Security

 

I wanted to know if certain third party / public certs work better than others to Onboard iOS devices : Verisign, GoDaddy , etc...

 

I know I can go by this list : http://support.apple.com/kb/ht5012 but just wanted to see what other have experienced 

I have to stay neutral on this but a quick note. :)

 

Is if you are using a CPPM that is running any version before 6.3 you will need to make sure the Root CA you choose supports OID to the certificate (id-kp-eapOverLAN) for the CPPM server cert.

 

Windows decided to change the requirements as of 8.1..:(

Thanks Troy will definitely keep that in mind .

I have a Root CA signed server cert that was created from a CSR made in CPPM 6.3.1.

I does not include the extension  to support Windows 8.1.

This seems to be an oversight.

It has nothing to do with the CSR. It is dependent on the signing CA.

My experience with certs is that you request extensions in the CSR. The CA doesn't change your certificate request it just signs it.

If you look at a CSR with openssl you can see what extensions have been requested.

So is that incorrect for this extension?

 

 

The problem is if we require that attribute then it severely limits who the customer can get a certificate from. It is only windows 8.0> devices that have this requirement.

 

This way the customer just needs to request that the attribute to be included by the signing CA or not allow 8.1 devices to be onboarded. Most security concerned customers will not want to have a public CA sign the Radius certificate only the HTTPS. That is why as of 6.3 you can have two separate certificates and we add ID-KP in our built in PKI that you can use the sign the radius certificate.

Ah that limitation makes sense.

 

The trouble is that creating the server certs with OnBoard does not seem to be a universal solution. If all your devices are onboarded it's fine since they will have the onboard CA installed. But if you have non-onboarded services your HTTPS/RADIUS certs will be signed by an unknown intermediate CA and will fail cert validation on the client.

 

In my understanding so far I think there's two solutions:

1) buy separate Root-CA signed certs for OnBoard and server certs using the inbuilt CSR mechanism for both

2) create a custom CSR using openssl that includes both the Win8.1 ext and the CA ext, install the root CA signed cert in both PM and OB

 

The other solution would be to use a supplicant configuration utility/wizard like QuickConnect to install the CA and configure the client appropriately.

Fine for staff, but won't work in one of our use cases which is free public wifi.

 

For clarity can your respond about the CSR requiring the extension or not?

but with free wifi you are not doing .1x so it shouldn't matter. It's only if you are doing 802.1x

Free but self-registered wifi, so a user still hits guest and we don't the general public to get a certificate error :)

again the Id-kp issue has nothing to do with https: it's only .1x that has the issue

I think you are saying that there is a 3rd solution which is:

 

- have a completely separate HTTPS cert, signed by a well-known Intermediate CA

- have a RADIUS cert signed by the OnBoard Local CA

 

But what if you have other 802.1x services that are not on-boarded? Same problem - the 802.1x clients will not have the OnBoard CA installed and will not validate the RADIUS cert.

 

So we are back to needing a RADIUS cert that is signed by a well-known intermediate CA and again the problem is that the internally created CSR doesn't have the right attribute. This goes back to my point about it not being a universal solution.

 

 

 

 

Yes. The solution is to use a publicly signed https cert, an onboard signed radius cert and a supplicant configuration utility like QuickConnect for non-onboard clients.

most of the well know CA will add the attributes. You just need to call and request it with you csr.

This also comes down to security concerns. Do you really want a publicly signed radius cert. Most security experts will tell you that is a big security risk to take just for you to make it easier for some users....

> That is why as of 6.3 you can have two separate certificates and we add ID-KP in our built in PKI that you can use the sign the radius certificate.

 

Giving this a go.. How does the signing work? I can create a CSR or self-signed cert in PM, but can't see how I sign it with the local CA.

 

edit: nevermind found it. I still think this will be an issue if you are supporting an onboard and a non-onboard 802.1x service but good enough for the moment

If you do a csc from CPPM make sure you download both the CSR and the PKEY file.

 

 

1. If you havent already creat and new CA 

 

 

2. Edit the CA settings for how long you want the certs to be valid.

 

 

 

 

 

3. click import cert

 

 

4. tell it to issue cert imedeately

 

 

5. export... I use PKCS7 because it includes the full trust chain.

 

 

6. Import into CPPM

 

 

I'm running into an issue. My thawte cert was issued for my VIP in my 5k cluster. However, it doesn't have id-kp-eapOverLAN option. 

 

When trying to change my radius cert to be self signed, I get the error that CPPM can't use self signed certs for RADIUS in a cluster.

 

Is this normal? 

 

cppm   6.3.3.29992

Correct. Clustering requires that all certs be signed by the same CA which is not possible with a self-signed cert.

So...any suggestion other than not allow windows 8.1 or remove the VIP?

You need to have the onboarding PKI sign the cert. the self sign does not support id-kp

Are you using EAP-TLS / Onboard or just PEAP ?

doing EAP-TLS / OnBoarding

 

Troy - so if I sign it with OnBoard (like you show on page 2), I will be able to use the cert for radius and my VIP?

Correct

Thank you! That worked perfectly. 

 

got to love certs!