Does CPPM support automatic revocation/deletion of certificates for inactive devices?
Environment: Customers implementing onboarding using ClearPass Policy Manager
Answer: Starting with version 6.5, the Onboard module in ClearPass Guest has an option to revoke certificates for inactive devices after a specified amount of time. This option is disabled by default.
For this feature to work, Insight must be enabled on this node, because the feature relies on Insight data. The node must also be configured as the Insight Master.
To configure this feature, navigate to the following location in the ClearPass Guest GUI:
Onboard -> Deployment and Provisioning -> Provisioning Settings -> Select the provisioning settings profile and click "Edit" -> On the General tab, scroll down to "Actions" -> At "Revoke Inactive", check the box for "Revoke certificates for inactive devices" to automatically revoke the certificates of devices after a period in which the device is not seen on the network.
Set the "Inactivity Period" in days based on your requirements. If a device does not authenticate on the network within this period, its certificate will be revoked.