Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Terminate EAP on Controller to Auth Mobile Devices

  • 1.  Terminate EAP on Controller to Auth Mobile Devices

    Posted Jun 06, 2013 02:47 PM

    Hello,


    Currently we have an Aruba deployment for mobile devices (various vendors) to connect to wireless infrastructure for mobile application testing. The current security method in place is WPA2-PSK and MAC authentication on the local database. I'd like to move away from that setup and move towards an L2 802.1x termination for better management.


    I understand that you can terminate 802.1x on the controller and we'd most likely do that with a publicly trusted certificate from Verisign. We'd have both the CA and server cert (CSR generated by the controller and signed by the CA) loaded onto the controller. My question is: is it possible to issue individual certs to the mobile devices via the controller that are associated with the Verisign cert? And in the situation that a mobile device is compromised, can that particular certificate be revoked? Is this possible to do on the controller? I'm relatively new at this, so I apologize in advance.


    Thanks,


    Brian



  • 2.  RE: Terminate EAP on Controller to Auth Mobile Devices
    Best Answer

    EMPLOYEE
    Posted Jun 06, 2013 03:22 PM

    While you can terminate the 802.1x traffic on the controller, you will need an EXTERNAL CA to issue certificates to clients as well as an EXTERNAL OCSP responder to validate client certificate status.
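The answer above separates three roles: the controller terminates EAP-TLS, an external CA issues (and revokes) client certificates, and an OCSP responder reports their status. As an added example that is not from this thread or from Aruba, the following script uses the OpenSSL command line as a stand-in for that external CA: it builds a throwaway CA, issues a client certificate to one constructed device name, revokes it, and asks an offline OCSP responder before and after. All names, paths and the configuration file are constructed for the demo.

```shell
# Added example (not from the thread or from Aruba): a throwaway CA issues an
# EAP-TLS client cert, revokes it, and answers OCSP queries about it. Constructed names.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; : > index.txt; echo 1000 > serial
cat > ca.cnf <<'EOF'   # minimal 'openssl ca' configuration, constructed for this demo
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
policy = loose
x509_extensions = client_ext
[ loose ]
commonName = supplied
[ client_ext ]
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
EOF
# Root CA (the external CA the answer refers to), then a key pair and CA-signed cert for one device.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=lab-ca" -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout phone.key -out phone.csr \
  -subj "/CN=phone-01" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in phone.csr -out phone.crt >/dev/null 2>&1
# ocsp_status CERT: build a request, answer it offline from the CA's index.txt,
# verify the response against the CA cert and print only the status word.
ocsp_status() {
  openssl ocsp -no_nonce -issuer ca.crt -cert "$1" -reqout req.der >/dev/null 2>&1
  openssl ocsp -noverify -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -no_nonce -issuer ca.crt -cert "$1" -CAfile ca.crt -respin resp.der \
    2>/dev/null | sed -n "s/^$1: //p"
}
BEFORE=$(ocsp_status phone.crt)                                     # good
openssl ca -batch -config ca.cnf -revoke phone.crt >/dev/null 2>&1  # device compromised or lost
AFTER=$(ocsp_status phone.crt)                                      # revoked
echo "before revocation: $BEFORE; after revocation: $AFTER"
```

The revocation takes effect only because the responder reads the CA's own database; a controller that merely trusts the CA certificate, with no OCSP (or CRL) check, would keep accepting the revoked device.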



  • 3.  RE: Terminate EAP on Controller to Auth Mobile Devices

    Posted Jun 06, 2013 03:28 PM

    Ok, thanks for the information.  What do most people use for an external CA?



  • 4.  RE: Terminate EAP on Controller to Auth Mobile Devices

    EMPLOYEE
    Posted Jun 06, 2013 03:41 PM


    People honestly use what they have and what they are comfortable with. Maintaining and managing a CA with certificate issuance and revocation is a specialty even in your IT organization, and it involves a big learning curve.


    Users who are Microsoft shops use a Microsoft CA and try to work with that.


    Many Aruba customers opt for ClearPass Policy Manager with Onboard, which is a RADIUS server with a built-in CA that allows you to issue and revoke certificates and/or unique credentials for quite a few operating systems: http://www.arubanetworks.com/products/clearpass/device-management/ If you have VMware, it is fairly straightforward to evaluate. If you PM me I can put you in touch with the right people to evaluate it.




  • 5.  RE: Terminate EAP on Controller to Auth Mobile Devices

    Posted Jun 06, 2013 03:53 PM

    We have actually been given an evaluation copy of ClearPass Policy Manager with Onboard from our sales rep, but at this time it's hard to justify the expense for an additional RADIUS server when we already have another vendor providing 802.1x authentication. Unfortunately that vendor cannot issue / revoke certificates. Maybe as our environment grows Onboard will become justifiable. Thanks for the help though!