Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Adding firewall certificate to onboarding package with Clearpass

  • 1.  Adding firewall certificate to onboarding package with Clearpass

    Posted Jul 21, 2019 09:46 PM

    Hi folks,

     

    Running Clearpass 6.7.10 on a VM and we are currently trying to implement HTTPS inspection with our new Checkpoint 5400 firewall.  We have successfully implemented integration between the 2, where Clearpass is sending through identity information to the Checkpoint firewall, however with HTTPS inspection enabled, our BYOD devices don't trust the firewall certificate.  Domain joined machines are fine as we were able to deploy the certificate via GPO.

     

    Trying to figure out how to push the firewall certificate as part of the onboard process, so that BYOD devices will trust the firewall.  I found the following post which suggested putting the certificate in the trusted certs list.

     

    https://community.arubanetworks.com/t5/Security/Deploying-additional-certificates/td-p/269180

     

    We have added the certificate under Administration > Certificates > Trust List and made sure it is enabled.  Not sure what else I should be doing to make this work?

     

    I tried re-onboarding a device and it didn't seem to pick up any additional certificates.  Do I need to rebuild a package or something to integrate the cert?  Have I added it in the wrong place?

    Thanks for any help.



  • 2.  RE: Adding firewall certificate to onboarding package with Clearpass

    EMPLOYEE
    Posted Jul 21, 2019 10:46 PM
    Unfortunately this isn't possible due to OS-level restrictions.


  • 3.  RE: Adding firewall certificate to onboarding package with Clearpass

    Posted Jul 22, 2019 01:45 AM

    Oh, have I misunderstood what you said in the other thread, or has this changed since then?  It seems as though I'm essentially trying to do the same thing.

     

    When you say OS restriction, are you referring to the Clearpass OS, or that of the client devices themselves?



  • 4.  RE: Adding firewall certificate to onboarding package with Clearpass

    EMPLOYEE
    Posted Jul 22, 2019 03:06 AM

    In the past, you could push additional CAs with Onboard in the Onboard » Configuration » Network Settings » Configure Trust Manually (not the recommended setting). Note that this setting is only intended to push 802.1X trust certificates, and modern operating systems segment the certificate use more and more. You can try to follow this path, but apparently it is not supported, according to what Tim responded.



  • 5.  RE: Adding firewall certificate to onboarding package with Clearpass

    Posted Jul 22, 2019 07:11 PM

    So is there an alternate solution to enable HTTPS inspection for our BYOD clients?  Could I change the clearpass cert to be our firewall one, or does the client OS segmentation mean this won't work either?



  • 6.  RE: Adding firewall certificate to onboarding package with Clearpass

    Posted Jul 23, 2019 05:05 AM

    Can you expand on this a little? I've managed to do this for a couple of customers but there is always a requirement for users to accept and install the cert which is really clunky. This was configured under Guest > Onboard > Network Settings > Enterprise Trust.

     

    For one customer, we used the login redirect page to take them to a web page that had all the instructions they needed to download and install a cert but that was clunky too and users who ignored the page then complained when most of their web pages didn't work properly.

     

    Basically, I've not found a perfect solution to this. For guests, I suggest you don't do SSL inspection and just push them out to the internet and let them be responsible for their browsing. For BYOD users, I don't think there is a working solution I'm afraid.



  • 7.  RE: Adding firewall certificate to onboarding package with Clearpass

    Posted Jul 23, 2019 05:06 AM

    My 'can you expand on this' message was directed at Mr Cappalli by the way...