Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Onboard with 802.1x enabled printer

I understand that most people implement Onboard for BYOD. Can it be implemented for wired connections as well? For wireless, the client will be redirected to a portal and key in the credential, and the cert will be pushed down to the device. Is it the same for a wired connection? Is there any guide for this?

How can I implement Onboard for an 802.1X-enabled printer? What is the procedure? Does the printer need to create a CSR? Or simply just generate the client cert from Onboard and upload it to the printer?

Please advise. Thanks

Guru Elite
Posts: 7,863
Registered: ‎09-08-2010

Re: Onboard with 802.1x enabled printer

You would need to do the full CSR process on ClearPass to generate the key pair, then add it to the printer.

In terms of wired onboard, you just need to enable the wired options in the provisioning profiles. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Guru Elite
Posts: 20,012
Registered: ‎03-29-2007

Re: Onboard with 802.1x enabled printer

The purpose of Onboard is to automate delivery of a unique credential (most times an EAP-TLS certificate) to a device. Since a printer does not typically have a human operating it, you would just generate an EAP-TLS certificate and upload it to the printer, and that can be done with your own CA. In my experience, putting an EAP-TLS certificate on a printer is a very difficult thing to get done, and you should consult the manufacturer to see exactly what steps need to be done to make this successful. You also have to consider what needs to be done when all the certificates on your printers expire...

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Onboard with 802.1x enabled printer

Thanks for the quick reply. I am getting a bit confused.

So do I need to do the full CSR process on ClearPass? Does doing a full CSR mean that I need the printer to do a CSR and have it signed by ClearPass? Or is no CSR needed from the printer, just the CA (ClearPass in my case) to generate the cert and import it to the printer? And so in what situation would a CSR be needed?

Another question

My setup is such that my CPPM RADIUS server is signed by the root CA; this caters for a group of users. I have another group of users to be onboarded by the ClearPass CA. How can it be done? Where does the CA reside in ClearPass? Is it in CPPM or Onboard? I assumed it's at Onboard? Means I need to create a root CA in Onboard and after that I need to download the root CA and let it be trusted in CPPM? Is my concept right? Because I know that CPPM can only do one CSR, right?

Guru Elite
Posts: 7,863
Registered: ‎09-08-2010

Re: Onboard with 802.1x enabled printer

Most headless devices can't do a CSR. You would do it in ClearPass and import the key pair to the printer.

Not sure I'm following your second question. The RADIUS server certificate does not have to be from the same CA as the client certificate.


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Onboard with 802.1x enabled printer

Am I right to say that I will just go into the Onboard settings and create a 'client' cert for the printer and upload it to the printer?

If so, what's the difference between creating a 'client' cert in the CA (ClearPass) and doing a CSR?

Guru Elite
Posts: 7,863
Registered: ‎09-08-2010

Re: Onboard with 802.1x enabled printer

Right. The difference is: when you generate the CSR on the device, the private key is also generated on the device. When you do it in Onboard through the GUI, the certificate and private key are generated and can be exported. 


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Onboard with 802.1x enabled printer

Thanks. Let me ask a stupid question. So on the printer I will need to import 3 things? The client cert, the private key, as well as the root CA, which is the ClearPass?

Guru Elite
Posts: 7,863
Registered: ‎09-08-2010

Re: Onboard with 802.1x enabled printer

Correct


Thanks, 
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
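
Added example, not part of any post in this thread and not ClearPass's own procedure: a lab sketch with OpenSSL of the CA-side flow discussed above, producing the three items the printer needs (client certificate, private key, root CA), then checking that the key matches the certificate, that the chain verifies for client authentication, and when the certificate expires. The throwaway CA, the device name `printer01`, the file names and the export password are all constructed placeholders.

```bash
#!/usr/bin/env bash
# Lab sketch: a throwaway CA stands in for the issuing CA. All names, file paths
# and the export password are constructed for illustration.
set -eu
umask 077                                  # private keys readable by owner only
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_lab_ca() {                            # self-signed root the printer must trust
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_client_cert() {                      # $1 = device name, $2 = validity in days
  # Key pair is generated off-device because the device cannot produce a CSR itself.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -extfile "$WORK/ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
}

key_matches_cert() {                       # public key in cert == public key of private key
  [ "$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout | openssl sha256)" ]
}

chain_ok() {                               # chains to the root and is valid for client auth
  openssl verify -purpose sslclient -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

expires_within() {                         # $2 = days; succeeds if the cert expires in that window
  ! openssl x509 -in "$WORK/$1.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

bundle_p12() {                             # cert + key + root in one password-protected file
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" -certfile "$WORK/ca.pem" \
    -passout pass:CHANGE-ME-placeholder -out "$WORK/$1.p12"
}

make_lab_ca
issue_client_cert printer01 365
key_matches_cert printer01 && chain_ok printer01 && bundle_p12 printer01
echo "printer01 ready: $(ls "$WORK" | tr '\n' ' ')"
if expires_within printer01 30; then echo "renew now"; else echo "not due within 30 days"; fi
```

Because the private key exists outside the device in this flow, the exported key or PKCS#12 file should be deleted from the workstation once the import succeeds; running `expires_within` on a schedule against an inventory of issued certificates gives advance notice of the expiry problem raised earlier in the thread.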
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Onboard with 802.1x enabled printer

Another question: shouldn't it be the same as for a laptop user? As this is often pushed down by GPO, I have no visibility. From the laptop we only see the user cert and the root CA cert. Where can we find the private key? Having said that, if I were to do a manual import of the cert to the laptop, will I need to import these 3 items too?
