Frequent Contributor I
Posts: 72
Registered: ‎12-07-2015

ClearPass and Onboard CA for provisioning IOS devices

Hi All, I have some confusion with the CA setup required for using OnBoard to provision iOS devices to an SSID. I have a wildcard cert from Entrust; can I import it for the Root CA on ClearPass, or do I need to purchase a new certificate and file the CSR? The documentation is not clear. N
Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: ClearPass and Onboard CA for provisioning IOS devices

You should not use a wildcard certificate as the RADIUS / EAP certificate.
You can, however, use it as the web server certificate.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 447
Registered: ‎11-04-2011

Re: ClearPass and Onboard CA for provisioning IOS devices

You cannot use your public Entrust certificate as the OnBoard CA, as it is not allowed to sign other certificates; it can only be used to authenticate the ClearPass server to clients. And as Tim said, don't use a wildcard as your RADIUS certificate.

Regarding documentation, for selecting the right certificates I'd suggest that you check out the ClearPass Certificates 101 Technote (that can be found here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx). There is quite some content about what choices you have to pick the right certificates in your Onboard scenario (you will likely end up initializing a new Onboard CA as root, which is quite easy to do).

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
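
An added example, not part of the original thread or of Aruba's documentation: the restriction described in the post above (a public server certificate is not allowed to sign other certificates) shows up in the certificate's Basic Constraints and Key Usage extensions, and the wildcard question is a name check. The script builds two constructed self-signed certificates with `openssl` and inspects both; the subjects `*.example.test` and `Example Onboard Root CA`, the file names and the function names are assumptions.

```shell
#!/bin/sh
# Constructed example: subjects, file names and function names are made up.
set -eu

# Decode a PEM certificate to text; both checks below grep this output.
cert_text() { openssl x509 -in "$1" -noout -text; }

# True only for a CA certificate that may sign other certificates:
# Basic Constraints CA:TRUE plus Key Usage "Certificate Sign".
can_sign_certs() {
    text=$(cert_text "$1")
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# True if the subject CN or a DNS subjectAltName is a wildcard name.
has_wildcard_name() { cert_text "$1" | grep -Eq 'DNS:\*\.|CN ?= ?\*\.'; }

# Create a throwaway self-signed certificate: make_sample <out> <CN> <ext>...
make_sample() {
    out=$1 cn=$2; shift 2
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=%s\n[ext]\n' "$cn"
        printf '%s\n' "$@"
    } > "$out.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$out.cnf" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Shaped like a public wildcard server certificate (leaf, cannot sign).
make_sample "$work/wildcard.pem" '*.example.test' \
    'basicConstraints=critical,CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:*.example.test'
# Shaped like a private root CA (may sign device certificates).
make_sample "$work/onboard-root.pem" 'Example Onboard Root CA' \
    'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign'

for c in "$work"/*.pem; do
    can_sign_certs "$c" && ca=yes || ca=no
    has_wildcard_name "$c" && wc=yes || wc=no
    echo "$(basename "$c"): can sign certificates=$ca, wildcard name=$wc"
done
```

Running the two functions against a real certificate file gives the same two answers for it: whether it could act as a signing CA at all, and whether it carries a wildcard name.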
Frequent Contributor I
Posts: 72
Registered: ‎12-07-2015

Re: ClearPass and Onboard CA for provisioning IOS devices

Thanks, Root CA for BYOD devices, public cert for RADIUS works well. N