Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Advice to obtain Public Cert for Onboarding iOS Devices

  • 1.  Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Feb 14, 2014 02:48 PM

     

    I wanted to know if certain third party / public certs work better than others to Onboard iOS devices: Verisign, GoDaddy, etc.

    I know I can go by this list: http://support.apple.com/kb/ht5012 but just wanted to see what others have experienced.



  • 2.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Feb 14, 2014 05:24 PM

    I have to stay neutral on this, but a quick note. :)

    If you are using a CPPM that is running any version before 6.3, you will need to make sure the Root CA you choose supports adding the OID (id-kp-eapOverLAN) to the CPPM server cert.

    Windows decided to change the requirements as of 8.1. :(



  • 3.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Feb 17, 2014 09:18 AM
    Thanks Troy, will definitely keep that in mind.


  • 4.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 09:41 PM

    I have a Root CA signed server cert that was created from a CSR made in CPPM 6.3.1.

    It does not include the extension to support Windows 8.1.

    This seems to be an oversight.



  • 5.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 09:49 PM
    It has nothing to do with the CSR. It is dependent on the signing CA.


  • 6.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 09:52 PM

    My experience with certs is that you request extensions in the CSR. The CA doesn't change your certificate request; it just signs it.

    If you look at a CSR with openssl you can see what extensions have been requested.

    So is that incorrect for this extension?


  • 7.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:10 PM

    The problem is if we require that attribute then it severely limits who the customer can get a certificate from. It is only Windows >8.0 devices that have this requirement.

    This way the customer just needs to request that the attribute be included by the signing CA, or not allow 8.1 devices to be onboarded. Most security-concerned customers will not want to have a public CA sign the RADIUS certificate, only the HTTPS one. That is why, as of 6.3, you can have two separate certificates, and we add id-kp in our built-in PKI that you can use to sign the RADIUS certificate.



  • 8.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:16 PM

    Ah that limitation makes sense.

     

    The trouble is that creating the server certs with OnBoard does not seem to be a universal solution. If all your devices are onboarded it's fine since they will have the onboard CA installed. But if you have non-onboarded services your HTTPS/RADIUS certs will be signed by an unknown intermediate CA and will fail cert validation on the client.

     

    In my understanding so far I think there are two solutions:

    1) buy separate Root-CA signed certs for OnBoard and server certs using the inbuilt CSR mechanism for both

    2) create a custom CSR using openssl that includes both the Win8.1 ext and the CA ext, install the root CA signed cert in both PM and OB
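Posts 5, 6 and 8 disagree on whether the CSR or the signing CA decides the extension. As an added example (not from the thread or from Aruba), this script builds a throw-away CA, creates a CSR that requests the id-kp-eapOverLAN EKU, signs it once ignoring the requested extensions and once with the CA adding the EKU, then checks where the EKU actually ends up. The CA name, the CN cppm.example.test and all file names are constructed; it assumes `openssl` is in PATH.

```shell
#!/bin/sh
# Added demo (not from the thread). A CSR can *request* id-kp-eapOverLAN
# (OID 1.3.6.1.5.5.7.3.14), but the issued certificate only carries it if
# the signing CA chooses to add it. Requires openssl; all names are constructed.
set -e
EAP_OID=1.3.6.1.5.5.7.3.14
WORK=$(mktemp -d)
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = cppm.example.test
[v3_req]
extendedKeyUsage = serverAuth, $EAP_OID
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF

# Throw-away CA standing in for the public (or Onboard) signing CA
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
  -extensions v3_ca -subj "/CN=Demo Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# RADIUS server CSR that requests serverAuth + eapOverLAN
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null

# Case A: CA signs as-is; "x509 -req" does not copy requested extensions
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv_plain.pem" 2>/dev/null

# Case B: CA adds the EKU itself, which is what you have to ask the CA for
printf 'extendedKeyUsage = serverAuth, %s\n' "$EAP_OID" > "$WORK/ca_ext.cnf"
openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ca_ext.cnf" \
  -out "$WORK/srv_eap.pem" 2>/dev/null

# has_eap_eku csr|cert FILE: exit 0 if the CSR requests / the cert carries
# the eapOverLAN EKU (printed by OpenSSL as the dotted OID or a name with "eap")
has_eap_eku() {
  if [ "$1" = csr ]; then cmd="openssl req"; else cmd="openssl x509"; fi
  $cmd -in "$2" -noout -text | grep -Eqi '1\.3\.6\.1\.5\.5\.7\.3\.14|eap'
}

has_eap_eku csr  "$WORK/srv.csr"       && echo "CSR requests eapOverLAN"
has_eap_eku cert "$WORK/srv_plain.pem" || echo "plain signing: EKU absent"
has_eap_eku cert "$WORK/srv_eap.pem"   && echo "CA-added EKU: present"
```

Run the same `has_eap_eku cert` check against the certificate a public CA actually returns before installing it as the RADIUS cert; the CSR alone proves nothing.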

     



  • 9.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:19 PM
    The other solution would be to use a supplicant configuration utility/wizard like QuickConnect to install the CA and configure the client appropriately.


  • 10.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:30 PM

    Fine for staff, but won't work in one of our use cases which is free public wifi.

     

    For clarity, can you respond about the CSR requiring the extension or not?



  • 11.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:39 PM
    But with free wifi you are not doing .1x, so it shouldn't matter. It's only if you are doing 802.1x.


  • 12.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:49 PM

    Free but self-registered wifi, so a user still hits guest and we don't want the general public to get a certificate error :)



  • 13.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 10:51 PM
    Again, the id-kp issue has nothing to do with HTTPS: it's only .1x that has the issue.


  • 14.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 11:00 PM

    I think you are saying that there is a 3rd solution which is:

     

    - have a completely separate HTTPS cert, signed by a well-known Intermediate CA

    - have a RADIUS cert signed by the OnBoard Local CA

     

    But what if you have other 802.1x services that are not on-boarded? Same problem - the 802.1x clients will not have the OnBoard CA installed and will not validate the RADIUS cert.

     

    So we are back to needing a RADIUS cert that is signed by a well-known intermediate CA, and again the problem is that the internally created CSR doesn't have the right attribute. This goes back to my point about it not being a universal solution.


  • 15.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 11:05 PM
    Yes. The solution is to use a publicly signed https cert, an onboard signed radius cert and a supplicant configuration utility like QuickConnect for non-onboard clients.


  • 16.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 07, 2014 11:05 PM
    Most of the well-known CAs will add the attributes. You just need to call and request it with your CSR.

    This also comes down to security concerns. Do you really want a publicly signed RADIUS cert? Most security experts will tell you that is a big security risk to take just for you to make it easier for some users....


  • 17.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 08, 2014 12:42 AM

    > That is why as of 6.3 you can have two separate certificates and we add ID-KP in our built in PKI that you can use the sign the radius certificate.

     

    Giving this a go... How does the signing work? I can create a CSR or self-signed cert in PM, but can't see how I sign it with the local CA.

    edit: never mind, found it. I still think this will be an issue if you are supporting an onboard and a non-onboard 802.1x service, but good enough for the moment.



  • 18.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 08, 2014 12:56 AM

    If you do a CSR from CPPM make sure you download both the CSR and the PKEY file.

    1. If you haven't already, create a new CA.

    2. Edit the CA settings for how long you want the certs to be valid.

    3. Click import cert.

    4. Tell it to issue the cert immediately.

    5. Export... I use PKCS7 because it includes the full trust chain.

    6. Import into CPPM.


  • 19.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:08 PM

    I'm running into an issue. My Thawte cert was issued for my VIP in my 5k cluster. However, it doesn't have the id-kp-eapOverLAN option.

     

    When trying to change my radius cert to be self signed, I get the error that CPPM can't use self signed certs for RADIUS in a cluster.

     

    Is this normal? 

     

    CPPM 6.3.3.29992



  • 20.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:10 PM
    Correct. Clustering requires that all certs be signed by the same CA which is not possible with a self-signed cert.


  • 21.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:12 PM

    So... any suggestion other than not allowing Windows 8.1 or removing the VIP?



  • 22.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:13 PM
    You need to have the onboarding PKI sign the cert. Self-signed does not support id-kp.


  • 23.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:13 PM

    Are you using EAP-TLS / Onboard or just PEAP ?



  • 24.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:16 PM

    doing EAP-TLS / OnBoarding

     

    Troy - so if I sign it with OnBoard (like you show on page 2), I will be able to use the cert for radius and my VIP?



  • 25.  RE: Advice to obtain Public Cert for Onboarding iOS Devices
    Best Answer

    Posted Jun 26, 2014 01:17 PM
    Correct.


  • 26.  RE: Advice to obtain Public Cert for Onboarding iOS Devices

    Posted Jun 26, 2014 01:23 PM

    Thank you! That worked perfectly.

    Got to love certs!