Regular Contributor I
Posts: 182
Registered: ‎03-22-2013

Deleting expired client certs

We've just started being notified of clients not connecting to the BYOD SSID, and have learnt it's due to the fact that their certs have expired. It appears that the email notification mechanism for re-provisioning may not have been configured correctly.

The only way I have found to remedy this is to clear the device from CP, and also get the user to remove the installed CP policies from their device, then re-onboard.

I was hoping I could somehow filter all of the expired certs and mass delete them, but can't find a way to do this, so imagine I'm now going to have to do each one manually, and also notify each user of what they need to do.

I've been advised that we can set the cert deletion time down to 1 week, but I fail to see how this helps... surely you want to delete it as soon as it's expired?

What is the "normal" process for a user whose cert is expiring? Do they still have to manually remove the installed CP policies, or does the re-provisioning process do this bit anyway?

Not sure of the most efficient way to clear up the expired certs and get users to re-provision, and suspect I am going to have to do each one by one.

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Deleting expired client certs

If a user's certificate has expired they will fail to connect to the 802.1X service.

However, if they connect back to the provisioning service they should get the login box as normal and should see a message similar to:

Your certificate has been removed or has expired. Please re-provision your device using the form below.

On this basis you just need to notify users to re-onboard. Could you not just send a blanket email?

For info, in 6.5 the above message is customisable under the Instructions and Messages section, so you could make this more meaningful if required:

[Screenshot: Capture.JPG]


With regards to clearing up old certificates, just set the timer down to 1 week and wait for them to be deleted. Expired certificates are next to useless and unless you are constantly in breach of your license I can't imagine it makes a lot of difference waiting 1 week.

David
ACDX #98 | ACMP | ACCP
Regular Contributor I
Posts: 182
Registered: ‎03-22-2013

Re: Deleting expired client certs

Hi, unfortunately both services operate on the same SSID and are just controlled via role switch, so once they have expired, they can't do anything!

For some reason email notifications weren't being sent out, but this has now been resolved. However, following the email instructions and clicking the re-provision link, the user was presented with info telling them they had to manually remove profiles from their device before they re-provisioned.

This doesn't seem very transparent, or seamless... is this normal? We had hoped that users wouldn't really need to do anything at all, the process would be automatic. If they have to manually re-provision, we had hoped it would be the same as their initial onboard, but they now seem to have to remove profiles from their device before they can proceed...


Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Deleting expired client certs

You don't need to remove the old profiles from the device. You can just go through the provisioning process and the new profile will overwrite the old profile.

I am not sure what message you are referring to. If none of the messages have been customised then the user should get one of the following:

For expired devices:

Your certificate has been removed or has expired. Please re-provision your device using the form below.

For devices which haven't expired but are being re-provisioned:

Your device is already provisioned. You should go to your Wi-Fi settings and connect to SSID: <SSID>

If you have deleted your profile you can reprovision your device here

These can be amended under the Instructions and Messages section of the provisioning settings under Onboard.

David
ACDX #98 | ACMP | ACCP
Guru Elite
Posts: 7,828
Registered: ‎09-08-2010

Re: Deleting expired client certs

If you've ever changed the profile identifier in the configuration in Onboard, the profile will not overwrite and you may run into errors requiring you to remove the old profile.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP