Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Onboard Registration Authority w/ ADCS SCEP

  • 1.  ClearPass Onboard Registration Authority w/ ADCS SCEP

    Posted Dec 22, 2016 05:43 PM

    Looking at setting this up for a customer, has anyone set this up yet?

     

    Was introduced in ClearPass 6.6.2.

     

    Any advantages / disadvantages to the old way of ClearPass proxying the Client Cert request to AD web services?



  • 2.  RE: ClearPass Onboard Registration Authority w/ ADCS SCEP

    EMPLOYEE
    Posted Dec 22, 2016 05:48 PM
    The new way allows for ClearPass to only be "aware" of the cert, but not store it.

    Either way is valid.


  • 3.  RE: ClearPass Onboard Registration Authority w/ ADCS SCEP

    Posted Dec 22, 2016 05:55 PM

    Does Aruba have a recommended approach to BYOD certs?

    I've heard a few presentations where SEs recommend using the local Onboard CA only.

     

    Are there any plans to publish any sort of ADCS w/ SCEP integration guides like with the old method?



  • 4.  RE: ClearPass Onboard Registration Authority w/ ADCS SCEP

    EMPLOYEE
    Posted Dec 22, 2016 06:04 PM
    From a purely security best practice (not necessarily Aruba), it's a good
    idea to maintain a complete trust boundary for BYODs. If you issue certs
    from your internal CA to your BYODs, you could inadvertently grant access to
    other services who are doing a basic client certificate check.



    We can add it to the list. Can't give an ETA right now though.
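
Added example, not part of the original thread and not ClearPass or ADCS code: the trust-boundary point from reply 4, reproduced with plain `openssl`. It assumes the "basic client certificate check" is chain validation against a trusted CA and nothing more; every CA name, device name and file name below is constructed.

```shell
#!/bin/sh
# Added illustration: a service that only validates the chain to the internal CA
# cannot tell a BYOD certificate from a corporate one if both come from that CA.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

new_ca() {      # $1 = file stem, $2 = subject CN; creates a self-signed CA
  openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=$2" -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue() {       # $1 = issuing CA stem, $2 = client stem, $3 = client CN
  openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
    -CAcreateserial -days 2 -out "$work/$2.pem" 2>/dev/null
}

basic_check() { # $1 = CA the service trusts, $2 = client stem; chain check only
  if openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

new_ca corp "Constructed Internal CA"       # stands in for the internal (AD) CA
new_ca byod "Constructed BYOD Onboard CA"   # stands in for a dedicated BYOD CA

issue corp laptop        "corp-laptop"      # managed device, internal CA
issue corp byod_internal "byod-phone-a"     # BYOD enrolled against the internal CA
issue byod byod_separate "byod-phone-b"     # BYOD enrolled against the BYOD-only CA

# An unrelated internal service whose trust store holds only the internal CA:
for c in laptop byod_internal byod_separate; do
  printf '%-14s -> %s\n' "$c" "$(basic_check corp "$c")"
done
```

The BYOD certificate issued by the internal CA is accepted by the unrelated service, while the one issued by the separate BYOD CA is rejected there and validates only against a trust store that explicitly contains the BYOD CA.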