Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - EAP-PEAP, checking devices have the RootCA.

  • 1.  Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 04, 2014 07:19 AM

    Hi,

    I have a customer who wants just a basic EAP-PEAP for their BYOD, and for them it will be simply internet only after authenticating.

    That is simple enough, but the problem is that they have an internal CA, so the devices won't have the RootCA installed.  I don't want devices to uncheck 'validate server certificate', since that is an insecure config.  IT will probably install the RootCA for them, or we'll make it available somewhere for them to do themselves.

    I was wondering if there is some logic in Clearpass that I can build an enforcement rule with to check if the device has installed and is using the RootCA?

    We'll be doing onboarding separately for non-domain devices that need access to the corporate network, so for those it is fine.



  • 2.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 04, 2014 07:30 AM
    No, you can't check if it's there. It's a client-level construct. From the perspective of the server, it doesn't care about the Root CA on the device. It's a client-level check. Sometimes you'll get "unknown CA" as an alert in access tracker which is reported from the client which usually indicates they don't have it or they're configured with the wrong CA.


  • 3.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 04, 2014 09:56 AM

    ok, got it.  I thought as much.

    What about onboarding, but pushing a network config of EAP-PEAP?  Would that push the RootCA to the device during the process?  Would that consume an onboard licence, given a client cert has not actually been generated?

    The only other time I've done this setup, the customer had a public cert, so the trust relationship was already there.



  • 4.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 04, 2014 09:58 AM
    Are you doing single SSID onboarding?


  • 5.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 04, 2014 10:01 AM

    Haven't quite decided on that yet.  It will likely be a separate ssid, or a link on the guest login page.



  • 6.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 04, 2014 10:04 AM
    This is really what QuickConnect is designed for.


  • 7.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 05, 2014 01:45 AM

    ok, that's fair enough.

    Just so I'm clear: when you connect an iOS device to an EAP-PEAP network and the error pops up about the server not being trusted, once you accept it, is the server then trusted?  I mean, if the device goes away and then there is a rogue SSID with a rogue server, will it refuse to connect, or is it a case of the error popping up again?  Sorry, I'm not an Apple person.

    Not sure about Android; at least the versions I've tried just seem to accept any certificate without warning.

    Anyhow, just to explain the implications to the customer and be able to offer Quickconnect if need be.



  • 8.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.
    Best Answer

    EMPLOYEE
    Posted Aug 05, 2014 07:15 AM
    The box that pops up is not an error. It's a normal part of the PEAP process. Certificate trust with PEAP is per connection profile (per SSID). That dialog is simply saying, do you trust this server to send your credentials.

    If you use QuickConnect, the profile is configured/installed in the background so they never see that box.


  • 9.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 06, 2014 03:23 AM

    got it.  Quickconnect sounds like the way forward.

    Thanks



  • 10.  RE: Clearpass - EAP-PEAP, checking devices have the RootCA.

    EMPLOYEE
    Posted Aug 06, 2014 07:26 AM

    ok, so the Quickconnect subscription, is it per user or per device?