Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard with Public Certificate

  • 1.  Onboard with Public Certificate

    Posted May 17, 2016 06:20 AM

    Hi All,

     

    This is my first experience deploying ClearPass Onboard. I have a setup where ClearPass is integrated with an Aruba controller and its Onboard module generates client certificates for EAP-TLS. The client devices are iPads.

    We want to use a public cert and run the ClearPass CA as an Intermediate CA. We created a new Intermediate CA and generated a CSR to be signed.

    Am I missing something for this scenario?

     



  • 2.  RE: Onboard with Public Certificate
    Best Answer

    EMPLOYEE
    Posted May 18, 2016 03:28 AM

    That will not work; no public CA will sign your intermediate, as that effectively breaks the SSL trust model.

     

    Please read the document "CPPM - Certificates 101 Technote V1.2" from:

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx

     

    In short: the certificates that ClearPass Onboard issues as client certificates do not need any public trust as these are only used to validate the client on the network.

     

    So use the built-in CA for issuing the client certificates, use a publicly trusted CA for your HTTPS server certificate on the ClearPass server, and the RADIUS certificate used depends on circumstances and can be either a public or private certificate.
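
An added illustration of the split described in the answer above (not part of the thread and not ClearPass's own tooling): plain `openssl` stands in for the Onboard built-in CA, issues a client-authentication certificate, and shows that only a verifier holding the private root accepts it. All names (`Example Private Onboard CA`, `ipad-001`, the file names) are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a private CA (stand-in for an onboarding CA) issues a
# client-auth certificate. All names and file paths are hypothetical.
demo_private_client_ca() (
  d=$(mktemp -d) && cd "$d" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Onboard CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Leaf profile: not a CA, usable for TLS client authentication only.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

  # 1. Private root CA, plus an unrelated CA standing in for any trust
  #    store that does not contain the private root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -subj "/CN=Unrelated CA" -keyout other.key -out other.pem 2>/dev/null

  # 2. Device key and CSR, signed by the private CA.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=ipad-001" -keyout dev.key -out dev.csr 2>/dev/null
  openssl x509 -req -in dev.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile client.ext -out dev.pem 2>/dev/null

  # 3. What each relying party would conclude about the device certificate.
  check() { openssl verify "$@" dev.pem >/dev/null 2>&1 && echo yes || echo no; }
  echo "private_ca=$(check -CAfile ca.pem -purpose sslclient)" \
       "other_store=$(check -CAfile other.pem -purpose sslclient)" \
       "as_server=$(check -CAfile ca.pem -purpose sslserver)"
  cd / && rm -rf "$d"
)

demo_private_client_ca
```

The authenticating server is the only party that needs the private root in its trust list, and the `clientAuth`-only usage keeps the issued certificate from being accepted as a server certificate.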



  • 3.  RE: Onboard with Public Certificate

    Posted May 18, 2016 11:32 PM

    Thank you Herman. I managed to figure it out the hard way :-)