Occasional Contributor I
Posts: 6
Registered: ‎09-22-2015

Only MAB and Certificate based authentication on CPPM

I am trying to find a way to authenticate mobile devices using MAB and EAP-TLS (certs) only. These devices will connect to an Aruba SSID and will be staged under an Airwatch MDM. Currently our Airwatch MDM is ONLY used for staging. Airwatch will be pushing the Windows CA cert to the mobile devices.


What is the best way to have the mobile devices use the Windows CA cert to authenticate with CPPM?  Do I setup a service within CPPM that uses "EAP-TLS with OCSP Enabled"?  Do I use the "Certificate Comparison" and use the OCSP URL to the Windows ADCS server?  Do I import the Windows root CA into CPPM's trusted lists?


I do know how to use MAB, but my main issue is the certificate authentication piece.

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Only MAB and Certificate based authentication on CPPM

Do you have OCSP configured in your AD certificate authority?



If you just want to check for a valid certificate, you can just do EAP-TLS with no authorization or validity checks.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 6
Registered: ‎09-22-2015

Re: Only MAB and Certificate based authentication on CPPM

I will check to see if the AD cert is an OCSP-enabled cert. Is OCSP used just to check whether the cert is revoked? Thanks so much for your help.

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Only MAB and Certificate based authentication on CPPM

Yes correct. If you are not using OCSP, you can use CRLs instead. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
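An added, illustrative example (not code from this thread, from ClearPass or from Aruba) of the revocation check being discussed: a constructed CA stands in for the Windows CA, issues two device certificates, publishes a CRL listing one of them, and the authenticator-side check rejects the revoked one and fails closed when the CRL is stale or not signed by the trusted CA. All names and values are constructed; it assumes the Python `cryptography` package.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed reference time (naive = UTC) for reproducibility

def make_ca():  # constructed stand-in for the Windows (ADCS) root CA
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Windows CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def issue_device_cert(ca_key, ca_cert, cn):  # the cert an MDM pushes to a phone for EAP-TLS
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))
def build_crl(ca_key, ca_cert, revoked_serials):  # CA-signed CRL, valid for 7 days
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())
def revocation_status(cert, crl, ca_cert, now=NOW):
    """Return 'good', 'revoked' or 'unknown'; only 'good' should grant access."""
    if not crl.is_signature_valid(ca_cert.public_key()):  # CRL must be signed by the trusted CA
        return "unknown"
    if crl.issuer != cert.issuer or not (crl.last_update <= now <= crl.next_update):
        return "unknown"  # wrong issuer, or CRL is stale/not yet valid: fail closed
    revoked = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if revoked is not None else "good"

def demo():
    ca_key, ca_cert = make_ca()
    ok = issue_device_cert(ca_key, ca_cert, "phone-ok")
    lost = issue_device_cert(ca_key, ca_cert, "phone-lost")  # revoked after the device was lost
    crl = build_crl(ca_key, ca_cert, [lost.serial_number])
    _, other_ca = make_ca()  # a CA the RADIUS server does not trust; its key cannot validate the CRL
    return (revocation_status(ok, crl, ca_cert), revocation_status(lost, crl, ca_cert),
            revocation_status(ok, crl, other_ca),
            revocation_status(ok, crl, ca_cert, NOW + datetime.timedelta(days=8)))  # past next_update
```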
Occasional Contributor I
Posts: 6
Registered: ‎09-22-2015

Re: Only MAB and Certificate based authentication on CPPM

I have 2 more questions...


  1. Are there any licensing issues with using Onboard in this manner? CPPM has a 50 user Enterprise license, and to do what is listed in the article we will use the Onboard application component of the enterprise lic. Does CPPM care, since Onboard/CPPM is not the server actually issuing the CERTS, but AD? Thus, will there be an issue after 50 mobile devices connect to the ******** SSID? Does that 50 user lic matter in this implementation?
  2. What would the Authentication source be for the authentication service that you will have to create... "Active directory" or CPPM/Onboard? The document seems to imply AD/ADCS; I think AD/ADCS as well. Or do I just leave it blank?
Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Only MAB and Certificate based authentication on CPPM


1) If you are not using Onboard to get the certificate on the devices, then no Onboard licenses or enterprise licenses are consumed. Only base authentication licenses.


If you are using Onboard to issue certificates on behalf of AD, then Onboard/Enterprise licensing applies.


2) You would use your Active Directory auth source.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480