Occasional Contributor II

Terminating EAP-TLS on ClearPass

Dear Community,

 

1. Is it possible to terminate EAP-TLS based on only the CA certificate, without a connection to the RADIUS/CA server that produced the client certificate?

   * If the CA certificate is enough for authentication, how can we update the CPPM on revoked certificates?

2. Can we use ClearPass to create client certificates for the devices?

   * It would be nice to get related best-practice documents / tutorials.

 

 

Thanks a lot!

Shay

Guru Elite

Re: Terminating EAP-TLS on ClearPass

1) Yes, but not having revocation checks really defeats the point.

2) Yes, the ClearPass Onboard module is for issuing certificates to unmanaged devices.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Terminating EAP-TLS on ClearPass

Hi Cappalli,

Thank you for your quick response :)

So is there any way to manually load updates with the revoked certificates?

Guru Elite

Re: Terminating EAP-TLS on ClearPass

You need to use your CA's OCSP responder (or you can use the CA's CRL, but OCSP is recommended).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Terminating EAP-TLS on ClearPass

By saying "need to use your CA's OCSP responder": how can I use it if I can't configure any connectivity to the CA/RADIUS?

Is it possible to use ClearPass as an OCSP responder by manually loading updates from the CA server to the ClearPass server?

Guru Elite

Re: Terminating EAP-TLS on ClearPass

No. ClearPass is an OCSP responder for its own CAs only.

ClearPass would need to communicate with your CA's OCSP responder or CRL endpoint.
Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
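To make the revocation point above concrete, here is an added example (not from this thread and not ClearPass code) using a throwaway OpenSSL CA: the same client certificate passes a check that trusts only the CA certificate, but is rejected as soon as the CA's CRL is consulted. It assumes `openssl` is on the path; every name, key and file in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not ClearPass code): build a throwaway CA, issue one device
# certificate, revoke it and publish a CRL, then compare a CA-only check with a
# CA + CRL check. Shows why a CA certificate alone cannot reject revoked certs.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so `req` and `ca` need no system defaults (constructed).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber

# Constructed test data: a root CA ("Demo CA") and a device certificate it issues.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 30 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=device-1" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -days 30 -in client.csr -out client.pem 2>/dev/null
# The CA operator revokes the device certificate and publishes a CRL.
openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# Check 1: trust anchor only, no revocation data -> the revoked cert still passes.
verify_ca_only() { openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1 && echo accepted || echo rejected; }
# Check 2: same trust anchor plus the CA's CRL -> the cert is rejected as revoked.
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem >/dev/null 2>&1 && echo accepted || echo rejected; }

# prints: CA only: accepted    CA + CRL: rejected
echo "CA only: $(verify_ca_only)    CA + CRL: $(verify_with_crl)"
```

The CRL here stands in for whatever revocation source the RADIUS server can reach; an OCSP responder answers the same question per certificate instead of via a downloaded list.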