Contributor II
Posts: 75
Registered: ‎05-06-2014

With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

It's not entirely clear, with OnBoard, which OSs (if any) don't receive client-side x.509 certs as their 'unique device credentials'?  Pretty sure iOS does - and Android these days, but what about others - and is it OS version dependent too - I know this is likely to be the case with Windows (which couldn't really be described as one OS anyway).

As a bit of an aside, what gets installed on the client device, in order that it trusts the cert that ClearPass itself uses, with EAP mutual authentication, to verify the network's identity?

Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

All operating systems still in support from the manufacturer use certificates. Note that some platforms require a manual onboard. 

In terms of cert trust, that is configured during the Onboard process. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

Thanks Tim - sounds like the phrase 'unique client credentials' is used in the docs purely to cover older OS versions then... I take it too that manually installing client certs, when using generic web provisioning, can vary wildly in terms of how easy or hard (or even possible) it is, dependent on the client's OS?


On my second Q - does the client's trust for the ClearPass certificate come from actually installing ClearPass's CA cert itself on the device (presumably with just its public key), or is there just some kind of record of what the cert 'looks like', which is configured by ClearPass as part of OnBoard provisioning? (Forgive me, I realise this is just a fundamental ignorance on my part as to how clients trust CAs within PKI.)

Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

Yes, that's correct, but really only Win Phone and BlackBerry should need a web enrollment at this point. 

In the case of Onboard, the server cert is installed to the client. Normally with PEAP, you're only verifying the CA. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
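The two kinds of trust Tim describes (a PEAP client that holds only the CA cert and checks that the server cert chains to it, versus an Onboard profile that carries the exact server cert) can be made concrete with a throwaway PKI. The script below is an added example, not code from the thread or from Aruba: it uses the openssl CLI (assumed to be installed) to mint a constructed CA and server cert, plus a second CA with the same name but a different key, and then runs both checks against them. None of the names or certs here are real ClearPass material.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, built in a temp dir and deleted on exit.
# Assumes the openssl CLI is available. No real ClearPass certificates are involved.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA (the thing a PEAP client holds as its trust anchor).
make_ca() {  # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Server (RADIUS/EAP) cert issued by a CA.
issue_server_cert() {  # $1 = CA prefix, $2 = server prefix, $3 = server CN
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -days 1 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# PEAP-style trust: the client only has the CA cert; the presented server cert
# must carry a signature that validates under the CA's public key.
verify_against_ca() {  # $1 = CA prefix, $2 = presented server prefix; prints ok|fail
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Onboard-style trust: the client has the exact server cert installed, so the
# presented cert must match it byte for byte (compared here by SHA-256 fingerprint).
cert_fingerprint() {  # $1 = cert prefix; prints the SHA-256 fingerprint
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
verify_pinned() {  # $1 = installed (pinned) prefix, $2 = presented prefix; prints ok|fail
  if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
    echo ok
  else
    echo fail
  fi
}

make_ca genuine_ca "Example Onboard CA"
make_ca lookalike_ca "Example Onboard CA"      # same name, different key pair
issue_server_cert genuine_ca radius "clearpass.example.test"
issue_server_cert lookalike_ca other "clearpass.example.test"

echo "genuine server cert, genuine CA:   $(verify_against_ca genuine_ca radius)"
echo "look-alike server cert, genuine CA: $(verify_against_ca genuine_ca other)"
echo "pinned cert vs genuine server:      $(verify_pinned radius radius)"
echo "pinned cert vs look-alike server:   $(verify_pinned radius other)"
```

The point the output makes is the one behind the original question: a client trusts a CA because it holds the CA's certificate (and therefore its public key) and checks signatures against it, not because it remembers what the server cert "looks like". A CA with an identical subject name but a different key fails the chain check, which is why the cert installed during provisioning, not the names in it, is what matters. Pinning the exact server cert, as the Onboard profile does, is stricter still but means the profile has to be updated whenever that server cert is renewed.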
Contributor II
Posts: 75
Registered: ‎05-06-2014

Re: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

Presumably OnBoard uses EAP-TLS though, rather than PEAP..?   Putting a client-side cert on a device, but authenticating using username and password would, presumably, not make much sense?   I guess though that PEAP would be used for the older OS versions you mentioned earlier, where such client certs can't be provisioned - but with some kind of [unknown to the user] username and password stored/cached on the device..?

Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: With OnBoard, which OSs (if any) don't receive x.509 certs as their 'unique device credentials'?

Yes, EAP-TLS is used. Devices like OS X 10.6 and earlier will use a generated username and password with EAP-PEAP. It is very unlikely that this would be used though. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480