Security

  • 1.  Separate CA Server other than AD, is it possible for EAP-TLS, Clearpass

    Posted 8 days ago

    Hi Everyone,

    I hope this message finds you well.

    Is it possible for the EAP-TLS method to use a separate Certificate Authority (CA) server other than AD? If yes, can you point me to references on how to integrate it, what the limitations of using it are, and what needs to be considered with this set-up?

    Thank you

    Sample Diagram


  • 2.  RE: Separate CA Server other than AD, is it possible for EAP-TLS, Clearpass

    Posted 8 days ago

    Yes, you can have a separate server as the CA for EAP-TLS client (and server) certificates. In fact, I think there is even a recommendation to run Microsoft AD Certificate Services on a member server, not on the AD itself; but the integration with Active Directory and Group Policies is a benefit.

    When you move to Entra ID, you will probably use a different CA anyway, so yes, it's possible. But which CA are you looking to work with? In that CA's documentation you may find guidance on how to integrate with AD (if you want to).

    From a ClearPass perspective, it doesn't care which CA issued the client certificates as long as that CA is added to and enabled in the Trust List for the 'EAP' type. If the AD username, or another AD-identifying attribute, is missing from the certificate, you can even disable authorization and just authenticate based on the certificate only (no AD check).

    But your question is too broad to provide a full answer, as it's not clear in enough detail what you are trying to do or what the ultimate goal is.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily those of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Separate CA Server other than AD, is it possible for EAP-TLS, Clearpass

    Posted 7 days ago

    In addition to Herman's post, if authorization is required, this can be done by using multiple services.
    First, authentications from clients of different CAs need to be categorized into different services. This can be done by querying the user name in a condition in the service rule (e.g. the domain part as a string, or using a REGEX). Then you need dedicated auth sources for each service. Clients with certificates from CA "A" can then authorize against the auth source for domain "A", and clients with certificates from CA "B" can authorize against the auth source for domain "B".
    You only need one criterion according to which you can classify the authentication requests.



    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACX - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
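As an added illustration (not ClearPass code or configuration from either answer above), the following Python models the decision flow both replies describe: the issuing CA must be enabled for EAP in the trust list, a certificate with no AD-style identity attribute falls back to certificate-only authentication with authorization disabled, and otherwise one criterion (the domain part of the identity, matched by a regex) selects the service and its dedicated authentication source. The CA names, domains, service and auth source names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed trust list: issuer CN -> set of usages it is enabled for.
# (ClearPass keeps the real one under Administration > Certificates > Trust List.)
TRUST_LIST = {
    "Corp Root CA A": {"EAP"},
    "Corp Root CA B": {"EAP"},
    "Old Lab CA": {"Others"},   # imported, but not enabled for the 'EAP' type
}

# Constructed service rules: a single criterion (domain part of the identity)
# picks the service and the auth source dedicated to that domain.
SERVICE_RULES = [
    (re.compile(r"@domain-a\.example$", re.I), "EAP-TLS Domain A", "AD Domain A"),
    (re.compile(r"@domain-b\.example$", re.I), "EAP-TLS Domain B", "AD Domain B"),
]

@dataclass
class Decision:
    accepted: bool
    service: Optional[str] = None
    auth_source: Optional[str] = None
    reason: str = ""

def identity_from_cert(cert: dict) -> Optional[str]:
    """Return the first identity attribute a service rule could match on.
    `cert` is a constructed dict of already-parsed certificate fields."""
    for key in ("san_upn", "san_email", "subject_cn"):
        if cert.get(key):
            return cert[key]
    return None

def evaluate(cert: dict) -> Decision:
    issuer = cert.get("issuer_cn")
    if "EAP" not in TRUST_LIST.get(issuer, set()):
        return Decision(False, reason=f"issuer {issuer!r} not enabled for EAP in trust list")
    ident = identity_from_cert(cert)
    if ident is None:
        # Chains to a trusted CA but carries no AD identity: authenticate on
        # the certificate alone, with authorization (the AD lookup) disabled.
        return Decision(True, "EAP-TLS Cert Only", None, "authenticated, authorization disabled")
    for pattern, service, source in SERVICE_RULES:
        if pattern.search(ident):
            return Decision(True, service, source, f"{ident} authorized against {source}")
    return Decision(False, reason=f"no service rule matches identity {ident!r}")
```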