Occasional Contributor I
Posts: 8
Registered: ‎10-01-2009

Clearpass certificates

We currently authenticate Windows laptops against an NPS server using PEAP, with an internal Windows CA.

We have purchased ClearPass and I wish to migrate RADIUS authentication from NPS to CPPM. I would like to carry on using PEAP for our Windows laptops and continue to use our internal root CA. We are also going to be using OnBoard, and we'd like to use ClearPass as the CA for OnBoard devices (iOS/Android).

Is it possible to use the existing internal CA for PEAP for the Windows laptops and the ClearPass CA for OnBoard?

Thank you

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass certificates

Are you using PEAP-TLS or PEAP-MS CHAPv2 for the Windows devices?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 8
Registered: ‎10-01-2009

Re: Clearpass certificates

PEAP-MS CHAPv2

Thanks

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass certificates

You can absolutely use both EAP methods on the same ClearPass server and even the same SSID.

What you'd want to do is create a service just for EAP-PEAP to handle the username/password authentication. This will require uploading a new (or, if you have the private key, the old one from NPS) RADIUS server certificate to ClearPass. This will serve as the server's identity in the PEAP process.

In your PEAP service, you can check for Machine Authentication, FQDN, etc., and then let everything else fall through to OnBoard registration.

Here's an example of the service rules to separate the two methods:

services-eap-peap.PNG

eap-tls-service.PNG

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
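
A pre-upload check for the RADIUS server certificate discussed in the reply above, written as an added example that is not part of the original thread and not Aruba's own tooling. The file names, the `radius.example.test` CN and the throwaway demo CA are constructed, and the Server Authentication EKU check is an assumption drawn from the Windows PEAP supplicant's server-certificate requirements rather than from this thread.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a RADIUS server certificate before uploading it.

# check_radius_cert <server.crt> <server.key> <root-ca.crt>
check_radius_cert() {
  local cert=$1 key=$2 ca=$3 cert_pub key_pub
  # 1. Must chain to the internal root CA the Windows supplicants already trust.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: does not chain to $ca"; return 1; }
  # 2. Must carry the Server Authentication EKU (assumption noted in the lead-in).
  openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Server Authentication" ||
    { echo "FAIL: no Server Authentication EKU"; return 1; }
  # 3. The private key must belong to this certificate (the "old cert from NPS" case).
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not match certificate"; return 1; }
  echo "OK: $cert is usable as a RADIUS server certificate"
}

# make_demo_pki <dir>: constructed throwaway CA and server cert, sample input only.
make_demo_pki() {
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
    '[v3_srv]' 'extendedKeyUsage=serverAuth' > "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Demo Internal Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=radius.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_srv \
    -out "$d/srv.crt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # unrelated key
}

# Demo run on the constructed PKI: matching key passes, unrelated key is rejected.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_radius_cert "$demo_dir/srv.crt" "$demo_dir/srv.key" "$demo_dir/ca.crt"
check_radius_cert "$demo_dir/srv.crt" "$demo_dir/other.key" "$demo_dir/ca.crt" || true
```

For a real migration, pass the certificate and key exported from NPS and the internal root CA certificate to `check_radius_cert` in place of the demo files.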
Occasional Contributor I
Posts: 8
Registered: ‎10-01-2009

Re: Clearpass certificates

Perfect, thanks

Aruba Employee
Posts: 13
Registered: ‎03-31-2013

Re: Clearpass certificates

Yes, this is possible. Just make sure to load the appropriate server certs on ClearPass and you are good to go.

You can configure separate RADIUS and web certs, which should also make things easier for your use case.