04-27-2016 01:37 AM
It's not entirely clear, with OnBoard, which OSs (if any) don't receive client-side X.509 certs as their 'unique device credentials'? Pretty sure iOS does - and Android these days, but what about others - and is it OS version dependent too - I know this is likely to be the case with Windows (which couldn't really be described as one OS anyway).
As a bit of an aside, what gets installed on the client device, in order that it trusts the Cert that ClearPass itself uses, with EAP mutual authentication, to verify the network's identity..?
04-27-2016 03:03 AM
04-27-2016 03:10 AM
Thanks Tim - sounds like the phrase 'unique client credentials' is used in the docs, purely to cover older OS versions then... I take it too that manually installing client certs, when using generic web-provisioning, can vary wildly, in terms of how easy or hard (or even possible) it is, dependent on the client's OS..?
On my second Q - Does the client's 'trust' for the ClearPass certificate come from actually installing ClearPass's CA cert itself on the device (presumably with just its public key) - or is there just some kind of record of what the cert 'looks like', which is configured by ClearPass as part of OnBoard provisioning? (Forgive me, I realise this is just a fundamental ignorance, on my part, as to how clients trust CAs, within PKI)
04-27-2016 03:16 AM
In the case of Onboard, the server cert is installed to the client. Normally with PEAP, you're only verifying the CA.
04-27-2016 03:32 AM
Presumably OnBoard uses EAP-TLS though, rather than PEAP..? Putting a client-side cert on a device, but authenticating using username and password would, presumably, not make much sense? I guess though that PEAP would be used for the older OS versions you mentioned earlier, where such client certs can't be provisioned - but with some kind of [unknown to the user] username and password stored/cached on the device..?
04-27-2016 03:36 AM