Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x authentication with certificate from embedded device

  • 1.  802.1x authentication with certificate from embedded device

    Posted Jun 12, 2014 04:53 AM

    Hi


    A customer who is a hardware manufacturer plans to deploy certificates to hardware they build, to be able to authenticate the device when connecting to an 802.1x network.


    Can ClearPass do PKI-based authentication if the PKI is a third-party CA and the device is a custom device trying to authenticate to the network by providing a certificate as its credential?


    Regards

    Jonas Erlund Hammarbäck



  • 2.  RE: 802.1x authentication with certificate from embedded device

    EMPLOYEE
    Posted Jun 12, 2014 06:13 AM
    As long as the certificate is a client authentication cert and you are able to add the Root/signing certificate to ClearPass, sure.


  • 3.  RE: 802.1x authentication with certificate from embedded device

    Posted Jun 12, 2014 06:25 AM

    Adding the root certificate shouldn't be an issue, and I suppose the customer will have certificates for client authentication. Otherwise I need to advise them to implement this.


    How do I configure the service to handle this logon request? There is no option to use "PKI" or "PKCS11" as the authentication source.


    Regards

    Jonas



  • 4.  RE: 802.1x authentication with certificate from embedded device
    Best Answer

    EMPLOYEE
    Posted Jun 12, 2014 07:52 AM

    Couple of things.


    Is your CA set up to do OCSP, or will you be using a CRL? For all 3 scenarios below, use the Endpoint Repository as your authentication source.


    • If it's a CRL, you will need to add the CRL URL under Administration > Certificates > Certificate Revocation Lists. Then use the [EAP-TLS] authentication method.
    • If it's OCSP and you want to use the OCSP URL that is provided in the certificate, create a new EAP-TLS method and choose Required under "Verify Certificate using OCSP".

      [screenshot: verify-using-ocsp.png]

    • If you want to override the OCSP URL, you'll want to create a new EAP-TLS method and use the "Override OCSP URL from Client". Then enter your OCSP URL.

      [screenshot: new-tls-auth-method-ocsp-override.png]
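The two conditions the replies above rely on, a certificate that is a client-authentication cert chaining to a Root CA you trust, and a revocation check against the CA's CRL, can be reproduced with nothing but the openssl CLI. The script below is an added example, not code from the thread or from HPE Aruba Networking; it assumes a POSIX shell with `openssl` and `mktemp` available, and every CA name, device name, file name and config section in it is constructed for the demo. It stands in a third-party CA for the customer's PKI, issues certificates to two "embedded devices" plus a serverAuth-only certificate, then runs the checks an EAP-TLS authenticator would: chain plus EKU, and chain plus CRL after one device is revoked. The OCSP variants from the best answer are not modelled; they need a responder rather than a file.

```shell
#!/bin/sh
# Added example, not from the thread or from HPE Aruba: models the two checks an
# EAP-TLS authenticator such as ClearPass applies to a device certificate, using
# only the openssl CLI. All CA names, file names and subjects are constructed.
#   1. chain validates to the trusted Root CA and the cert is a client-auth cert
#   2. the cert is not on the CA's CRL (the CRL-URL scenario in the thread)
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed third-party root CA standing in for the customer's PKI
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Device Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# Minimal "openssl ca" database so the CA can issue certificates and a CRL
touch index.txt
echo 01 > serial
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF

# issue_cert NAME EXT_SECTION: key + CSR + CA-signed cert for one device
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -extensions "$2" \
        -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# Check 1: chain builds to the trusted root AND the cert is usable as a
# TLS client (EKU clientAuth). A serverAuth-only cert fails here.
chain_and_eku_ok() {
    openssl verify -CAfile ca.crt -purpose sslclient "$1" >/dev/null 2>&1
}

# Check 2: check 1 plus revocation status against the CA's CRL.
# ClearPass would fetch the CRL from the configured URL; here it is a file.
not_revoked() {
    cat ca.crt ca.crl > trust_with_crl.pem
    openssl verify -crl_check -CAfile trust_with_crl.pem \
        -purpose sslclient "$1" >/dev/null 2>&1
}

# revoke_and_publish_crl CERT: what the customer's PKI does when a device is
# decommissioned; the new CRL is what the authenticator must pick up.
revoke_and_publish_crl() {
    openssl ca -batch -config ca.cnf -revoke "$1" >/dev/null 2>&1
    openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# show DESCRIPTION CHECK ARGS...: print the outcome of one check
show() {
    desc="$1"; shift
    if "$@"; then echo "accepted : $desc"; else echo "rejected : $desc"; fi
}

# --- Demo: two embedded devices plus a cert issued for a server ---
issue_cert device-001 client_ext
issue_cert device-002 client_ext
issue_cert appliance-web server_ext
openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1  # empty CRL
revoke_and_publish_crl device-002.crt

show "device-001: valid clientAuth cert"     chain_and_eku_ok device-001.crt
show "appliance-web: serverAuth-only cert"   chain_and_eku_ok appliance-web.crt
show "device-002: chain only (ignores CRL)"  chain_and_eku_ok device-002.crt
show "device-002: chain + CRL check"         not_revoked device-002.crt
show "device-001: chain + CRL check"         not_revoked device-001.crt
```

The third line of output is the point worth noticing for the thread's question: a revoked device certificate still passes the chain-and-EKU check, so without the CRL URL (or OCSP) configured in the EAP-TLS method, a decommissioned device keeps authenticating until its certificate expires. The Endpoint Repository plays no part in either check, which matches the reply that the certificate itself is the credential.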



  • 5.  RE: 802.1x authentication with certificate from embedded device

    Posted Jun 12, 2014 08:16 AM

    At the moment I don't have any information if the PKI will have CRL or OCSP. The PKI solution will be implemented by the customer.


    If I use the Endpoint Repository as the authentication source, does that require all devices to be imported into the Endpoint Repository to be able to authenticate successfully?


    I don't know the number of devices the customer manufactures per year, but I assume between 100 000 and 1 000 000 devices.

    The device will only use this authentication when the end customer brings the device to an authorized service workshop and the device connects to the diagnostic tools at the workshop.


    Thus I don't think it would be possible to prepopulate the Endpoint Repository with all devices.

    So my question: will the authentication work even though the device isn't in the Endpoint Repository?


    Regards

    Jonas



  • 6.  RE: 802.1x authentication with certificate from embedded device

    EMPLOYEE
    Posted Jun 12, 2014 08:28 AM
    It should work because it's using the certificate as the credential.


  • 7.  RE: 802.1x authentication with certificate from embedded device

    Posted Jun 12, 2014 08:30 AM

    Thank you for your advice.


    I will keep this in mind if the customer chooses the ClearPass solution we plan to offer.


    Regards

    Jonas



  • 8.  RE: 802.1x authentication with certificate from embedded device

    EMPLOYEE
    Posted Jun 12, 2014 08:32 AM
    It is definitely something to test in a proof of concept setup before deploying.