06-12-2014 01:52 AM
A customer who is a hardware manufacturer plans to deploy certificates to the hardware they build, to be able to authenticate the device when connecting to an 802.1X network.
Can ClearPass do PKI-based authentication if the PKI is a third-party CA and the device is a custom device trying to authenticate to the network by providing a certificate as its credential?
Jonas Erlund Hammarbäck
06-12-2014 03:13 AM
06-12-2014 03:24 AM
Adding the root certificate shouldn't be an issue, and I suppose the customer will have certificates for client authentication. Otherwise I need to advise them to implement this.
How do I configure the service to handle this logon request? There is no option to use "PKI" or "PKCS11" as the authentication source.
06-12-2014 04:51 AM - edited 06-12-2014 04:54 AM
Couple of things.
Is your CA set up to do OCSP, or will you be using a CRL? For all 3 scenarios below, use the Endpoint Repository as your authentication source.
- If it's a CRL, you will need to add the CRL URL under Administration > Certificates > Certificate Revocation Lists. Then use the [EAP-TLS] authentication method.
- If it's OCSP and you want to use the OCSP URL that is provided in the certificate, create a new EAP-TLS method and choose Required under "Verify Certificate using OCSP".
- If you want to override the OCSP URL, you'll want to create a new EAP-TLS method and use "Override OCSP URL from Client". Then enter your OCSP URL.
06-12-2014 05:16 AM
At the moment I don't have any information if the PKI will have CRL or OCSP. The PKI solution will be implemented by the customer.
If I use the Endpoint Repository as the authentication source, does that require all devices to be imported into the Endpoint Repository to be able to successfully authenticate?
I don't know the number of devices the customer manufactures per year, but I assume between 100 000 and 1 000 000 devices.
The device will only use this authentication when the end customer brings the device to an authorized service workshop and the device connects to the diagnostic tools at the workshop.
Thus I don't think it would be possible to prepopulate the Endpoint Repository with all devices.
So my question: will the authentication work even though the device isn't in the Endpoint Repository?
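An added example, not from this thread or from Aruba, that models what the EAP-TLS check discussed above amounts to: the authenticator trusts the customer's root CA and consults that CA's CRL, so a device is accepted on the strength of its certificate alone and rejected once revoked, with no per-device entry anywhere. It assumes openssl is on the PATH; every name, subject and path is a constructed placeholder.

```shell
#!/bin/sh
# Constructed demo of CA-anchored EAP-TLS trust plus CRL revocation (not ClearPass code).
set -e
WORK=$(mktemp -d); cd "$WORK"

# 1. The customer's third-party root CA: the only trust anchor the RADIUS server needs.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
    -subj "/CN=Example Device Root CA" 2>/dev/null

# 2. A device certificate issued at manufacturing time; the device is never registered.
openssl req -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
    -subj "/CN=device-serial-000123" 2>/dev/null
openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out dev.crt -days 365 2>/dev/null

# 3. Minimal CA database so the CA can publish a CRL (placeholder config).
touch index.txt; echo 1000 > crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
issue_crl() {
    openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out ca.crl 2>/dev/null
}

# verify_device: 0 when the chain validates to the root AND the cert is not on the CRL,
# which is exactly the decision EAP-TLS with CRL checking makes; no device list involved.
verify_device() {
    openssl verify -CAfile ca.crt -CRLfile ca.crl -crl_check dev.crt >/dev/null 2>&1
}

issue_crl
verify_device && echo "unrevoked device: accepted using only the root CA and CRL"

# 4. Revoke the device certificate (lost or compromised unit) and publish a fresh CRL.
openssl ca -config ca.cnf -revoke dev.crt -keyfile ca.key -cert ca.crt 2>/dev/null
issue_crl
if verify_device; then echo "BUG: revoked device accepted"; else echo "revoked device: rejected"; fi
```

Until the new CRL is published and fetched, the revoked device is still accepted, which is the latency that OCSP in the earlier reply is meant to remove.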
06-12-2014 05:28 AM
06-12-2014 05:32 AM