We're starting a project to deploy Clearpass as our primary campus AAA and we have the opportunity to use a different CA from the one we normally use. (Globalsign)
Is there a CA that is included in most popular Mobile and laptop OSes where we wouldn't have to burden most of the user population to onboard root cert chains from the CAs? MacOS, Windows, Apple iOS, and Android make up 95% of the devices, so finding a CA that's included with all of these would get us most of the way to the goal.
Globalsign doesn't list Apple iOS as supported (https://www.globalsign.com/en/ssl-information-center/certificate-authority-root/) and our initial testing shows our Globalsign cert as Untrusted on iOS 10.
Entrust is, unless your client mix includes very old Windows installations. Otherwise, GoDaddy is pretty well represented even on old things.
But, since you should probably be using profiles/scripts to install settings to turn on CN validation and CA lockdown when using public CAs, once you have gone that far, adding root cert installation might not be that much more work.
Yes, PEAP MSCHAPv2
GlobalSign's CA is included in iOS and Mac OS X.
Keep in mind that certificate messages during initial authentication to an 802.1X network are not system certificate trust related, they are to prove the server identity to the user connecting. Server certificate validation is a normal component of tunneled EAP methods.
The only ways to avoid that message on devices are:
1) Move to EAP-TLS (ideal)
2) Offer a configuration tool like QuickConnect to users
3) Push down configuration on managed devices (GPO or Profile Manager)
4) Manually configure supplicants.
If you're going to Atmosphere, we'll be discussing this in the Deploying Device and Server Certificates session.
We use DigiCert and it works for all the devices that you have mentioned above.
If you want to do your authentication in a secure way, you should provision a wireless/wired profile on the clients and then the vendor of the root CA doesn't matter. If you don't do this, clients will need to accept the certificate provided by the RADIUS server. It always happens, even if you use a trusted global root CA. Hackers can easily set up a wireless network with the same SSID as yours and when users are prompted to accept the bad certificate they definitely will agree and share their hashed password. With the wireless profile, the device won't prompt to accept the RADIUS cert and will not share the credentials with bad people. At our university we publish the eduroam CAT tool for provisioning on a captive portal.
Of course EAP-TLS is better, but in an educational world where student laptops are not IT managed (all BYOD) you would need to use something like ClearPass Onboard and a few extra golden coins. Also you'll need some extra FTE to support it.
We’ve made significant changes to Onboard licensing to make it more feasible for education. I’m not sure I agree with the need to add an FTE. It should reduce support calls, not increase them.
I would also add that the certificate issued is not just for network authentication. It can be used with single sign-on solutions to provide seamless, secure authentication to virtually unlimited services.
And that still makes it quite expensive. With an Access license we only need about 50% of our student population covered since they never come to the campus at the same time. With an Onboard license (already costs 50% more than an Access license) they count as long as their certificate hasn't expired, so you need 100% covered at least. Also there's some student overlap at the beginning of a new year (old certs aren't expired yet and new students are coming in). So in practice you need to have like 120% of your average student count covered. You could solve this by renewing and expiring certs extremely fast, but do you want this?
Also as I mentioned you need some extra effort to support Onboard with your users. Some setups on student laptops are quite challenging.
Ryan – Asking a user to disconnect and reconnect once in four years as part of a guide process with clear instructions is much less painful than dealing with certificate trust and password changes with PEAP.
Also, most customers we have worked with do not want the user to have to download an app.
@Ryan wrote: I completely agree with that. But where you and I diverge is your assumption that it is an either/or scenario. We (as IT) should be reducing the burden on our users whenever possible as a means to provide the best experiences. This would include not asking them to take action when technology could do it for them (e.g., disabling/re-enabling the Wi-Fi radio). - Ryan -
Yup. I agree.
I have seen a solution from Aruba ACE that detects the expiring Onboard certificate. I think they were prompted to accept a new certificate.
1) There are no hard license caps in ClearPass 6.7
2) It is very easy to revoke certificates via the REST API when a student is no longer active
3) From what our customers have told us, they deal with more issues with supporting legacy EAP methods like PEAP than they do with assisted Onboarding.
@cappalli wrote:
2) It is very easy to revoke certificates via the REST API when a student is no longer active
3) From what our customers have told us, they deal with more issues with supporting legacy EAP methods like PEAP than they do with assisted Onboarding.
2) not a real solution. Overlap still exists. Also requires custom scripting.
3) that's why there's something like the eduroam CAT tool which makes it as easy as assisted onboarding. No issues with server cert trust! I actually don't know any educational institution (I know a lot, trust me) who uses EAP-TLS for their students. They all use PEAP so there's definitely a big market out there. ;)
Furthermore, when using EAP-TLS, your cert environment should be reachable from the internet so roaming users can still renew their certificate.
We plan to migrate to TLS over the next year, and have a TLS kick-off meeting in November. We plan to use two CAs, one for internal and one for BYOD/external.
I thought CPPM Onboard was for assisted onboarding. I guess I was mistaken.
I was just surprised you suggested the eduroam CAT tool when ClearPass Onboard is an onboarding tool too.
@cappalli wrote: There are hundreds of educational institutions using EAP-TLS (thousands globally). Not sure I understand your comment about opening up ClearPass to the internet for certificate renewals. Anyway, sounds like your mind is made up but I wanted to clarify some of these points for others reading the thread ☺
How will your roaming students/staff renew their certs when using EAP-TLS without a connection to your CA? It's very common to have lots of visiting/roaming students and staff in an educational environment. Sometimes they stay for several months. In an enterprise, EAP-TLS is really the best, but not for educational use. Even MIT just uses PEAP. I hope you'll see it's more a grey story and not black and white.