Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 802.1x users get certificate warning

  • 1.  Clearpass 802.1x users get certificate warning

    Posted Nov 04, 2019 01:21 PM

    Hi,

    We use Clearpass and Active Directory to authenticate our BYOD users. We purchased an SSL certificate from DigiCert and it's installed on the Clearpass certificate hoping the users' devices would trust the certificate.

     

    But users still have to accept the certificate before they can connect. I suspect something is not set up correctly on my side or maybe I don't have it set up all the way. The certificate, Intermediate, and Root are installed in the Administration -> Certificates -> Certificate Store -> Server certificates section in Clearpass. There is nothing in the "Service and Client certificate" tab. It looks like the root certificate is installed in the "Trust list" section.

     

    Here are the device messages:

    IMG_0341.PNG

    BYOD.jpg

    Screen Shot 2019-11-04 at 9.49.09 AM.png

     



  • 2.  RE: Clearpass 802.1x users get certificate warning

    EMPLOYEE
    Posted Nov 04, 2019 01:34 PM

    This is completely normal. You should not be using tunneled EAP methods without pre-configuring clients. If you're not pre-configuring clients, their credentials are at risk.



  • 3.  RE: Clearpass 802.1x users get certificate warning

    Posted Nov 04, 2019 01:37 PM

    Hi Tim,

    Can you expand on your answer? What is the preferred way to set up BYOD users?



  • 4.  RE: Clearpass 802.1x users get certificate warning
    Best Answer

    EMPLOYEE
    Posted Nov 04, 2019 01:54 PM

    Ideally, you'd want to be using EAP-TLS. If that's not possible, you'd need to push users through some sort of configuration wizard to properly configure their supplicant (Aruba offers a tool called QuickConnect and there are others out there as well, but if you're going to push the user through a wizard, you might as well just use EAP-TLS). Also keep in mind that using a supplicant provisioning tool doesn't prevent a user from manually connecting and putting their credentials at risk.

     

    So you're really left with EAP-TLS as the only realistic option. If you're not concerned about credential security for students, you could always leave them with the current deployment, but I'd highly recommend you use a secure method for faculty/staff who generally have more privileged access.



  • 5.  RE: Clearpass 802.1x users get certificate warning

    Posted Nov 04, 2019 02:37 PM

    Ok thanks. BYOD is considered Public and has very little access. We use a PKI and EAP-TLS for faculty Wi-Fi.

     

    So there's no way to stop those notices? On iOS it looks like it's "Not Trusted."



  • 6.  RE: Clearpass 802.1x users get certificate warning

    EMPLOYEE
    Posted Nov 04, 2019 03:00 PM

    No, because it's not trusted. There is no security association between an ESSID and a server certificate. The message is asking the user to confirm they want to send their credentials to the server. Completely normal.
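
An added example, not part of the thread: what "pre-configuring clients" means in practice for a tunneled EAP method, shown as a small audit of client profiles that flags PEAP/TTLS networks with no trusted CA or no server name check. It assumes Linux clients using wpa_supplicant (the thread names no supplicant); the SSIDs, CA path and server name are constructed placeholders.

```python
import re

TUNNELED = {"PEAP", "TTLS"}  # password travels inside a TLS tunnel to the server
CHECKS = {  # server-validation settings a tunneled-EAP profile should carry
    "trusted CA": ("ca_cert", "ca_path"),
    "server name match": ("domain_suffix_match", "domain_match", "altsubject_match"),
}

# Constructed sample: SSIDs, CA path and server name are placeholders.
SAMPLE_CONF = '''
network={
    ssid="BYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="BYOD-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-root-ca.pem"
    domain_suffix_match="radius.example.edu"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", text, re.S):
        net = {}
        for line in map(str.strip, body.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit(text):
    """Map each tunneled-EAP SSID to the server-validation settings it lacks."""
    findings = {}
    for net in parse_networks(text):
        if not TUNNELED & set(net.get("eap", "").upper().split()):
            continue  # not a tunneled password method, nothing to check here
        missing = [label for label, keys in CHECKS.items()
                   if not any(k in net for k in keys)]
        if missing:
            findings[net.get("ssid", "?")] = missing
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Both settings matter with a public CA: trusting the root alone would accept any server certificate that CA has issued, so the profile also has to pin the expected server name.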