My CPPM nodes will be deployed as a distributed deployment design. In this design, do we need to have a certificate for each node, or can we just use a wildcard certificate for the clustering?
Thanks for the feedback, but what do you mean for EAP I should use a generic certificate across the deployment?
I still need to manually import those into each node, right?
Yes, you'll still need to import it, but you should use the same certificate for EAP across the whole cluster. Something generic (networklogin.domain.xyz, clearpass.domain.xyz, secureauth.domain.xyz, etc.)
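As an added example (not from this thread or from Aruba), here is one way to prepare the single EAP server certificate request that every cluster node will import. It assumes the CSR is generated externally with openssl rather than in the ClearPass UI, and the name clearpass.domain.xyz and organisation are placeholders; the script also checks that the generic name is present in the SAN, because supplicants validate the server name there rather than only in the CN.

```shell
#!/bin/sh
# Added example: build one CSR for the shared EAP server certificate that all
# cluster nodes will import. Names below are constructed placeholders.
set -eu

WORKDIR="$(mktemp -d)"
EAP_NAME="clearpass.domain.xyz"   # generic cluster-wide EAP name (placeholder)

# Write an explicit CSR config so the generic name lands in the SAN as well as
# the CN, and the certificate is marked for server authentication.
gen_eap_csr() {
    cat > "$WORKDIR/eap.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $EAP_NAME
O = Example Org
[ ext ]
subjectAltName = DNS:$EAP_NAME
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/eap.key" -out "$WORKDIR/eap.csr" \
        -config "$WORKDIR/eap.cnf" 2>/dev/null
    printf '%s\n' "$WORKDIR/eap.csr"
}

# Confirm the CSR carries the expected SAN before it is sent to the CA;
# a certificate issued without it will fail supplicant server-name checks.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$EAP_NAME"
}

CSR="$(gen_eap_csr)"
csr_has_san "$CSR" && echo "CSR ready for the CA: $CSR"
```

Once the CA returns the signed certificate, the same certificate and private key are imported as the EAP server certificate on every node, so each node presents the identical generic name to supplicants.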
Thanks for the feedback.
In addition to this concern, is it possible in ClearPass to do EAP-Chaining so that it checks machine auth and user auth before giving access to the endpoint?
Technically, my endpoint has a machine certificate and a user certificate, right?
EAP-chaining is a Cisco proprietary method that requires client software on the device.
ClearPass uses native Computer + User authentication that's baked into Windows.
How can I do that in ClearPass the one that you are talking about?
You may want to work with your Aruba partner. 802.1X needs to be carefully planned out to be successful.
ClearPass will automatically tag the authentication with [Machine Authenticated] when the computer account is used and [User Authenticated] when the user account is used. You can write a rule that checks for both of them. You also need to be sure the supplicant is configured correctly via group policy.
But this machine and user authentication can come from the machine cert and user cert, right?
What if we use OnGuard to bounce the session (maybe delayed) and give the user time to get a cert via GPO?
I think that if the network profile is set to authenticate user or machine, and the user logs in for the first time (doesn't have a cert), it simply won't do user authentication; it will only be machine authenticated. It gets a cert via GPO, OnGuard bounces the session, and on the second attempt the user is authenticated with the cert it just got.
Will that do the trick, and is this a valid design?