MVP
Posts: 1,110
Registered: ‎10-11-2011

Onboarding CA Requirement

I created a new CA in ClearPass, rather than using an intermediate CA or importing a CA. For a while I was getting warnings in Guest, letting me know that the recommendation was to use a 3rd party certificate that would be trusted by iOS. I clicked the 'how to fix this' button, and it said that provisioning or authentication may fail by using a self-signed CA. Also, I think it said it wouldn't work for a cluster environment, which I have.

I want to understand the requirement/recommendation for using a 3rd party cert for onboarding if there are any.

Is it okay to make ClearPass Root CA in a cluster environment?

Am I losing anything by not importing a Root CA or Intermediate CA?

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Onboarding CA Requirement

The issue is that if the iOS device doesn't trust the SSL cert presented by the web browser then Onboarding will fail. You will need a publicly signed cert for the CPPM side. Or you have to push out all the certs manually to each device.

For example, in my lab I have a publicly signed cert in CPPM and in my onboarding I use a self-signed or I'm using an intermediate based on my AD.

rootca2.png

rootca.png

Thank You,
Troy
