Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboarding CA Requirement

  • 1.  Onboarding CA Requirement

    Posted Oct 02, 2013 10:17 AM

    I created a new CA in ClearPass, rather than using an intermediate CA or importing a CA. For a while I was getting warnings in Guest, letting me know that the recommendation was to use a 3rd party certificate that would be trusted by iOS. I clicked the 'how to fix this' button, and it said that provisioning or authentication may fail by using a self-signed CA. Also, I think it said it wouldn't work for a cluster environment, which I have.

     

    I want to understand the requirement/recommendation for using a 3rd party cert for onboarding if there are any.

    Is it okay to make ClearPass Root CA in a cluster environment?

    Am I losing anything by not importing a Root CA or Intermediate CA?



  • 2.  RE: Onboarding CA Requirement

    EMPLOYEE
    Posted Oct 02, 2013 06:16 PM

    The issue is that if the iOS device doesn't trust the SSL cert presented by the web browser then Onboarding will fail. You will need a publicly signed cert for the CPPM side. Or you have to push out all the certs manually to each device.

     

    For example, in my lab I have a publicly signed cert in CPPM, and in my onboarding I use a self-signed or I'm using an intermediate based on my AD.

     
