify the client certificate"; for both certificates the CA is the same.

    Can you help me?

    Best regards

    Andrea



  • 2.  RE: IAP and TLS cert authentications

    EMPLOYEE
    Posted Sep 23, 2015 06:45 AM

    As long as your clients have the Root CA in the trusted root store, you shouldn't have to worry, unless you are going to do termination on the IAP.



  • 3.  RE: IAP and TLS cert authentications

    Posted Sep 23, 2015 07:05 AM

    OK.

    I have a ClearPass and various IAPs.

    I need the client to have access only if it has AD credentials and a certificate signed by the customer CA on the device, and the client needs to verify that the server has a certificate issued by the same CA.

    How can I implement it?

    Best regards



  • 4.  RE: IAP and TLS cert authentications

    EMPLOYEE
    Posted Sep 23, 2015 07:41 AM

    Andrea:

    All the work will need to be on the client side and the ClearPass side.

    Here is the minimum you need to have done:

    - The IAP just needs to be set up with WPA2-Enterprise and point to the ClearPass as the RADIUS server.

    - The client needs a user certificate generated by a certificate authority (that CA can be the built-in Onboard CA).

    - ClearPass needs to have a service configured with the EAP-TLS authentication method AND have the CA certificate that issued the client certificate in its trusted CA store.

    That is all you need. There is no AD tie-in required or needed. You can configure authorization on the EAP-TLS authentication method so that the username on the certificate is checked against AD to see that the user account on the certificate still exists in AD, but that is optional. You should work on getting the minimum done first.