Hi all, I'm looking for a few major points regarding ClearPass as the issuing CA through OnBoard vs. using Microsoft PKI to distribute certificates to devices via group policy.
Please correct this if it's wrong:
(Assuming single SSID)
OnBoard CA - Requires user to authenticate via EAP-PEAP to SSID, perform PAP authentication on enrollment page, go through enrollment process and then reconnect using EAP-TLS. ClearPass manages the certificates and can validate its own certificates as valid. Requires manual enrollment by each user.
Microsoft PKI - Requires ADCS with autoenrollment enabled, can push certificate to machines / user accounts via group policy. User does not need to touch anything, admin handles everything. Need to create custom auth method to verify OCSP from ADCS. Microsoft manages certificates and can validate their validity via the OCSP auth method. Need to add Root CA to trust list.
With Microsoft PKI, the wireless service only needs to permit EAP-TLS as an authentication method, as no EAP-PEAP would be required.
My thoughts are - Microsoft PKI involves less user interaction, but more admin interactions to set everything up properly. OnBoard CA requires users to do some work, but then provides a single place to manage and validate the certificates. Neither are better than the other, just depends on what the end customer would want.
Any additional thoughts or suggestions or corrections to my logic?
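As an added example (not from this thread, and not ClearPass or Microsoft code), here is what the validation side of the Microsoft PKI option described above looks like when written out: the certificate presented over EAP-TLS is checked against the trusted root list, its signature is verified against that root, its validity window and clientAuth EKU are checked, and an OCSP request is built from the responder URL in its AIA extension. It uses the Python `cryptography` package; the root CA, client certificates and the responder URL are constructed test data, not taken from any real ADCS deployment.

```python
"""Checks a RADIUS/NAC server performs on an EAP-TLS client certificate
issued by an external CA (here standing in for ADCS). Added example with
constructed test data; the CA and certificates are generated in memory."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

# Placeholder responder URL (assumption): a real ADCS publishes its own
# OCSP URL in the AIA extension of every certificate it issues.
OCSP_URL = "http://ocsp.example.invalid/ocsp"


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Constructed Root CA"):
    """Self-signed test root playing the role of the ADCS root (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn, days_ago=1, valid_days=365, client_auth=True):
    """Leaf certificate of the kind autoenrollment pushes to a user or machine."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    start = _now() - datetime.timedelta(days=days_ago)
    eku = ExtendedKeyUsageOID.CLIENT_AUTH if client_auth else ExtendedKeyUsageOID.SERVER_AUTH
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(ca_cert.subject)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=valid_days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
        .add_extension(aia, critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def _validity(cert):
    """Validity window as aware UTC datetimes, across cryptography versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def check_client_cert(cert, trusted_roots):
    """Return (ok, reason). Trust list, signature, validity and EKU checks;
    revocation is a separate OCSP step (see build_ocsp_request)."""
    issuer = next((r for r in trusted_roots if r.subject == cert.issuer), None)
    if issuer is None:
        return False, "issuer not in trust list"
    try:  # a matching issuer *name* is not enough; the trusted key must have signed it
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify against trusted issuer"
    not_before, not_after = _validity(cert)
    if not (not_before <= _now() <= not_after):
        return False, "outside validity period"
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no EKU extension"
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "EKU lacks clientAuth"
    return True, "trust, signature, validity and EKU ok; revocation still to be checked via OCSP"


def build_ocsp_request(cert, issuer):
    """Responder URL from the AIA extension plus the DER OCSP request for this serial."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    url = next(d.access_location.value for d in aia
               if d.access_method == AuthorityInformationAccessOID.OCSP)
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return url, req.public_bytes(serialization.Encoding.DER)


def ocsp_request_serial(der):
    """What the responder reads back out of the request: the queried serial."""
    return ocsp.load_der_ocsp_request(der).serial_number


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    leaf = issue_client_cert(ca_key, ca_cert, "laptop01.corp.example")
    print(check_client_cert(leaf, [ca_cert]))
    url, der = build_ocsp_request(leaf, ca_cert)
    print("would POST", len(der), "bytes of OCSP request to", url)
```

The actual HTTP POST of the DER request to the responder is left out so the script runs offline; in a real deployment the issuing CA is usually a subordinate of the root, so the trust-list lookup becomes a chain walk rather than a single issuer match.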
1) You should never use single SSID Onboard.
2) ADCS + Onboard integration is only recommended if required by security policy. It's always a good practice to separate trust domains between corporate auto-issuance and self-enrollment.
3) ClearPass does not replace certificate enrollment for AD-joined managed Windows devices. That should still be done automatically via GPO and ADCS.
Assisted Onboarding is not designed for corporate assets.
Other platforms managed via EMM should be configured to use ClearPass as the CA, but use autoenrollment via SCEP or EST.
That's really good info - I know OnBoard was originally designed for onboarding personal devices onto corporate SSIDs.
So to shorten the answer, any domain-joined microsoft PCs should be issued certificates from the Microsoft PKI environment using ADCS and ClearPass should be used to simply validate the certificate information and validity?