Hi all, I'm looking for a few major points regarding ClearPass as the issuing CA through OnBoard vs. using Microsoft PKI to distribute certificates to devices via group policy.
Please correct this if it's wrong:
(Assuming single SSID)
OnBoard CA - Requires user to authenticate via EAP-PEAP to SSID, perform PAP authentication on enrollment page, go through enrollment process and then reconnect using EAP-TLS. ClearPass manages the certificates and can validate its own certificates as valid. Requires manual enrollment by each user.
Microsoft PKI - Requires ADCS with autoenrollment enabled, can push certificate to machines / user accounts via group policy. User does not need to touch anything, admin handles everything. Need to create custom auth method to verify OCSP from ADCS. Microsoft manages certificates and can validate their validity via the OCSP auth method. Need to add Root CA to trust list.
With Microsoft PKI, the wireless service only needs to permit EAP-TLS as an authentication method, as no EAP-PEAP would be required.
My thoughts are - Microsoft PKI involves less user interaction, but more admin interactions to set everything up properly. OnBoard CA requires users to do some work, but then provides a single place to manage and validate the certificates. Neither is better than the other, just depends on what the end customer would want.
Any additional thoughts or suggestions or corrections to my logic?