LL
Occasional Contributor I
Posts: 8
Registered: 05-29-2015

EAP-TLS Authentication against multiple domains

Hi folks,
I'm working with a customer at the moment who is merging two separate networks with separate Active Directory infrastructures and legacy Aruba networks. We are deploying a new centralised infrastructure with CPPM for authentication. However both AD domains are remaining separate with no trust relationship configured, and completely separate PKIs. At the moment, clients in both networks are using EAP-TLS with certificate auto-enrollment configured. Moving forward, we would like to continue with EAP-TLS if possible, but EAP-PEAP is a fallback option.
The obvious solution is to push out the self-signed CPPM server cert to all the clients and use EAP-PEAP. Is there a relatively straightforward way of setting this up which would still allow us to use EAP-TLS and certificate auto-enrollment? Could CPPM be the root CA, trusted by the PKI in each domain, for example?

Guru Elite
Posts: 20,018
Registered: 03-29-2007

Re: EAP-TLS Authentication against multiple domains

I would first read Danny Jump's Certificates 101 on the page here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx
Here is what needs to happen on a basic level:
- CPPM needs to have the CA certificates that issued EAP-TLS certificates for both domains in its trusted cert list

- You probably need to turn off OCSP in your EAP-TLS authentication method in ClearPass, unless the OCSP URL is properly embedded in both certificates and those servers are reachable by CPPM.

- Client devices in both domains need to have the CPPM server certificate in their trust list.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Guru Elite
Posts: 20,018
Registered: 03-29-2007

Re: EAP-TLS Authentication against multiple domains

EDIT: CPPM does not need to be the root CA of both domains; it just needs to have the CA of each domain in CPPM's trusted server list, and the clients need to have CPPM's server certificate in their trust list. You should be able to do EAP-TLS for both domains using CPPM via that strategy.
Colin Joseph
Aruba Customer Engineering

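As an added check (not from the thread or from Aruba) of the trust-list point in Colin's two replies above: two independent self-signed root CAs stand in for the two domains' separate PKIs, one client certificate is issued by each, and the script shows that only a trust list holding both CAs accepts both clients. It also shows that a certificate with no embedded AIA has no OCSP URL for a responder lookup, which is the OCSP caveat. All domain and host names are constructed; it needs only `openssl`.

```shell
#!/bin/sh
# Added example, not from the thread: two independent self-signed root CAs stand in for
# the two AD domains' separate PKIs, and one client certificate is issued by each.
# A trust list holding both CAs accepts both clients; a single-domain list rejects the
# other domain's client. Domain names and hostnames are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config so req needs no openssl.cnf

# make_ca DOMAIN: self-signed root CA for one domain (stand-in for its enterprise CA)
make_ca() {
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1 Root CA" -keyout "$1-ca.key" -out "$1-ca.pem" 2>/dev/null
}

# make_client DOMAIN: client certificate issued by that domain's CA (stand-in for auto-enrollment)
make_client() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=host.$1.example" -keyout "$1-client.key" -out "$1-client.csr" 2>/dev/null
  openssl x509 -req -in "$1-client.csr" -CA "$1-ca.pem" -CAkey "$1-ca.key" \
    -CAcreateserial -days 30 -out "$1-client.pem" 2>/dev/null
}

# verify_client CERT TRUSTFILE: exit 0 only if CERT chains to a CA present in TRUSTFILE
verify_client() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ocsp_uri CERT: print the OCSP responder URL from CERT's AIA extension (empty if none)
ocsp_uri() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

for d in domA domB; do make_ca "$d"; make_client "$d"; done
cat domA-ca.pem domB-ca.pem > both-cas.pem   # trust list holding both domains' CAs

if verify_client domA-client.pem both-cas.pem; then echo "domA client: accepted by two-CA list"; fi
if verify_client domB-client.pem both-cas.pem; then echo "domB client: accepted by two-CA list"; fi
if ! verify_client domB-client.pem domA-ca.pem; then echo "domB client: rejected by domA-only list"; fi
# These certs carry no AIA, so an OCSP check would have no responder URL to query
if [ -z "$(ocsp_uri domA-client.pem)" ]; then echo "domA client: no OCSP URL embedded"; fi
```

The same `openssl verify -CAfile` check against an export of the CPPM trust list is a quick way to confirm a real client certificate will chain before turning on EAP-TLS.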
LL
Occasional Contributor I
Posts: 8
Registered: 05-29-2015

Re: EAP-TLS Authentication against multiple domains

Thanks Colin - I'll have another read through the Certificates 101 guide and see what we can do.