on 04-07-2016 12:02 PM
I'm curious to know if any other higher ed customers are using ClearPass to implement EAP-TLS. For those that have, I'm trying to evaluate pros/cons of using ClearPass as the CA or trying to use SCEP and leverage our existing AD as the CA.
I appreciate your feedback!
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
on 04-24-2016 04:27 AM
Under the assumption that you are referring to Onboarding, some ideas:
- If you have an existing CA, and the tooling to enroll/provision/manage the certificates to/on clients, that might be your first choice. Think of scenarios like Active Directory connected Windows Clients, Mobile devices that are under Mobile Device Management (MDM/EMM). You have control over those clients, and typically can automate the certificate actions without user intervention.
- If you do not control your clients, which is probably the case in many education environments, you can use ClearPass Onboard to let users request and provision their own certificates; and you can use either the ClearPass internal CA (easiest, isolated) or an existing Microsoft CA (AD integrated) during Onboarding. If you have other mechanisms to distribute the certificates, that may be an option as well; however, ClearPass Onboard specifically solves the management and end-user part of the process pretty well, in a way that you don't need to have your users run through pages-long instructions to get on the network. It is all pretty automated.
Then, there is another question to be answered, and that is whether to use the Onboard CA or another CA. If you need to create an 'enterprise trust', and want to use client certificates not only for authenticating to the network, but also for authenticating to all kinds of other (web) applications, a full blown CA may be your better choice. A full blown CA comes with stricter enrollment procedures, as the client certificate does not only provide access to the wireless network, but potentially to all your resources and applications on the network. You'd better be sure that you only give out such a cert to the right person. If you don't have such a broad trust requirement, the Onboard CA is your better choice. Certificates issued by the ClearPass Onboard CA are only valid to authenticate to the wireless. So no (less) need to do very strict control on the certificate issue process, much easier to implement, reliable, and already available out of the box. My personal preference is to use the built-in ClearPass Onboard CA whenever possible, and avoid any links to corporate CAs for the Onboarding process.
As a summary: if you have automation tools in place for controlled systems, use those. If you do not control your endpoints, then only if you have an existing PKI/CA strategy in place, and you have a requirement to extend that infrastructure to your onboarding process, only then use an external CA.
These are generic points; so it is always good to have your specific situation validated by an expert. Certificate things can become complex, another reason to reduce complexity as much as you can.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.