
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass Onboard CA vs Microsoft PKI

  • 1.  ClearPass Onboard CA vs Microsoft PKI

    Posted Aug 02, 2018 12:51 PM

    Hi all, I'm looking for a few major points regarding ClearPass as the issuing CA through OnBoard vs. using Microsoft PKI to distribute certificates to devices via group policy.


    Please correct this if it's wrong:


    (Assuming single SSID)


    OnBoard CA - Requires user to authenticate via EAP-PEAP to SSID, perform PAP authentication on enrollment page, go through enrollment process and then reconnect using EAP-TLS. ClearPass manages the certificates and can validate its own certificates as valid. Requires manual enrollment by each user.


    Microsoft PKI - Requires ADCS with autoenrollment enabled, can push certificate to machines / user accounts via group policy. User does not need to touch anything, admin handles everything. Need to create custom auth method to verify OCSP from ADCS. Microsoft manages certificates and can validate their validity via the OCSP auth method. Need to add Root CA to trust list.


    With Microsoft PKI, the wireless service only needs to permit EAP-TLS as an authentication method, as no EAP-PEAP would be required.


    My thoughts are - Microsoft PKI involves less user interaction, but more admin interactions to set everything up properly. OnBoard CA requires users to do some work, but then provides a single place to manage and validate the certificates. Neither is better than the other, it just depends on what the end customer would want.


    Any additional thoughts or suggestions or corrections to my logic?



  • 2.  RE: ClearPass Onboard CA vs Microsoft PKI
    Best Answer

    Posted Aug 02, 2018 12:56 PM

    1) You should never use single SSID Onboard.


    2) ADCS + Onboard integration is only recommended if required by security policy. It's always a good practice to separate trust domains between corporate auto-issuance and self-enrollment.


    3) ClearPass does not replace certificate enrollment for AD-joined managed Windows devices. That should still be done automatically via GPO and ADCS.


    Assisted Onboarding is not designed for corporate assets.


    Other platforms managed via EMM should be configured to use ClearPass as the CA, but use autoenrollment via SCEP or EST.


  • 3.  RE: ClearPass Onboard CA vs Microsoft PKI

    Posted Aug 02, 2018 01:08 PM

    That's really good info - I know OnBoard was originally designed for onboarding personal devices onto corporate SSIDs.


    So to shorten the answer, any domain-joined Microsoft PCs should be issued certificates from the Microsoft PKI environment using ADCS and ClearPass should be used to simply validate the certificate information and validity?

  • 4.  RE: ClearPass Onboard CA vs Microsoft PKI

    Posted Aug 02, 2018 01:13 PM
    Just to clarify. Onboard is the entire CA functionality. What I call Assisted Onboard is the wizard-like interface for end user self-enrollment.

    Onboard CAs can (and should) be used for non-Windows corporate assets like macOS and smartphones tha

    Best practice is to create a managed device CA and a personal/BYOD CA on top of any other infrastructure CAs (NADs, RadSec, etc).

    RE: domain-joined Windows, yes.
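As an added example (not from the thread or from Aruba), the separate-trust-domain point in replies 2 and 4 in Python with the `cryptography` package: a constructed root with a managed-device CA and a personal/BYOD CA, and a policy lookup that maps an EAP-TLS client certificate to its trust domain only after verifying the issuing CA's signature and the validity window, so a certificate that merely names the managed CA as its issuer is rejected. The CA labels, device names and the `trust_domain`/`demo` helpers are assumptions.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _key():
    return ec.generate_private_key(ec.SECP256R1())

def make_cert(subject_cn, key, issuer, signing_key, is_ca, days=365):
    """Build a minimal X.509 cert for `key`, signed by `signing_key` (constructed test PKI)."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))

# One root with two issuing CAs, one per trust domain (all constructed, not real CAs).
root_key, managed_key, byod_key = _key(), _key(), _key()
root = make_cert("Example Root CA", root_key, _name("Example Root CA"), root_key, True, 3650)
managed_ca = make_cert("Managed Device CA", managed_key, root.subject, root_key, True, 1825)
byod_ca = make_cert("Personal BYOD CA", byod_key, root.subject, root_key, True, 1825)

# Policy table: issuing CA subject -> (trust domain the NAC policy assigns, CA cert).
TRUST_DOMAINS = {managed_ca.subject: ("corp-managed", managed_ca),
                 byod_ca.subject: ("byod", byod_ca)}

def trust_domain(client_cert, now=None):
    """Return the trust domain of an EAP-TLS client cert, or None if it was not validly
    issued by a known CA. The issuer name alone is not trusted: the signature is checked
    against that CA's key and the validity window is enforced."""
    entry = TRUST_DOMAINS.get(client_cert.issuer)
    if entry is None:
        return None
    domain, ca = entry
    try:
        ca.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                               ec.ECDSA(client_cert.signature_hash_algorithm))
    except InvalidSignature:
        return None
    now = now or datetime.now(timezone.utc)
    nb = client_cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = client_cert.not_valid_after.replace(tzinfo=timezone.utc)
    return domain if nb <= now <= na else None

# Sample devices: an ADCS/GPO-style managed laptop, a self-enrolled BYOD phone, and a rogue
# cert that merely *claims* the managed CA as issuer but is signed by an unrelated key.
laptop = make_cert("laptop01.corp.example", _key(), managed_ca.subject, managed_key, False)
phone = make_cert("alice-phone", _key(), byod_ca.subject, byod_key, False)
rogue = make_cert("laptop99.corp.example", _key(), managed_ca.subject, _key(), False)

def demo():
    """Constructed check set; a NAC policy would key enforcement on the returned domain."""
    future = datetime.now(timezone.utc) + timedelta(days=400)
    return {"laptop": trust_domain(laptop), "phone": trust_domain(phone),
            "rogue": trust_domain(rogue), "laptop_after_expiry": trust_domain(laptop, future)}
```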