Aruba

Re: Advice to obtain Public Cert for Onboarding iOS Devices

But with free wifi you are not doing .1x, so it shouldn't matter. It's only if you are doing 802.1x.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Free but self-registered wifi, so a user still hits guest and we don't want the general public to get a certificate error :)


--
ACMA ACMP
Aruba

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Again, the id-kp issue has nothing to do with HTTPS; it's only .1x that has the issue.
Thank You,
Troy

Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

I think you are saying that there is a 3rd solution which is:

- have a completely separate HTTPS cert, signed by a well-known Intermediate CA
- have a RADIUS cert signed by the OnBoard Local CA

But what if you have other 802.1x services that are not on-boarded? Same problem - the 802.1x clients will not have the OnBoard CA installed and will not validate the RADIUS cert.

So we are back to needing a RADIUS cert that is signed by a well-known intermediate CA and again the problem is that the internally created CSR doesn't have the right attribute. This goes back to my point about it not being a universal solution.

--
ACMA ACMP
Aruba

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Most of the well-known CAs will add the attributes. You just need to call and request it with your CSR.

This also comes down to security concerns. Do you really want a publicly signed RADIUS cert? Most security experts will tell you that is a big security risk to take just to make it easier for some users...
Thank You,
Troy

Guru Elite

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Yes. The solution is to use a publicly signed https cert, an onboard signed radius cert and a supplicant configuration utility like QuickConnect for non-onboard clients.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

> That is why as of 6.3 you can have two separate certificates and we add ID-KP in our built in PKI that you can use to sign the radius certificate.

Giving this a go. How does the signing work? I can create a CSR or self-signed cert in PM, but can't see how I sign it with the local CA.

Edit: never mind, found it. I still think this will be an issue if you are supporting an onboard and a non-onboard 802.1x service, but good enough for the moment.


--
ACMA ACMP
Aruba

Re: Advice to obtain Public Cert for Onboarding iOS Devices

If you do a CSR from CPPM make sure you download both the CSR and the PKEY file.

1. If you haven't already, create a new CA.
2. Edit the CA settings for how long you want the certs to be valid.
3. Click import cert.
4. Tell it to issue the cert immediately.
5. Export... I use PKCS7 because it includes the full trust chain.
6. Import into CPPM.

Thank You,
Troy

Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

I'm running into an issue. My Thawte cert was issued for my VIP in my 5k cluster. However, it doesn't have the id-kp-eapOverLAN option.

When trying to change my radius cert to be self signed, I get the error that CPPM can't use self signed certs for RADIUS in a cluster.

Is this normal?

CPPM 6.3.3.29992

Regards,

Josh
___________
ACMP, ACCP
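As an added example that is not part of this thread and not Aruba's or ClearPass's own tooling: a small openssl script that requests id-kp-eapOverLAN in a RADIUS server CSR (the attribute the posts above say the internally generated CSR lacked) and checks whether a CSR or an issued cert, such as the Thawte one just mentioned, actually carries it. It assumes openssl 1.1.1 or newer on PATH; the hostname, file names and the self-signed test certs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): request and verify the id-kp-eapOverLAN
# EKU on a RADIUS server CSR/cert with openssl. Assumes openssl >= 1.1.1 (for
# -addext); subject and file names below are constructed placeholders.

EAP_OVER_LAN_OID="1.3.6.1.5.5.7.3.14"   # id-kp-eapOverLAN (RFC 4334)
# OpenSSL has no short name for this OID and prints the dotted form; also
# accept a spelled-out name in case a build does name it.
EKU_PATTERN='1\.3\.6\.1\.5\.5\.7\.3\.14|eap ?over ?lan'

# Print the Extended Key Usage line of a PEM CSR ($1=req) or cert ($1=x509)
# held in file $2; prints nothing when the extension is absent.
eku_of() {
    openssl "$1" -in "$2" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { getline; print; exit }'
}

# Exit 0 when the object's EKU lists eapOverLAN, 1 otherwise.
has_eap_over_lan() {
    eku_of "$1" "$2" | grep -Eiq "$EKU_PATTERN"
}

# Key + CSR that explicitly requests serverAuth and eapOverLAN, so a CA that
# honours requested EKUs issues a cert usable both for TLS and for EAP.
make_radius_csr() {
    cn="$1"; out="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -subj "/CN=$cn" \
        -addext "extendedKeyUsage=serverAuth,$EAP_OVER_LAN_OID" >/dev/null 2>&1
}

# Self-signed cert with a caller-chosen EKU list; stands in for an issued cert
# so the check can be exercised with and without eapOverLAN.
make_test_cert() {
    cn="$1"; out="$2"; eku="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/CN=$cn" -addext "extendedKeyUsage=$eku" >/dev/null 2>&1
}

# Stand-alone usage: sh radius_eku.sh x509 /path/to/radius-cert.pem
if [ $# -eq 2 ]; then
    if has_eap_over_lan "$1" "$2"; then
        echo "$2: has id-kp-eapOverLAN"
    else
        echo "$2: missing id-kp-eapOverLAN"
    fi
fi
```

Run it against the cert CPPM is actually serving for RADIUS; a missing EKU here explains supplicants rejecting the server even though HTTPS works fine with the same CA.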
Guru Elite

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Correct. Clustering requires that all certs be signed by the same CA which is not possible with a self-signed cert.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
