01-05-2017 08:20 AM - edited 01-05-2017 08:21 AM
We're updating the RADIUS cert for our CPPM cluster and the cert issuer is changing to an issuer that is not currently trusted by onboarded devices. Is there any way of manipulating the trust list remotely or perhaps redirecting customers via CP to re-onboard? Regarding the latter, I'd like to selectively redirect devices that haven't re-onboarded by a certain date. I can't figure out how to do that though.
01-06-2017 03:09 AM
I believe you would need to get users to re-onboard in order to add the new trusted root certificate to the client.
To force users to re-onboard I would create a new boolean attribute with an initial value of FALSE. Then write an enforcement policy that checks whether this attribute is present or set to FALSE when a client authenticates. If it is not present or is FALSE, then send a new user role back to the controller which forces the client to re-onboard. Once the onboarding is complete, you set this attribute to TRUE so that the next time they authenticate they don't get the new user role.
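The flag check described in this answer, combined with the date cutoff asked for in the question, modelled as a first-match rule list. This is an added example, not part of the original posts and not ClearPass configuration syntax. The attribute name `ReOnboarded`, the role names and the cutoff date are hypothetical, and it assumes the device can still complete authentication so that the policy is reached.

```python
from datetime import date

# Hypothetical names and values (assumptions, not from the thread).
ATTR = "ReOnboarded"            # boolean endpoint attribute, initially FALSE
ROLE_NORMAL = "normal-access"
ROLE_REONBOARD = "force-reonboard"
CUTOFF = date(2017, 2, 1)       # constructed example cutoff date


def is_true(value):
    """Only an explicit True or the string 'true' counts as set.

    A missing attribute (None) and any other value are treated as FALSE,
    which matches "not present or is FALSE" in the answer.
    """
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


# Rules are evaluated top to bottom; the first match decides the role.
RULES = [
    ("flag is TRUE", lambda ep, today: is_true(ep.get(ATTR)), ROLE_NORMAL),
    ("before cutoff date", lambda ep, today: today < CUTOFF, ROLE_NORMAL),
    ("flag absent or FALSE", lambda ep, today: True, ROLE_REONBOARD),
]


def evaluate(endpoint, today):
    """Return (role, matched_rule) for one authentication attempt."""
    for name, condition, role in RULES:
        if condition(endpoint, today):
            return role, name
    return "deny", "no rule matched"  # fail closed if the list is edited badly


def complete_onboarding(endpoint):
    """Set the flag once onboarding has finished, as the answer describes."""
    endpoint[ATTR] = True
    return endpoint


if __name__ == "__main__":
    # Constructed sample endpoints, evaluated after the cutoff.
    today = date(2017, 3, 1)
    for ep in ({}, {ATTR: False}, {ATTR: "false"}, {ATTR: True}):
        print(ep, "->", evaluate(ep, today))
```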