You would need to get your certificates properly set up and get non-managed devices provisioned with a tool like ClearPass Onboard and managed devices with a Mobile Device Management tool.
Setting up EAP-TLS or EAP-PEAP/MSCHAPv2 is close to impossible without additional tooling.
Especially with PEAP/MSCHAPv2, if people blindly trust the certificate or disable certificate validation, there is a good chance that your password will be easily stolen, which if it is the AD password may give access to other applications as well.
Your Aruba partner should be able to assist you with setting this up properly. This is something covered extensively in training and content on Airheads or the Airheads Broadcasting Channel.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 31, 2023 01:29 PM
From: MG15
Subject: GreenLake IAP + ClearPass + Employee's BYOD + Certificate
Hey there,
We have a single SSID for employees - eap-tls for laptops and eap-peap for employees' own devices (phones, tablets, etc.). Radius auth is done by cppm and eap-tls is working as expected (corp-owned devices) as well as eap-peap (employees' BYOD) except for one issue, the certificate. All the users are getting certificate "Not Trusted", which hasn't been an issue until now, when more devices, like Android, are not allowing you to bypass or trust the cert.
All the IAPs are managed by Central.
I have not been able to find a good solution for it and was wondering if anyone has run into this issue and how it was fixed.
Thank you in advance.
------------------------------
ML.
------------------------------