Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Change default Certificate AP-205

  • 1.  Change default Certificate AP-205

    Posted Feb 03, 2017 05:33 AM

    Hello,

    We bought two AP-205s to build our WLAN new from the ground up.

    Everything worked fine. I created two WiFi networks, one for our employees and one for our customer.

    The productive network is secured with a WPA2-Enterprise RADIUS server, so that the employees have to log in with their AD user credentials. It works fine, but when they connect they get the message that the certificate is not known.

    After that I added our certificate server as a CA, and now every client within our domain no longer gets the message. Only devices like mobile phones still get the error. I think up to this point everything works flawlessly.

    But what is the best practice to get a certificate and a CA that every device trusts, and is there a cheap option?

    Thanks for your help.

  • 2.  RE: Change default Certificate AP-205

    EMPLOYEE
    Posted Feb 03, 2017 08:40 AM

    Is this an Instant AP?

    If yes, please use the OpenSSL instructions here: http://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025 to generate a CSR to submit to a certificate authority.

    There are a number of low-cost certificate authorities, but we cannot endorse any here. Maybe some of the users in the community can suggest their low-cost favorites.
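
An added example, not part of the replies above and not taken from Aruba's linked instructions: a generic OpenSSL way to produce the CSR mentioned in reply 2 and to check it before submitting it to a CA. The hostname, organisation name, file names and the helper names `make_csr` and `check_csr` are assumptions.

```shell
#!/bin/sh
# Added example. make_csr/check_csr, file names and the DN values are assumptions.

# make_csr <fqdn> <outdir>: create a 2048-bit RSA key and a CSR for <fqdn>.
make_csr() {
    fqdn=$1; dir=$2
    mkdir -p "$dir" || return 1
    # Request config: no prompting, SAN matching the CN, server-auth usage.
    # A CA may ignore or override requested extensions when it issues.
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
O = Example Corp
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth
EOF
    # umask 077 keeps the private key unreadable by other local users.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -out "$dir/server.csr" || return 1
}

# check_csr <csr> <key> <fqdn>: succeed only if the CSR self-signature verifies,
# it carries <fqdn> as a DNS SAN, and its public key matches the private key.
check_csr() {
    csr=$1; key=$2; fqdn=$3
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$csr" -noout -text | grep -qF "DNS:$fqdn" || return 1
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}
```

Typical use is `make_csr radius.example.com ./out && check_csr ./out/server.csr ./out/server.key radius.example.com`; only `server.csr` goes to the CA, the key stays on the server.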



  • 3.  RE: Change default Certificate AP-205

    EMPLOYEE
    Posted Feb 03, 2017 08:42 AM

    For the long answer to your question on what (type of) certificate to use for 802.1X/RADIUS, please check out the ClearPass Certificates 101 TechNote, which can be found here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx

    In many cases, a certificate from your private CA is a good pick, and it has the 'issue' that clients that are not controlled by your company will get the certificate warnings. If you pick a public CA things may be better, but still many clients will prompt on first connect. As a rule of thumb, if you have mostly domain-connected computers, or you have another way to provision the SSID to devices (like with Mobile Device Management, or ClearPass Onboard), the private CA seems the best choice. If you have mostly uncontrolled clients (like students, BYOD), a public CA seems the better choice.

    What you see is fully expected.

    The mentioned Certificates 101 document goes into more depth on this topic.

    Herman