last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

EAP-TLS, use MDM or Clearpass - which is best?

Jump to Best Answer
  • 1.  EAP-TLS, use MDM or Clearpass - which is best?

    Posted May 20, 2014 05:52 AM

    We are about to acquire 2000 smartphones, which need connecting to our wireless network.

    Rather than use CHAP which times out, for tablets and phones rather than use WPA2 and have to deal with network ID/password changes. EAP-TLS seems to be the best route?


    Clearpass can do this. But so can Airwatch (using SECP?)

    Just wondered what people have done around this. Cloud seems a nice way to provision this. And Clearpass means another box (or VM) as opposed to a bit of SaaS.


    But despite my prefefence for SaaS, are there any benefits to Clearpass versus letting the MDM manage this Wi-Fi join?

    Have others been through this loop, and offer some experience advice?


  • 2.  RE: EAP-TLS, use MDM or Clearpass - which is best?

    Posted May 20, 2014 06:30 AM

    Even if you went with AirWatch, you'd still need some type of RADIUS server to handle the requests. The idea with ClearPass is that all network policy decisions and authentications processes are handled in the same system. ClearPass can also control the AirWatch MDM so it might be worth looking at a parallel deployment.

  • 3.  RE: EAP-TLS, use MDM or Clearpass - which is best?
    Best Answer

    Posted May 20, 2014 07:58 AM

    Well, of course I'm going to recommend Clearpass! :)


    However, to really answer your question, Tim is right.  Although AirWatch or any other MDM will provision the TLS cert, you need something to authenticate and authorize the users into your network.  That's where Clearpass comes in but it does a ton more than just that.  With a single SSID, you can create different policies and access/actions where you can do some of the following (just a few of many use cases)


    1. If you don't have a cert, (EAP-PEAP) then give guest access/role or redirect to a web page for MDM enrollment or instructions

    2. If you are a certain device (i.e - tablet/phone vs Computer), hand out different roles

    3. If you are coming in from X site vs Y site or location, do something different

    4. If you have a cert from Airwatch and are jailbroken or have violated the MDM policy, redirect or restrict access

    5. Differentiate access based on AD groups


    So, you see, there are many possibilities but in addition to those above examples, you can also profile all your wired/wireless devices, include a very powerful visitor management system for guests, do posture checking for your Win/Mac OSs, and integrate with other systems like MDMs and firewalls or even helpdesk ticketing systems via a RESTful API.


    Finally, to really answer the question - do you need an MDM (AirWatch).  With Clearpass, we can issue the TLS certs through our Onboard module.  This will bring the employees through a self-registration workflow to securely and simply onboard their devices into the network.  It really does 2 things at the end of the day:


    1. Configure the 802.1x supplicant 

    2. Issue the Cert (via our own integrated CA or SCEP proxy or through ADCS)


    Now, if that is all you want - TLS creation/distribution, then onboard will do the job for you.


    IF you require ongoing management of these devices through issuing policies/restrictions OUTSIDE the network, then an MDM of what you need.  An MDM will restrict actions like app downloads, feature enablement (camera, cut/paste, etc...), and prevention of jailbreaking as well as push new policy to the managed devices perpetually.  Keep in mind that this intelligence of these devices can be integrated with Clearpass for policy creation and access management.  


    Hope this helps!

  • 4.  RE: EAP-TLS, use MDM or Clearpass - which is best?

    Posted May 22, 2014 07:10 AM

    Thanks for that.

    My reseller has told me that Clearpass does not yet support Windows Phone 8.1


    Airwatch and MaaS360 do.  So I guess the device management will be done via MDM in the cloud.

    Airwatch and MaaS360 both have SCEP, which means I can get the TLS cert on the device?
    Not sure I need Clearpass for simply hooking up these phones to Aruba wireless?


    In the future, when I need BYOD or 1 SSID for any Internet connected Wi-Fi device Clearpass seems like an abvious choice.

    Just not sure what I need today to get these things working on Aruba.

  • 5.  RE: EAP-TLS, use MDM or Clearpass - which is best?

    Posted May 22, 2014 07:20 AM
    No. I would still recommend Clearpass. We can still integrate with maas360 or airwatch.

    Because they support SCEP, you can tell them to issue a cert from Clearpass. They do not issue certs directly so you still need a CA which Clearpass has.

    Also you do still require a radius server to authenticate with. Clearpass definitely is a best of breed solution.