MVP
Posts: 2,924
Registered: ‎10-25-2011

EAP PEAP with Clearpass and CA

Hello everyone.

I got this client interested in ClearPass but he does not own a CA.

I was wondering if anyone has used ClearPass as a CA without Onboard? I mean, he just wants the Policy Manager features... he is not interested in Onboard...

Would it be more advisable that he get a certificate from Verisign or GoDaddy?

What would be the best recommendation for this situation?

Client = has no CA

He is buying ClearPass but just for the Policy Manager, so he will just have 25 enterprise licenses... which he wants to use for ClearPass Guest.

I was thinking that it would be easy for him to just buy the certificate from GoDaddy or something like it, but I have never used ClearPass as a CA.

Any advice regarding this?


Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: EAP PEAP with Clearpass and CA

Do they want to issue client certs or do you just need the server PEAP
cert?


Sent from my BlackBerry Z10

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 2,924
Registered: ‎10-25-2011

Re: EAP PEAP with Clearpass and CA

Just for the PEAP...

The thing is that I would have to tell them that they need to buy a certificate...

Actually, I just did a deployment of EAP-PEAP some months ago with Windows NPS... now they were looking at what the ClearPass Policy Manager can do and they want it for more granular rules... and now I was thinking that if I tell them that they need to buy another certificate, that would not be really nice, haha... that's why I'm asking... but if it's the recommended option for this situation, I'll do it.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: EAP PEAP with Clearpass and CA

If they don't want to buy a publicly signed server cert (which I highly
recommend they do), you can just create self-signed certs for the ClearPass
servers. You'll see a server cert option under Certificates and then the
option to create a self-signed cert.

In the self-signed scenario, there's no CA needed in the traditional sense
of the word. The CA in ClearPass is used for issuing client certificates.


Sent from my BlackBerry Z10

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 2,924
Registered: ‎10-25-2011

Re: EAP PEAP with Clearpass and CA

So I guess that when the user connects for the first time he will just install the trusted root certification authority... right?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,924
Registered: ‎10-25-2011

Re: EAP PEAP with Clearpass and CA

Why would you highly recommend buying one? Any explanation? I don't know that much about certificates, just the basics...

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: EAP PEAP with Clearpass and CA

They don't necessarily have to install it, they just need to accept it and
the trust will be saved in the connection profile.


Sent from my BlackBerry Z10

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: EAP PEAP with Clearpass and CA

A publicly signed certificate sets off much fewer "flags" in the client OS
when presented to the user because they most likely already have the
certificate chain installed in their key store.

In my experience, it's just a better experience for the end user.

Sent from my BlackBerry Z10

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 2,924
Registered: ‎10-25-2011

Re: EAP PEAP with Clearpass and CA

Do you mean that it might give you issues with some other OS, like for example Apple iOS or Android?

Have you experienced issues by not using a public certificate in a similar scenario?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: EAP PEAP with Clearpass and CA

It all comes down to trust when using PEAP.

Most devices nowadays will ask you if you want to trust a new cert.

You don't have to have a publicly signed cert in CPPM unless you are concerned about web SSL for onboarding or guest access.

If you have already deployed NPS with that customer, you can still keep that in place and have CPPM be an intermediate and have the NPS sign CPPM's cert.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
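
Added example, not part of any post in this thread: the thread describes clients accepting a self-signed PEAP server certificate and saving that trust in the connection profile. The wpa_supplicant network block below shows the same trust decision made explicitly in the profile instead of at a first-connect prompt. The SSID, identity, file path, hash placeholder and server name are all assumptions chosen for illustration.

```conf
# PEAP/MSCHAPv2 profile for a RADIUS server (for example ClearPass) that
# presents a self-signed or privately signed server certificate.
# Every value below is a constructed placeholder, not taken from the thread.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # Outer identity is sent in the clear; inner identity goes inside the tunnel.
    anonymous_identity="anonymous@example.com"
    identity="user@example.com"
    password="CHANGE-ME"

    # Trust anchor for the RADIUS server certificate. For a self-signed
    # server cert, this file is the server certificate itself (PEM),
    # exported from the server and distributed to clients out of band.
    # If ca_cert is omitted, wpa_supplicant does not verify the server
    # certificate at all, so any access point with any certificate can
    # terminate the PEAP tunnel and receive the MSCHAPv2 exchange.
    ca_cert="/etc/wpa_supplicant/radius-server.pem"

    # Alternative to a file: pin the exact server certificate by its
    # SHA-256 hash (replace the placeholder with the real hex digest).
    # ca_cert="hash://server/sha256/<64-hex-digit-digest-of-server-cert>"

    # Also require that the certificate names the expected RADIUS server.
    # Matters most with a public CA, where the trust anchor alone would
    # accept any certificate that CA has issued. The certificate must
    # carry this name in its subjectAltName dNSName (or CN).
    domain_suffix_match="radius.example.com"
}
```

With a publicly signed server certificate, `ca_cert` points at the issuing CA's root instead, and `domain_suffix_match` becomes the setting that ties the profile to this one server.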