Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Deploying additional certificates

  • 1.  Deploying additional certificates

    Posted Jun 09, 2016 04:04 PM

    I am trying to determine if I can do the following using a combination of CPPM, QuickConnect and/or OnBoard.

     

    We need to deploy a number of third-party certificates to devices as part of the onboarding process to a WiFi network. These certificates are needed for our web filtering product to be able to properly decrypt web traffic that uses SSL.

     

    We have used QuickConnect before to enable onboarding and deployment of the certificates that are required for the WiFi SSID itself, but in this case these certificates are for our separate web filtering product (SmoothWALL).



  • 2.  RE: Deploying additional certificates

    EMPLOYEE
    Posted Jun 09, 2016 04:06 PM
    You could add them in as trusted certs, but just be aware that they will be
    added to the trust list for the 802.1X profile.


  • 3.  RE: Deploying additional certificates

    Posted Jun 09, 2016 04:11 PM

    Thanks for your reply - sorry, just to be clear, are you talking about using QuickConnect or using OnBoard?

     

    Also, what is the downside of them being added to the trust list for the 802.1X profile?

     

    We just need a method to "force" the certificate onto BYOD type devices to ensure the web filter decryption works seamlessly. At the moment, without the certificate the end client gets a trust warning, and on a lot of smart phones that effectively makes it look like they have no internet connection, especially to less savvy end users. The devices are not on our domain and also not managed by an MDM, so we are searching for other solutions.



  • 4.  RE: Deploying additional certificates

    EMPLOYEE
    Posted Jun 09, 2016 04:14 PM
    It should work for both. You'll need to test it out though.



    The downside is you're telling the client that the firewall's certificate is
    valid for EAP-based authentication. Not a huge deal, but not ideal either.


  • 5.  RE: Deploying additional certificates

    Posted Jun 09, 2016 04:45 PM

    Ah, OK. I think that is an acceptable downside, based on the fact I can't think of another way of getting around our problem!

     

    I would be interested to know if anyone else has used any part of ClearPass to get around the same type of issue. Publishing certificates to devices that are not on a domain or MDM managed... Cheers.

     

     


