09-22-2015 12:31 PM
I am trying to find a way to authenticate mobile devices using MAB and EAP-TLS (certs) only. These devices will connect to an Aruba SSID and will be staged under an Airwatch MDM. Currently our Airwatch MDM is ONLY used for staging. Airwatch will be pushing the Windows CA Cert to the mobile devices.
What is the best way to have the mobile devices use the Windows CA cert to authenticate with CPPM? Do I setup a service within CPPM that uses "EAP-TLS with OCSP Enabled"? Do I use the "Certificate Comparison" and use the OCSP URL to the Windows ADCS server? Do I import the Windows root CA into CPPM's trusted lists?
I do know how to use MAB, but my main issue is the certificate authentication piece.
09-22-2015 12:34 PM
If you just want to check for a valid certificate, you can just do EAP-TLS
with no authorization or validity checks.
09-22-2015 01:16 PM
09-23-2015 06:24 AM
I have 2 more questions...
- If there were any licensing issues with using Onboard in this matter, since CPPM has a 50 user Enterprise license, and to do what is listed in the article we will use the Onboard application component of the enterprise lic. Does CPPM care, since Onboard/CPPM is not the server actually issuing the CERTS, but AD? Thus, will there be an issue after 50 mobile devices connect to the ******** SSID? Does that 50 user lic matter in this implementation?
- What would the Authentication source be for the authentication service that you will have to create... "Active Directory" or CPPM/Onboard? The document seems to imply AD/ADCS; I think AD/ADCS as well. Or do I just leave it blank?
09-23-2015 06:27 AM - edited 09-23-2015 06:35 AM
1) If you are not using Onboard to get the certificate on the devices, then no Onboard licenses or enterprise licenses are consumed. Only base authentication licenses.
If you are using Onboard to issue certificates on behalf of AD, then Onboard/Enterprise licensing applies.
2) You would use your Active Directory auth source.