Hi all,
We are using ClearPass as our RADIUS server and are authenticating Wi-Fi using 802.1X / EAP-TLS. We are using Onboard to push out the user/root cert and using Onboard as our CA; the user enrolls using a temporary open SSID, reaches the Onboard page, and uses their AD creds to enroll. We will be supporting many different customer AD domains, so we prefer to use Onboard as our CA and for device auth versus Active Directory.
We created our RADIUS cert using Onboard's CA. We did this because ClearPass' native cert generation has a max validity period of 2000 days, which is too short for our use, so we imported a cert from Onboard for RADIUS, which permits a much longer validity period. We are using a wildcard cert for our HTTPS (for now, in our lab) and will purchase a non-wildcard cert for production.
Everything is working fine: Apple devices and Windows devices enroll just fine with Onboard, and EAP-TLS is working fine.
We were told by our Aruba account rep / sales engineer that we should not use a self-signed cert for RADIUS and that we need to purchase a cert from a public CA. The recommendations and information that I am reading online conflict with this, including the Herman Rober video series saying self-signed is recommended.
Not sure if what they meant is using a public cert if we use PEAP-MSCHAPv2, to lessen the chance of a fake RADIUS server doing a man-in-the-middle attack on a badly configured supplicant (trusted servers not set).
We are using EAP-TLS and delivering the certs with Onboard (Onboard CA root, RADIUS, user). Is that safe, or does Aruba now recommend using a publicly purchased cert for the RADIUS cert for EAP-TLS?
Thanks,
kg1984
------------------------------
Kevin Grivois
------------------------------
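An added example, not from the original post: a wpa_supplicant network block in the badly configured form described above (no trusted server set) beside a hardened EAP-TLS block that pins the Onboard root and checks the RADIUS server's name. The file paths, SSID, identity and server name are assumed placeholders.

```conf
# Added example, not part of the original post. Placeholder values assumed:
# /etc/ssl/onboard-root.pem, /etc/ssl/user.pem, radius.example.com, user@example.com.

# WEAK: no ca_cert and no server-name check. The supplicant trusts whatever
# certificate the RADIUS server presents, which is the "trusted servers not set"
# case where a fake RADIUS server can sit in the middle of PEAP-MSCHAPv2.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# HARDENED: EAP-TLS with the Onboard root pinned and the RADIUS server name
# matched. The server cert is accepted only if it chains to this root (the
# same Onboard CA that issued it) and its SubjectAltName/CN equals domain_match.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/ssl/onboard-root.pem"
    client_cert="/etc/ssl/user.pem"
    private_key="/etc/ssl/user.key"
    domain_match="radius.example.com"
}
```

With a private root pinned as above, only certificates issued by that CA are accepted at all; if a public CA root were trusted instead, the domain_match line becomes essential, because that CA issues certificates to many unrelated parties.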