MVP
Posts: 286
Registered: ‎11-04-2008

EAP-TLS clients with multiple certificates

Sorry if this has been answered somewhere, I just couldn’t find it.  It seems like a typical issue with BYOD.

Our secured WiFi authentication method is EAP-TLS only. If a user's BYOD wants to access the secured network, she must be onboarded, accepted, and have the domain certificate chain installed. A typical onboarding process.

Problem: the user already onboarded her laptop with her school, so another certificate resides in her personal certificate store. When she connects to my secured network, her laptop only presents her school certificate and thus fails the authentication.

Question: Can CPPM ignore or skip the unknown certificate(s)? Or at least check all certificates to find the match?

Regards,

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 8,052
Registered: ‎09-08-2010

Re: EAP-TLS clients with multiple certificates

Unfortunately no. This is a client side issue. ClearPass can only process what is presented by the client.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 20,426
Registered: ‎03-29-2007

Re: EAP-TLS clients with multiple certificates

It all depends on the client;

In Windows you have "Use simple certificate selection", which could give the user a list of certificates that they can try, but again, only one can be selected and sent to the RADIUS server. https://social.technet.microsoft.com/Forums/en-US/5e56306a-d963-44df-9e3e-91b18b11c300/what-is-the-exact-criterion-for-use-simple-certificate-selection-recommended-checkbox-?forum=w7itpronetworking

On mobile platforms, it is much more restricted: you have to set up a WLAN and a certificate that will be used for that WLAN at the same time. This all of course depends on the mobile platform. There is no single solution across all platforms that will deal with this. Better to onboard with a unique username and password to sidestep that issue.

Colin Joseph
Aruba Customer Engineering

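
As an added diagnostic to go with the Windows note above (example script written for this thread, not from Colin's post or from Aruba), the following lists the certificates in the current user's personal store that Windows could offer during EAP-TLS and flags which of them chain to the corporate CA, so an admin can see at a glance why a school-issued certificate is the one being presented. The CA subject name is a placeholder to fill in; the script only reads the store.

```powershell
# Added example (not from the thread): enumerate the user's personal
# certificate store and show which entries are usable for EAP-TLS and
# which actually chain to the corporate issuing CA.
$CorpCaSubject = 'CN=CORP-ISSUING-CA'   # placeholder: your domain CA's subject DN

$clientAuthOid = '1.3.6.1.5.5.7.3.2'     # id-kp-clientAuth (Client Authentication EKU)

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # EAP-TLS needs a private key; an absent EKU extension means "any purpose",
    # otherwise the Client Authentication EKU must be present.
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasClientAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)

    # Build the chain locally (no revocation lookup) to see which CA hierarchy
    # the certificate really belongs to, rather than trusting the Issuer string.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.Build($cert)
    $chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $chainsToCorp = ($chainSubjects -contains $CorpCaSubject)

    [PSCustomObject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        ChainsToCorp  = $chainsToCorp
        Thumbprint    = $cert.Thumbprint
    }
} | Sort-Object ChainsToCorp -Descending | Format-Table -AutoSize
```

Any row with HasPrivateKey and ClientAuthEku set but ChainsToCorp false is a certificate Windows may pick over the corporate one when simple certificate selection is enabled.
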
MVP
Posts: 286
Registered: ‎11-04-2008

Re: EAP-TLS clients with multiple certificates

Thank you both Tim and Colin for your responses. I am going to accept Colin's solution for now; at least it works for Windows. We will deal with MacBook at another time.

All the other devices can use guest as they only need access to the Internet.

Regards.

~Trinh Nguyen~
Boys Town
MVP
Posts: 286
Registered: ‎11-04-2008

Re: EAP-TLS clients with multiple certificates

Tested and found it works in Windows 8 and 10:

[Screenshots: Capture.PNG, Capture2.JPG]

When you click "Connect using a certificate" it will present a list of personal certificates for you to pick from.

~Trinh Nguyen~
Boys Town