Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Automatic certificate assignment/renewal for printers etc.

  • 1.  Automatic certificate assignment/renewal for printers etc.

    Posted Mar 30, 2021 06:43 AM
    I thought we could get printers to get certificates from Microsoft NDES and then renew those when they expire. But it seems that you can pair NDES to only a single certificate template. I was hoping we could have different templates for printers, TVs, medical stuff etc. So when doing 802.1X EAP-TLS we could figure out the correct user role from the certificate values.

    Any ideas how we could do this? Are there other SCEP software products that could do this? Or is anyone doing something like this, or how do you configure certificates for the printers etc.?


  • 2.  RE: Automatic certificate assignment/renewal for printers etc.

    MVP EXPERT
    Posted Mar 30, 2021 09:17 AM
    A certificate should simply be a pointer / correlation handle to another data source. There is no need to use different certificate properties.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Automatic certificate assignment/renewal for printers etc.

    Posted Mar 30, 2021 10:40 AM
    I remember seeing devices that only allowed you to add certificates but no username/password. Also, as it's our internal CA that we can control, I was hoping to pick the easy way and just authenticate based on certificate fields :) I guess we'd need to start adding user accounts to AD and then just issue similar certificates to all the devices.


  • 4.  RE: Automatic certificate assignment/renewal for printers etc.

    MVP EXPERT
    Posted Mar 30, 2021 11:05 AM
    No need to create AD accounts. Use device registration in CPPM.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: Automatic certificate assignment/renewal for printers etc.

    Posted Mar 30, 2021 11:13 AM
    Add them to CPPM Guest? Any benefits to using that instead of AD? All the workstations that are logging on to the network are already checked against AD anyway, and it's used as an authentication source. Wouldn't you need to do MAC authentication in this case, as there's no password except for the MPSK password?


  • 6.  RE: Automatic certificate assignment/renewal for printers etc.

    MVP EXPERT
    Posted Mar 30, 2021 11:33 AM
    AD is not designed to store device accounts outside of Windows AD-joined objects.

    You can use the MAC address, cert serial, subject, or other cert property as a lookup value in the device database.

    ------------------------------
    Tim C
    ------------------------------
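    An added example (not from this post or from ClearPass itself) of the lookup Tim describes: the EAP-TLS client certificate only supplies a correlation handle, and the role comes from a separate device registry. The registry, the attribute names and the certificate values are constructed assumptions; note that the serial number is deliberately not used as the key, because it changes on every renewal.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

@dataclass
class DeviceRecord:
    owner: str
    role: str
    valid_until: date  # registration lifetime, tracked outside the certificate

# Constructed registry (an assumption, not ClearPass's schema): the role
# lives here, keyed by MAC address, never in a certificate field.
DEVICE_DB = {
    "00:11:22:33:44:55": DeviceRecord("facilities", "printer", date(2022, 3, 30)),
    "aa:bb:cc:dd:ee:ff": DeviceRecord("av-team", "tv", date(2021, 1, 1)),
}

MAC_RE = re.compile(r"(?i)([0-9a-f]{2}[:.-]?){6}")

def normalize_mac(text: str) -> Optional[str]:
    """Find a MAC in 001122334455 / 00-11-22-33-44-55 / 0011.2233.4455 form."""
    m = MAC_RE.search(text)
    if not m:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", m.group(0)).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_subject(subject: str) -> dict:
    """Split 'CN=prn-001122334455,O=Example' into {'CN': ..., 'O': ...}."""
    return dict(part.split("=", 1) for part in subject.split(",") if "=" in part)

def correlation_handles(cert: dict) -> list:
    """Candidate MACs from subject CN and SAN entries; the serial is ignored."""
    fields = [parse_subject(cert["subject"]).get("CN", "")] + cert.get("san", [])
    macs = [normalize_mac(f) for f in fields]
    return [m for m in macs if m]

def resolve_role(cert: dict, today: date) -> str:
    """Role for an EAP-TLS-authenticated client; unknown or lapsed -> deny."""
    for mac in correlation_handles(cert):
        rec = DEVICE_DB.get(mac)
        if rec is None:
            continue
        if rec.valid_until < today:
            return "deny"  # registration lapsed even if the cert is still valid
        return rec.role
    return "deny"  # a valid certificate alone grants nothing

if __name__ == "__main__":
    print(resolve_role({"subject": "CN=prn-001122334455,O=Example", "serial": "1A"},
                       date(2021, 3, 30)))
```

The MAC here is read from the authenticated certificate, so the registry lookup does not depend on MAC authentication of the frame source.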



  • 7.  RE: Automatic certificate assignment/renewal for printers etc.

    Posted Mar 30, 2021 11:42 AM
    Is there documentation available that would explain why this would be a bad idea? Or is it an Aruba best practice? As managing user accounts (for the printers) in AD just seems quite a lot easier than trying to do that with ClearPass Guest. We can use group memberships for different types of printers but have them in the same OU and so on. And run the usual reports for accounts that are going to be expiring soon and notify the relevant people. There is a sponsor field of course in CPPM, but I don't really understand the benefits of having two separate user stores when we could have all those in AD.

    We could also run a script to create accounts for the next 20 printers and wouldn't have to worry about the correct cert serial or use insecure MAC authentication.

    That "other cert property" goes back to my original question, as it seems it's not possible to use NDES for creating certificates with different templates and then have different cert properties for certain groups of users.


  • 8.  RE: Automatic certificate assignment/renewal for printers etc.

    MVP EXPERT
    Posted Mar 30, 2021 11:51 AM
    > "I don't really understand the benefits of having two separate user stores when we could have all those in AD"
    They're not users. That is the key point.

    I'm not aware of any docs. Best to reach out to your ClearPass partner.


    ------------------------------
    Tim C
    ------------------------------