Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Onboard CA for provisioning IOS devices

  • 1.  ClearPass and Onboard CA for provisioning IOS devices

    Posted Feb 17, 2017 12:13 PM
    Hi All, I have some confusion with the CA setup required for using OnBoard to provision IOS devices to an SSID. I have a wildcard cert from Entrust; can I import it for the Root CA on ClearPass, or do I need to purchase a new certificate and file the CSR? The documentation is not clear. N


  • 2.  RE: ClearPass and Onboard CA for provisioning IOS devices

    EMPLOYEE
    Posted Feb 17, 2017 01:09 PM
    You should not use a wildcard certificate as the RADIUS / EAP certificate.
    You can, however, use it as the web server certificate.


  • 4.  RE: ClearPass and Onboard CA for provisioning IOS devices
    Best Answer

    EMPLOYEE
    Posted Feb 18, 2017 11:47 AM

    You cannot use your public Entrust certificate as the OnBoard CA, as it is not allowed to sign other certificates; it can only be used to authenticate the ClearPass server to clients. And as Tim said, don't use a wildcard as your RADIUS certificate.

    Regarding documentation, for selecting the right certificates I'd suggest that you check out the ClearPass Certificates 101 Technote (that can be found here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx). There is quite some content about what choices you have to pick the right certificates in your Onboard scenario (you will likely end up initializing a new Onboard CA as root, which is quite easy to do).
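
The two properties this answer turns on can be read straight from a certificate with `openssl`. The script below is an added example, not part of the original post and not ClearPass tooling: it reports whether a PEM certificate is permitted to sign other certificates and whether it carries a wildcard name. The `cert_roles` and `make_cert` helpers, the file names and the `example.test` certificates are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Certificates, names and helper functions are constructed
# for illustration; nothing here is ClearPass tooling.

# cert_roles FILE -> prints "ca=<yes|no> wildcard=<yes|no>"
cert_roles() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    ca=no; wildcard=no
    # Signing other certificates needs basicConstraints CA:TRUE plus keyCertSign.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
       printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
        ca=yes
    fi
    # A wildcard shows up as "*." in the subject CN or in a DNS SAN entry.
    if printf '%s\n' "$text" | grep -Eq '(DNS:|CN ?= ?)\*\.'; then
        wildcard=yes
    fi
    echo "ca=$ca wildcard=$wildcard"
}

# make_cert OUT CN EXT... -> writes a self-signed sample certificate to OUT
make_cert() {
    out=$1; cn=$2; shift 2
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=%s\n[ext]\n' "$cn"
        printf '%s\n' "$@"
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$cfg.key" -out "$out" 2>/dev/null
    rc=$?; rm -f "$cfg" "$cfg.key"; return $rc
}

demo() {
    dir=$(mktemp -d)
    # Shaped like a public wildcard server certificate (end entity).
    make_cert "$dir/wildcard.pem" '*.example.test' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:*.example.test'
    # Shaped like a newly initialised private root CA.
    make_cert "$dir/root.pem" 'Example Onboard Root CA' \
        'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign'
    echo "wildcard.pem: $(cert_roles "$dir/wildcard.pem")"
    echo "root.pem:     $(cert_roles "$dir/root.pem")"
    rm -rf "$dir"
}
demo
```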

     



  • 5.  RE: ClearPass and Onboard CA for provisioning IOS devices

    Posted Feb 22, 2017 12:08 PM
    Thanks, Root CA for BYOD devices, public cert for RADIUS works well. N