New Contributor
Posts: 3
Registered: ‎06-09-2016

Deploying additional certificates

I am trying to determine if I can do the following using a combination of CPPM, QuickConnect and/or OnBoard.

We need to deploy a number of third-party certificates to devices as part of the onboarding process to a WiFi network. These certificates are needed for our web filtering product to be able to properly decrypt web traffic that uses SSL.

We have used QuickConnect before to enable onboarding and deployment of the certificates that are required for the WiFi SSID itself, but in this case these certificates are for our separate web filtering product (SmoothWALL).

Guru Elite
Posts: 8,185
Registered: ‎09-08-2010

Re: Deploying additional certificates

You could add them in as trusted certs, but just be aware that they will be
added to the trust list for the 802.1X profile.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 3
Registered: ‎06-09-2016

Re: Deploying additional certificates

Thanks for your reply - sorry, just to be clear, are you talking about using QuickConnect or using OnBoard?

Also, what is the downside of them being added to the trust list for the 802.1X profile?

We just need a method to "force" the certificate onto BYOD-type devices to ensure the web filter decryption works seamlessly. At the moment, without the certificate the end client gets a trust warning, and on a lot of smartphones that effectively makes it look like they have no internet connection, especially to less savvy end users. The devices are not on our domain and also not managed by an MDM, so we are searching for other solutions.

Guru Elite
Posts: 8,185
Registered: ‎09-08-2010

Re: Deploying additional certificates

It should work for both. You'll need to test it out though.



The downside is you're telling the client that the firewall's certificate is
valid for EAP-based authentication. Not a huge deal, but not ideal either.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
New Contributor
Posts: 3
Registered: ‎06-09-2016

Re: Deploying additional certificates

Ah ok. I think that is an acceptable downside based on the fact I can't think of another way of getting around our problem!

I would be interested to know if anyone else has used any part of ClearPass to get around the same type of issue. Publishing certificates to devices that are not on a domain or MDM managed... Cheers.