Aruba
Posts: 1,283
Registered: ‎08-29-2007

Clearpass - EAP-PEAP, checking devices have the RootCA.

Hi,

 

I have a customer who wants just a basic EAP-PEAP for their byod, and for them it will be simply internet only after authenticating.

 

That is simple enough, but the problem is that they have an internal CA, so the devices won't have the RootCA installed.  I don't want devices to uncheck the 'validate server certificate' since that is an insecure config.  IT will probably install the RootCA for them, or we'll make it available somewhere for them to do themselves.

 

I was wondering if there is some logic in Clearpass that I can build an enforcement rule with to check if the device has installed and is using the RootCA?

 

We'll be doing onboarding separately for non-domain devices that need access to the corporate network, so for those it is fine.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

No, you can't check if it's there. It's a client-level construct. From the perspective of the server, it doesn't care about the Root CA on the device. It's a client-level check. Sometimes you'll get "unknown CA" as an alert in access tracker which is reported from the client which usually indicates they don't have it or they're configured with the wrong CA.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba
Posts: 1,283
Registered: ‎08-29-2007

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

OK, got it.  I thought as much.

 

What about onboarding, but pushing a network config of EAP-PEAP?  Would that push the RootCA to the device during the process?  Would that consume an onboard licence, given a client cert has not actually been generated?

 

The only other time I've done this setup, the customer had a public cert, so the trust relationship was already there.


Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

Are you doing single SSID onboarding?

Aruba
Posts: 1,283
Registered: ‎08-29-2007

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

Haven't quite decided on that yet.  It will likely be a separate SSID, or a link on the guest login page.


Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

This is really what QuickConnect is designed for.

Aruba
Posts: 1,283
Registered: ‎08-29-2007

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

OK, that's fair enough.

 

Just so I'm clear, when you connect an iOS device to an EAP-PEAP connection, the error that pops up about the server not being trusted, once you accept, it is then trusted?  I mean, if the device goes away and then there is a rogue SSID with a rogue server, will it refuse to connect, or is it a case of the error popping up again?  Sorry, I'm not an Apple person.

 

Not sure about Android, or at least the versions I've tried, they just seem to accept any certificate without warning.

 

Anyhow, just to explain the implications to the customer and be able to offer QuickConnect if need be.


Guru Elite
Posts: 8,036
Registered: ‎09-08-2010

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

The box that pops up is not an error. It's a normal part of the PEAP process. Certificate trust with PEAP is per connection profile (per SSID). That dialog is simply saying, do you trust this server to send your credentials.

If you use QuickConnect, the profile is configured/installed in the background so they never see that box.

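As an added illustration of the reply above (example code, not part of the thread and not Aruba's QuickConnect or Onboard code): what a pushed profile has to contain so that trust is fixed per SSID and the user never sees the trust dialog. It builds an Apple .mobileconfig with plistlib, carrying the internal root CA as its own payload and an EAP-PEAP Wi-Fi payload anchored to that CA with trust exceptions disabled, plus a check a defender can run over any such profile before distributing it. Payload identifiers, the SSID and the RADIUS server name are assumed example values, and the CA bytes are a labelled placeholder.

```python
import plistlib
import uuid

# Constructed placeholder; a real profile carries the internal root CA in DER form.
PLACEHOLDER_ROOT_CA_DER = b"constructed placeholder, not a real certificate"


def _payload(ptype, ident, **fields):
    """Common keys every profile payload needs; identifiers are assumed examples."""
    base = {"PayloadType": ptype, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}
    return {**base, **fields}


def build_peap_profile(ssid, root_ca_der, trusted_server_names):
    """Build a .mobileconfig (XML plist) that installs the root CA and an
    EAP-PEAP Wi-Fi profile anchored to it, so the user never sees a trust prompt."""
    ca = _payload("com.apple.security.root", "com.example.byod.rootca",
                  PayloadContent=root_ca_der)  # serialised as <data>
    wifi = _payload(
        "com.apple.wifi.managed", "com.example.byod.wifi",
        SSID_STR=ssid, AutoJoin=True, EncryptionType="WPA2",
        EAPClientConfiguration={
            "AcceptEAPTypes": [25],  # EAP type 25 = PEAP
            "TLSTrustedServerNames": list(trusted_server_names),
            "PayloadCertificateAnchorUUID": [ca["PayloadUUID"]],  # trust only this CA
            "TLSAllowTrustExceptions": False,  # no click-through on an untrusted server
        })
    profile = _payload("Configuration", "com.example.byod.profile",
                       PayloadContent=[ca, wifi])
    return plistlib.dumps(profile)


def profile_pins_server_trust(profile_bytes):
    """True only if every Wi-Fi payload anchors to a CA payload shipped in the
    same profile, names its RADIUS server(s), and forbids user trust exceptions."""
    prof = plistlib.loads(profile_bytes)
    payloads = prof["PayloadContent"]
    ca_uuids = {p["PayloadUUID"] for p in payloads
                if p["PayloadType"] == "com.apple.security.root"}
    wifi = [p for p in payloads if p["PayloadType"] == "com.apple.wifi.managed"]
    for p in wifi:
        eap = p.get("EAPClientConfiguration", {})
        if (eap.get("TLSAllowTrustExceptions", True)  # absent key: user can click through
                or not eap.get("TLSTrustedServerNames")
                or not set(eap.get("PayloadCertificateAnchorUUID", [])) & ca_uuids):
            return False
    return bool(wifi)
```

A profile that passes the check leaves the client nothing to accept: a server presenting a certificate from any other CA, or with a name not in TLSTrustedServerNames, is simply refused for that SSID.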
Aruba
Posts: 1,283
Registered: ‎08-29-2007

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

Got it.  QuickConnect sounds like the way forward.

 

Thanks


Aruba
Posts: 1,283
Registered: ‎08-29-2007

Re: Clearpass - EAP-PEAP, checking devices have the RootCA.

OK, so the QuickConnect subscription, is it per user or per device?

