OnBoard device identity check

Hello,

This is probably a silly question, but is there a security risk with OnBoard where a malicious user can extract a client certificate from an already provisioned device and upload it into their device to gain access? If so, what is the best way to guard against this?

Thank you

Re: OnBoard device identity check

Hi,

In the default EAP-TLS authentication method the "Authorization Required" setting is enabled. This means that the client must also pass user credentials to successfully authenticate.


Cheers

James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------


Re: OnBoard device identity check

Onboard certificates are marked as non-exportable so it would be very
difficult to export the certificate.



You can layer on profiling conflict checks as well as potentially do a MAC
check against the MAC address embedded in the cert. Remember that the
certificate takes the place of only the password. You should leverage the
authorization phase to look at other information about the device and user.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
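The layered authorization checks described in the reply above, as an added example that is not part of the original thread and is not ClearPass configuration or API code. It assumes the RADIUS server has already validated the EAP-TLS certificate and exposes the values below; the dictionary keys (`calling_station_id`, `cert_mac`, `user_enabled`, `profile_conflict`) and the sample requests are hypothetical and constructed for illustration.

```python
import re

def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed."""
    if not value:
        return None
    digits = re.sub(r"[-:.]", "", value.strip())
    return digits.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", digits) else None

def authorize(request):
    """Authorization phase: runs only after the certificate itself was accepted.

    The certificate replaces the password, so every check here looks at
    something other than the certificate's validity.
    """
    reasons = []
    # MAC presented by the connecting device (RADIUS Calling-Station-Id).
    radio_mac = normalize_mac(request.get("calling_station_id"))
    # MAC recorded in the certificate at provisioning time (assumed pre-extracted).
    cert_mac = normalize_mac(request.get("cert_mac"))
    if radio_mac is None or cert_mac is None:
        reasons.append("mac-missing")
    elif radio_mac != cert_mac:
        reasons.append("mac-mismatch")
    # The user the certificate was issued to must still be an active account.
    if not request.get("user_enabled", False):
        reasons.append("user-disabled")
    # Profiling says the device type changed since it was onboarded.
    if request.get("profile_conflict", False):
        reasons.append("profile-conflict")
    return ("deny" if reasons else "allow", reasons)

# Constructed sample requests (locally administered MAC addresses).
PROVISIONED = {"calling_station_id": "02-00-5E-10-00-01",
               "cert_mac": "02:00:5e:10:00:01",
               "user_enabled": True, "profile_conflict": False}
# Same certificate presented from a different device.
COPIED_CERT = dict(PROVISIONED, calling_station_id="02-00-5E-10-00-99")
# Certificate still valid, but the user account has been disabled.
DISABLED_USER = dict(PROVISIONED, user_enabled=False)

if __name__ == "__main__":
    for name, req in [("provisioned", PROVISIONED),
                      ("copied cert", COPIED_CERT),
                      ("disabled user", DISABLED_USER)]:
        print(name, authorize(req))
```

A client can change the MAC address it presents, so the MAC comparison is one layer alongside the profiling and user checks rather than a control on its own.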