Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard with 802.1x enabled printer

  • 1.  Onboard with 802.1x enabled printer

    Posted Oct 06, 2015 07:33 AM

    I understand that most people implement Onboard for BYOD; can it be implemented for wired connections as well? For wireless, the client is redirected to a portal, keys in the credential, and the cert is pushed down to the device. Is it the same for a wired connection? Is there any guide for this?

    How can I implement Onboard for an 802.1X-enabled printer? What is the procedure? Does the printer need to create a CSR, or do I simply generate the client cert from Onboard and upload it to the printer?

    Please advise. Thanks.



  • 2.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 07:37 AM
    You would need to do the full CSR process on ClearPass to generate the key pair, then add it to the printer.

    In terms of wired Onboard, you just need to enable the wired options in the provisioning profiles.


    Thanks, 
    Tim


  • 3.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 07:38 AM

    The purpose of onboard is to automate delivery of a unique credential (most times an EAP-TLS certificate) to a device.  Since a printer does not typically have a human operating it, you would just generate an EAP-TLS certificate and upload it to the printer, and that can be done with your own CA.  In my experience, putting an EAP-TLS certificate on a printer is a very difficult thing to get done, and you should consult the manufacturer to see exactly what steps need to be done to make this successful.  You also have to consider what needs to be done when all the certificates on your printers expire...

     



  • 4.  RE: Onboard with 802.1x enabled printer

    Posted Oct 06, 2015 08:04 AM

    Thanks for the quick reply. I am getting a bit confused.

    So do I need to do the full CSR process on ClearPass? Does doing a full CSR mean that I need the printer to do a CSR and have it signed by ClearPass? Or is no CSR needed from the printer, and the CA (ClearPass in my case) just generates the cert to import to the printer? And so in what situation would a CSR be needed?

    Another question:

    My setup is such that my CPPM RADIUS server is signed by the root CA; this caters for a group of users. I have another group of users to be onboarded by the ClearPass CA. How can that be done? Where does the CA reside in ClearPass? Is it in CPPM or Onboard? I assumed it's in Onboard? That means I need to create a root CA in Onboard and after that download the root CA and have it trusted in CPPM? Is my concept right? Because I know that CPPM can only do one CSR, right?

     

     



  • 5.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 08:11 AM
    Most headless devices can't do a CSR. You would do it in ClearPass and import the key pair to the printer.

    Not sure I'm following your second question. The RADIUS server certificate does not have to be from the same CA as the client certificate.


    Thanks, 
    Tim


  • 6.  RE: Onboard with 802.1x enabled printer

    Posted Oct 06, 2015 08:28 AM

    Am I right to say that I will just go into the Onboard settings, create a 'client' cert for the printer, and upload it to the printer?

    If so, what's the difference between creating a 'client' cert in the CA (ClearPass) and doing a CSR?



  • 7.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 09:26 AM
    Right. The difference is: when you generate the CSR on the device, the private key is also generated on the device. When you do it in Onboard through the GUI, the certificate and private key are generated and can be exported. 


    Thanks, 
    Tim


  • 8.  RE: Onboard with 802.1x enabled printer

    Posted Oct 06, 2015 09:33 AM

    Thanks. Let me ask a stupid question. So on the printer I will need to import 3 things: the client cert, the private key, as well as the root CA, which is the ClearPass one?



  • 9.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 09:36 AM
    Correct


    Thanks, 
    Tim
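The difference Tim describes (where the private key is generated) and the three items listed in the last two posts, shown as an added example that is not part of this thread and not ClearPass or Onboard code: plain openssl runs both flows against a throw-away lab CA standing in for the Onboard CA, then runs the checks worth doing before the files go on a printer (chains to the expected CA, carries the clientAuth EKU, key actually matches the cert). All names (printer01, "Onboard Root CA (lab)"), the bundle password and the file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from HPE Aruba. Flow A = printer makes
# its own CSR; Flow B = key + cert generated CA-side and exported (Onboard GUI
# style). Everything here is a constructed lab placeholder.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Lab CA (constructed; in the thread this role is played by the Onboard CA).
make_ca() {   # $1 = file prefix, $2 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Signing step shared by both flows: the CA signs a CSR and stamps on the
# extensions an EAP-TLS supplicant certificate should carry.
sign_csr() {   # $1 = device name, $2 = CA prefix
  printf 'extendedKeyUsage = clientAuth\nsubjectAltName = DNS:%s.lab.example\n' "$1" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Flow A (printer can do a CSR): key pair and CSR are made ON the device.
# Only the CSR travels to the CA; the private key never leaves the printer.
flow_csr_on_device() {   # $1 = device name, $2 = CA prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null     # runs on the printer
  sign_csr "$1" "$2"                               # runs on the CA
}

# Flow B (headless printer, no CSR): key pair and certificate are both
# generated CA-side and exported together. The PKCS#12 bundle is exactly the
# three items the thread lists: client cert + private key + root CA.
flow_generated_centrally() {   # $1 = device name, $2 = CA prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  sign_csr "$1" "$2"
  openssl pkcs12 -export -in "$1.crt" -inkey "$1.key" -certfile "$2.crt" \
    -passout pass:lab-only -out "$1.p12"
  rm -f "$1.key" "$1.crt" "$1.csr"                 # only the .p12 is shipped
}

# What gets unpacked from the bundle on the printer side: the three items.
unpack_bundle() {   # $1 = device name
  openssl pkcs12 -in "$1.p12" -passin pass:lab-only -clcerts -nokeys -out "$1.crt" 2>/dev/null
  openssl pkcs12 -in "$1.p12" -passin pass:lab-only -nocerts -nodes -out "$1.key" 2>/dev/null
  openssl pkcs12 -in "$1.p12" -passin pass:lab-only -cacerts -nokeys -out "$1-ca.crt" 2>/dev/null
}

# Checks to run before trusting an identity. Prints "ok" on success, or the
# name of the failed check (chain / eku / keymismatch) and returns 1.
check_identity() {   # $1 = device name, $2 = CA prefix
  openssl verify -CAfile "$2.crt" "$1.crt" >/dev/null 2>&1 || { echo chain; return 1; }
  openssl x509 -in "$1.crt" -noout -text | grep -q 'TLS Web Client Authentication' \
    || { echo eku; return 1; }
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = "$(openssl pkey -in "$1.key" -pubout 2>/dev/null)" ] \
    || { echo keymismatch; return 1; }
  echo ok
}

make_ca onboard "Onboard Root CA (lab)"
make_ca other   "Unrelated CA (lab)"
flow_csr_on_device       printer01 onboard
flow_generated_centrally printer02 onboard
unpack_bundle            printer02
flow_csr_on_device       printer03 other        # signed by the wrong CA on purpose
for p in printer01 printer02 printer03; do
  printf '%s against onboard CA: %s\n' "$p" "$(check_identity "$p" onboard || true)"
done
```

The third line of output is the failure case: a certificate that chains to some other CA is rejected before it ever reaches a printer. One caveat on the bundle format: OpenSSL 3 writes PKCS#12 with PBKDF2 and AES by default, and older firmware that only understands the legacy RC2/3DES encoding will refuse such a file; `openssl pkcs12 -export -legacy` on OpenSSL 3 produces the older encoding. Flow A never needs a key import at all, which is why it tends to be the less fragile of the two on a printer that supports it.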


  • 10.  RE: Onboard with 802.1x enabled printer

    Posted Oct 06, 2015 09:41 AM

    Another question: shouldn't it be the same as for a laptop user? As this is often pushed down by GPO, I have no visibility. From a laptop we only see the user cert and the root CA cert. Where can we find the private key? Having said that, if I were to do a manual import of the cert to the laptop, would I need to import these 3 items too?



  • 11.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 09:54 AM

    For a laptop, you would be using the Onboard process for enrollment. For AD-joined Windows machines, yes, you can use group policy to issue certificates from your AD CA.



  • 12.  RE: Onboard with 802.1x enabled printer

    Posted Oct 06, 2015 10:30 AM

    Yup, I do understand the Onboard process for enrollment. I mean, if I want to do it the manual way, will it be the same as the printer, where I need to import the 3 files to the laptop? Not saying that I will do it this way; I just want to understand the concept.



  • 13.  RE: Onboard with 802.1x enabled printer

    EMPLOYEE
    Posted Oct 06, 2015 11:45 AM

    rayoflight,

    That depends on what the printer manufacturer supports.  In reality, very few people attempt to put certificates on a headless device.  The printer manufacturers know this, so they do not put a lot of effort into supporting or refining the process.



  • 14.  RE: Onboard with 802.1x enabled printer

    Posted Oct 19, 2015 08:36 AM

    Those printers that can do a CSR work. I signed them and uploaded them back to the printer together with the root CA (ClearPass Onboard).

    Now I am trying to figure out how to generate the cert from Onboard and upload it back to the printer.

    I followed the following guide but can't get it to work.

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/TUTORIAL-How-to-generate-TLS-certificates-for-Linux-using-the/td-p/149236

    1) May I know why we upload the CPPM cert rather than the Onboard CA cert? In the scenario of a CSR by the printer, I actually uploaded the Onboard CA cert and it works. I didn't upload the CPPM cert to the printer.

    2) Can I say that the CN field is not important if I do not tick authorization in the TLS method?

    3) I can't seem to upload the client cert to the printer; it gives me some error, but it doesn't give me an error when I do the 'CSR' method.