Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

  • 1.  With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

    Posted Apr 27, 2016 04:38 AM

    It's not entirely clear, with OnBoard, which OSs (if any) don't receive client-side X.509 certs as their 'unique device credentials'. Pretty sure iOS does, and Android these days, but what about others? And is it OS version dependent too? I know this is likely to be the case with Windows (which couldn't really be described as one OS anyway).

    As a bit of an aside, what gets installed on the client device, in order that it trusts the cert that ClearPass itself uses, with EAP mutual authentication, to verify the network's identity?



  • 2.  RE: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

    EMPLOYEE
    Posted Apr 27, 2016 06:03 AM
    All operating systems still in support from the manufacturer use certificates. Note that some platforms require a manual onboard. 

    In terms of cert trust, that is configured during the Onboard process. 


  • 3.  RE: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

    Posted Apr 27, 2016 06:11 AM

    Thanks Tim - sounds like the phrase 'unique client credentials' is used in the docs purely to cover older OS versions then. I take it too that manually installing client certs, when using generic web provisioning, can vary wildly in terms of how easy or hard (or even possible) it is, depending on the client's OS?


    On my second Q - does the client's trust for the ClearPass certificate come from actually installing ClearPass's CA cert itself on the device (presumably with just its public key), or is there just some kind of record of what the cert 'looks like', which is configured by ClearPass as part of OnBoard provisioning? (Forgive me, I realise this is just a fundamental ignorance, on my part, as to how clients trust CAs within PKI.)



  • 4.  RE: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?
    Best Answer

    EMPLOYEE
    Posted Apr 27, 2016 06:16 AM
    Yes, that's correct, but really only Win Phone and BlackBerry should need a web enrollment at this point. 

    In the case of Onboard, the server cert is installed to the client. Normally with PEAP, you're only verifying the CA. 


  • 5.  RE: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

    Posted Apr 27, 2016 06:33 AM

    Presumably OnBoard uses EAP-TLS though, rather than PEAP? Putting a client-side cert on a device, but authenticating using username and password, would presumably not make much sense? I guess though that PEAP would be used for the older OS versions you mentioned earlier, where such client certs can't be provisioned, but with some kind of [unknown to the user] username and password stored/cached on the device?



  • 6.  RE: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

    EMPLOYEE
    Posted Apr 27, 2016 06:36 AM
    Yes, EAP-TLS is used. Devices like OS X 10.6 and earlier will use a generated username and password with EAP-PEAP. It is very unlikely that this would be used though.