Security

Hello,

I have a new kind of devices on my network (Teams meeting room for visio-conferences), i want to secure their access to the network through EAP-TLS RADIUS access.
I've been successfully able to create my own CA on a random linux cert, and generate keys/certs, then import the CA into Clearpass with "EAP" role and everything works great.

My manager thinks things could be done better, by using the "onboard" menu of Clearpass to create a CA, and create certs/keys. So I could distribute them manually to the Teams devices.

I've started to look at the docs, and i get that it can ditribute key/certs to devices automatically, but i don't know if i could get my way by retrieving keys/certs and then upload them myslef wherever i need.

Can someone enlighten me ?
thanks.

In the end, client TLS certificates are client TLS certificates. What makes the difference is the way that you generate those certificates, where ClearPass Onboard is one method. The benefit of Onboard is that its CA is included in ClearPass, and there is a nice Web interface to manage everything. For the deployment to clients, there is Windows/Mac/IOS/Android/Linux support to make the enrollment and configuration of the client smooth and more easy, or use SCEP/EST (optionally through Intune) to automate the enrollment. It depends on the client device if that works and/or makes sense. What I've experienced in the past is that many managers prefer an official supported product over cli commands in Linux because of continuity and not spending to much time on finding out how things work exactly. But if you generate the correct certificates, it's supposed to work.

Hello,

I have a new kind of devices on my network (Teams meeting room for visio-conferences), i want to secure their access to the network through EAP-TLS RADIUS access.
I've been successfully able to create my own CA on a random linux cert, and generate keys/certs, then import the CA into Clearpass with "EAP" role and everything works great.

My manager thinks things could be done better, by using the "onboard" menu of Clearpass to create a CA, and create certs/keys. So I could distribute them manually to the Teams devices.

I've started to look at the docs, and i get that it can ditribute key/certs to devices automatically, but i don't know if i could get my way by retrieving keys/certs and then upload them myslef wherever i need.

Can someone enlighten me ?
thanks.

Hi,

Thank you for the reply but i still feel a bit lost (I haven't tested anything yet as I would like to make sure it will prove useful in my context).

In simple terms, can you tell me if I will be able to retrieve (on my workstation, for manual deployment  through other means) the Onboard CA cert + device certs/keys generated by the Clearpass Onboard CA ?

Many thanks
Mike.

In the end, client TLS certificates are client TLS certificates. What makes the difference is the way that you generate those certificates, where ClearPass Onboard is one method. The benefit of Onboard is that its CA is included in ClearPass, and there is a nice Web interface to manage everything. For the deployment to clients, there is Windows/Mac/IOS/Android/Linux support to make the enrollment and configuration of the client smooth and more easy, or use SCEP/EST (optionally through Intune) to automate the enrollment. It depends on the client device if that works and/or makes sense. What I've experienced in the past is that many managers prefer an official supported product over cli commands in Linux because of continuity and not spending to much time on finding out how things work exactly. But if you generate the correct certificates, it's supposed to work.

Hello,

I have a new kind of devices on my network (Teams meeting room for visio-conferences), i want to secure their access to the network through EAP-TLS RADIUS access.
I've been successfully able to create my own CA on a random linux cert, and generate keys/certs, then import the CA into Clearpass with "EAP" role and everything works great.

My manager thinks things could be done better, by using the "onboard" menu of Clearpass to create a CA, and create certs/keys. So I could distribute them manually to the Teams devices.

I've started to look at the docs, and i get that it can ditribute key/certs to devices automatically, but i don't know if i could get my way by retrieving keys/certs and then upload them myslef wherever i need.

Can someone enlighten me ?
thanks.

Hi,

Thank you for the reply but i still feel a bit lost (I haven't tested anything yet as I would like to make sure it will prove useful in my context).

In simple terms, can you tell me if I will be able to retrieve (on my workstation, for manual deployment  through other means) the Onboard CA cert + device certs/keys generated by the Clearpass Onboard CA ?

Many thanks
Mike.

In the end, client TLS certificates are client TLS certificates. What makes the difference is the way that you generate those certificates, where ClearPass Onboard is one method. The benefit of Onboard is that its CA is included in ClearPass, and there is a nice Web interface to manage everything. For the deployment to clients, there is Windows/Mac/IOS/Android/Linux support to make the enrollment and configuration of the client smooth and more easy, or use SCEP/EST (optionally through Intune) to automate the enrollment. It depends on the client device if that works and/or makes sense. What I've experienced in the past is that many managers prefer an official supported product over cli commands in Linux because of continuity and not spending to much time on finding out how things work exactly. But if you generate the correct certificates, it's supposed to work.

Hello,

I have a new kind of devices on my network (Teams meeting room for visio-conferences), i want to secure their access to the network through EAP-TLS RADIUS access.
I've been successfully able to create my own CA on a random linux cert, and generate keys/certs, then import the CA into Clearpass with "EAP" role and everything works great.

My manager thinks things could be done better, by using the "onboard" menu of Clearpass to create a CA, and create certs/keys. So I could distribute them manually to the Teams devices.

I've started to look at the docs, and i get that it can ditribute key/certs to devices automatically, but i don't know if i could get my way by retrieving keys/certs and then upload them myslef wherever i need.

Can someone enlighten me ?
thanks.