
ClearPass Onboard CA vs Microsoft PKI

Hi all, I'm looking for a few major points regarding ClearPass as the issuing CA through OnBoard vs. using Microsoft PKI to distribute certificates to devices via group policy.

Please correct this if it's wrong:

(Assuming single SSID)

OnBoard CA - Requires user to authenticate via EAP-PEAP to SSID, perform PAP authentication on enrollment page, go through enrollment process and then reconnect using EAP-TLS. ClearPass manages the certificates and can validate its own certificates as valid. Requires manual enrollment by each user.

Microsoft PKI - Requires ADCS with autoenrollment enabled, can push certificate to machines / user accounts via group policy. User does not need to touch anything, admin handles everything. Need to create custom auth method to verify OCSP from ADCS. Microsoft manages certificates and can validate their validity via the OCSP auth method. Need to add Root CA to trust list.

With Microsoft PKI, the wireless service only needs to permit EAP-TLS as an authentication method, as no EAP-PEAP would be required.

My thoughts are - Microsoft PKI involves less user interaction, but more admin interactions to set everything up properly. OnBoard CA requires users to do some work, but then provides a single place to manage and validate the certificates. Neither is better than the other, just depends on what the end customer would want.

Any additional thoughts or suggestions or corrections to my logic?

Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Guru Elite

Re: ClearPass Onboard CA vs Microsoft PKI

1) You should never use single SSID Onboard.

2) ADCS + Onboard integration is only recommended if required by security policy. It's always a good practice to separate trust domains between corporate auto-issuance and self-enrollment.

3) ClearPass does not replace certificate enrollment for AD-joined managed Windows devices. That should still be done automatically via GPO and ADCS.

Assisted Onboarding is not designed for corporate assets.

Other platforms managed via EMM should be configured to use ClearPass as the CA, but use autoenrollment via SCEP or EST.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Onboard CA vs Microsoft PKI

That's really good info - I know OnBoard was originally designed for onboarding personal devices onto corporate SSIDs.

So to shorten the answer, any domain-joined Microsoft PCs should be issued certificates from the Microsoft PKI environment using ADCS and ClearPass should be used to simply validate the certificate information and validity?

Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Guru Elite

Re: ClearPass Onboard CA vs Microsoft PKI

Just to clarify. Onboard is the entire CA functionality. What I call Assisted Onboard is the wizard-like interface for end user self-enrollment.

Onboard CAs can (and should) be used for non-Windows corporate assets like macOS and smartphones tha

Best practice is to create a managed device CA and a personal/BYOD CA on top of any other infrastructure CAs (NADs, RadSec, etc).

RE: domain-joined Windows, yes.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
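The trust-domain separation Tim describes (points 2 and 3 of his first reply, and the managed-device CA vs. personal/BYOD CA split in the last one) can be seen directly with openssl: a server whose trust list holds only one root accepts EAP-TLS client certificates chained to that root and rejects leaves from the other CA. This is an added example, not code from the thread or from ClearPass; the CA names (managed, byod) and device names (laptop01, phone01) are constructed.

```shell
#!/bin/sh
# Added example: two separate trust domains, a managed-device CA and a BYOD CA.
# Whichever root is on the RADIUS server's trust list decides which client
# certificates validate. CA and device names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed root CA (key + cert) for one trust domain.
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" -days 365 \
        -subj "/CN=$1 CA" >/dev/null 2>&1
}

# issue_leaf CA_NAME DEVICE: enroll a device in one trust domain
# (device CSR signed by that domain's CA).
issue_leaf() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" \
        -CAkey "$WORK/$1-ca.key" -CAcreateserial -out "$WORK/$2.crt" \
        -days 30 >/dev/null 2>&1
}

# verify_against CA_NAME DEVICE: exit 0 when the device cert chains to that CA,
# i.e. what a server whose trust list holds only that root would decide.
verify_against() {
    openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca managed
make_ca byod
issue_leaf managed laptop01   # corporate asset (the GPO/ADCS or SCEP/EST case)
issue_leaf byod phone01       # self-enrolled personal device

# Each root only vouches for its own enrollees; cross-domain pairs are rejected.
for pair in "managed laptop01" "managed phone01" "byod phone01" "byod laptop01"; do
    set -- $pair
    if verify_against "$1" "$2"; then
        echo "trust list [$1 CA]: $2 accepted"
    else
        echo "trust list [$1 CA]: $2 rejected"
    fi
done
```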