Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Only MAB and Certificate based authentication on CPPM

  • 1.  Only MAB and Certificate based authentication on CPPM

    Posted Sep 22, 2015 03:32 PM

    I am trying to find a way to authenticate mobile devices using MAB and EAP-TLS (certs) only. These devices will connect to an Aruba SSID and will be staged under an Airwatch MDM. Currently our Airwatch MDM is ONLY used for staging. Airwatch will be pushing the Windows CA cert to the mobile devices.


    What is the best way to have the mobile devices use the Windows CA cert to authenticate with CPPM?  Do I setup a service within CPPM that uses "EAP-TLS with OCSP Enabled"?  Do I use the "Certificate Comparison" and use the OCSP URL to the Windows ADCS server?  Do I import the Windows root CA into CPPM's trusted lists?


    I do know how to use MAB, but my main issue is the certificate authentication piece.



  • 2.  RE: Only MAB and Certificate based authentication on CPPM

    EMPLOYEE
    Posted Sep 22, 2015 03:34 PM
    Do you have OCSP configured in your AD certificate authority?



    If you just want to check for a valid certificate, you can just do EAP-TLS
    with no authorization or validity checks.


  • 3.  RE: Only MAB and Certificate based authentication on CPPM

    Posted Sep 22, 2015 03:57 PM

    I will check to see if the AD cert is an OCSP-enabled cert. Is OCSP used just to check whether the cert is revoked? Thanks so much for your help.



  • 4.  RE: Only MAB and Certificate based authentication on CPPM

    EMPLOYEE
    Posted Sep 22, 2015 04:16 PM
    Yes, correct. If you are not using OCSP, you can use CRLs instead.


    Thanks, 
    Tim
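    The difference between "the cert chains to a trusted CA" and "the cert is not revoked" can be seen with a throwaway OpenSSL lab. This is an added example, not ClearPass or Microsoft tooling: a constructed local CA stands in for the Windows ADCS CA, and a constructed device cert stands in for the one Airwatch pushes to the phone; the CRL file plays the role of the CRL (or OCSP responder) that CPPM would be pointed at.

```shell
#!/bin/sh
# Constructed lab: throwaway CA = stand-in for the Windows ADCS CA,
# dev.crt = stand-in for the cert Airwatch pushes to a device.
set -e
LAB="$(mktemp -d)"; cd "$LAB"
mkdir -p db/newcerts; : > db/index.txt; echo 1000 > db/serial; echo 01 > db/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = ./db
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = lab_policy
[ lab_policy ]
commonName = supplied
EOF
# Root CA: the equivalent of the Windows root CA imported into CPPM's trust list.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Lab Root CA" -days 30 2>/dev/null
# Device certificate issued by that CA, plus an (initially empty) CRL.
openssl req -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
  -subj "/CN=device-0001" 2>/dev/null
openssl ca -batch -config ca.cnf -in dev.csr -out dev.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Chain check only: what EAP-TLS with no validity checks gives you.
is_trusted() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }
# Chain check plus CRL lookup: what enabling CRL (or OCSP) checking adds.
is_not_revoked() { openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" >/dev/null 2>&1; }
# Revoke a device cert (e.g. a lost phone) and publish a fresh CRL.
revoke_device() {
  openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}

is_trusted dev.crt && echo "before revocation: chain OK"
is_not_revoked dev.crt && echo "before revocation: not revoked"
revoke_device dev.crt
is_trusted dev.crt && echo "after revocation: chain still OK (no CRL check)"
is_not_revoked dev.crt || echo "after revocation: rejected by CRL check"
```

The last two lines are the point: a plain chain check still accepts a revoked device cert, so a service that only validates the chain will keep admitting a lost or retired device until its cert expires.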


  • 5.  RE: Only MAB and Certificate based authentication on CPPM

    Posted Sep 23, 2015 09:25 AM

    I have 2 more questions...


    1. Are there any licensing issues with using Onboard in this manner? CPPM has a 50 user Enterprise license, and to do what is listed in the article we will use the Onboard application component of the enterprise license. Does CPPM care, since Onboard/CPPM is not the server actually issuing the certs, but AD? Thus, will there be an issue after 50 mobile devices connect to the ******** SSID? Does that 50 user license matter in this implementation?
    2. What would the authentication source be for the authentication service that you will have to create: "Active Directory" or CPPM/Onboard? The document seems to imply AD/ADCS, and I think AD/ADCS as well. Or do I just leave it blank?


  • 6.  RE: Only MAB and Certificate based authentication on CPPM

    EMPLOYEE
    Posted Sep 23, 2015 09:28 AM

    1) If you are not using Onboard to get the certificate on the devices, then no Onboard licenses or enterprise licenses are consumed. Only base authentication licenses.


    If you are using Onboard to issue certificates on behalf of AD, then Onboard/Enterprise licensing applies.


    2) You would use your Active Directory auth source.