Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP PEAP with Clearpass and CA

  • 1.  EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:01 AM

    Hello everyone.

    I got this client interested in ClearPass, but he does not own a CA.

    I was wondering if anyone has used ClearPass as a CA without Onboard? I mean, he just wants the Policy Manager features... he is not interested in Onboard...

    Would it be more advisable that he get a certificate from Verisign or GoDaddy?

    What would be the best recommendation for this situation?

    Client = has no CA

    He is buying ClearPass but just for the Policy Manager, so he will just have 25 enterprise licenses... which he wants to use for ClearPass Guest.

    I was thinking that it would be easy for him to just buy the certificate from GoDaddy or something like it, but well, I have never used ClearPass as a CA.

    Any advice regarding this?

    Cheers

    Carlos



  • 2.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:03 AM
    Do they want to issue client certs or do you just need the server PEAP
    cert?


    Sent from my BlackBerry Z10


  • 3.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:07 AM

    Just for the PEAP...

    The thing is that I would have to tell them that they need to buy a certificate...

    Actually, I just did a deployment of EAP PEAP some months ago with Windows NPS... now they were looking at what the ClearPass Policy Manager can do and they want it for more granular rules.... and now, well, I was thinking that if I tell them they need to buy another certificate that would not be really nice haha.... that's why I'm asking... but if it's the recommended option for this situation, well, I'll do it.



  • 4.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:12 AM
    If they don't want to buy a publicly signed server cert (which I highly
    recommend they do), you can just create self-signed certs for the ClearPass
    servers. You'll see a server cert option under Certificates and then the
    option to create a self-signed cert.

    In the self-signed scenario, there's no CA needed in the traditional sense
    of the word. The CA in ClearPass is used for issuing client certificates.


    Sent from my BlackBerry Z10


  • 5.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:16 AM

    So I guess that when the user connects for the first time he will just install the trusted root certification authority.... right?



  • 6.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:16 AM

    Why would you highly recommend buying one? Any explanation? I don't know that much about certificates, just the basics...



  • 7.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:21 AM
    A publicly signed certificate sets off much fewer "flags" in the client OS
    when presented to the user because they most likely already have the
    certificate chain installed in their key store.

    In my experience, it's just a better experience for the end user.

    Sent from my BlackBerry Z10


  • 8.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:24 AM

    Do you mean that it might give you issues with some other OS, like for example Apple iOS or Android?

    Have you experienced issues by not using a public certificate in a similar scenario?



  • 9.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:25 AM

    It all comes down to trust when using PEAP.

    Most devices nowadays will ask you if you want to trust a new cert.

    You don't have to have a publicly signed cert in CPPM unless you are concerned about web SSL for onboarding or guest access.

    If you have already deployed NPS with that customer you can still keep that in place and have CPPM be an intermediate and have the NPS sign CPPM's cert.



  • 10.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:31 AM
    With PEAP from the user/device perspective, all the cert is doing is
    telling the client who it is and making sure the client trusts it before
    sending credentials to it.


    Sent from my BlackBerry Z10


  • 11.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:49 AM

    Well, I had my ClearPass with a certificate issued by my company CA (well, my testing ClearPass) and I did a self-signed certificate; it created its own certificate and now I cannot connect to it anymore.. it does not even ask me if I want to add it to my computer, I mean to the trusted root :(



  • 12.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:52 AM

    What type of device are you using?



  • 13.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:54 AM

    I'm using a Windows 7 machine.



  • 14.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:57 AM

    Did you change any of the default settings?

    Microsoft is not the easiest device to use when setting up PEAP. You will have to manually change the setting to not use the machine's credentials, etc.

    If you have an iOS device handy, they are the easiest to use for testing purposes. Also, what errors are you seeing in Access Tracker? Make sure your service is set up correctly.



  • 15.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 01:02 AM

    Hah, you are right... my Android connected right away.....

    So in a client environment which has AD, I would need to instruct the machines to not use their credentials?



  • 16.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 01:06 AM

    Yes,

    Most customers either have a how-to page on setting up the client. You can find a ton of them on the web. Or, if the customer wants to make it easy on the users, they can either use OnBoarding or QuickConnect (it's what OnBoard is built on, but it's a much lower cost, but no certs on the fly).



  • 17.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 01:09 AM

    I'll just tell him to buy a new certificate.

    This seems like a lot of trouble just for that...



  • 18.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 01:11 AM

    It's not the cert that is the issue there. It's the OS's default settings that are the issue. Microsoft is the only OS whose default .1x settings are machine auth.



  • 19.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 01:17 AM

    When you say that the default is machine authentication, do you mean that I manually have to go to the advanced settings of the SSID and specify authentication mode: user authentication? It's just that, well, I still cannot connect my computer... I can connect my Android devices with no issues though.



  • 20.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 01:23 AM

    In each of the clients they will have to change the advanced settings in two places.

    [Attachment: peap.JPG]



  • 21.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 01:33 AM

    Well, I thought that when you said that, but since it is not working yet I thought it was something else :(

    Look:

    [Attachment: cleaarpass1.JPG]

    [Attachment: clearpass2.JPG]

    The default in this last one is "use machine or user authentication"; I changed it to user authentication... but it still does not work...

    Cheers

    Carlos



  • 22.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 01:44 AM

    The other question I got is whether you can use a normal SSL certificate, the ones you use for web servers, for this on ClearPass, for the EAP PEAP authentication? At least it works fine on the NPS... but I don't know on ClearPass...

    Which do you guys buy?

    Do you buy the one that is specifically for wireless? There is one in Verisign, I think, that is specifically for this, but it's expensive...

    Also, at least when you have your own CA, I know that I just need to request a certificate in the server with the machine template and that's it! It works fine in your NPS and your ClearPass.

    Cheers

    Carlos



  • 23.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 01:49 AM

    Try unchecking the validate server cert on your first screenshot.



  • 24.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 01:50 AM

    Also what is access tracker saying?



  • 25.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 02:08 AM

    I actually gave up... as I got other things to test, I just put in the certificate that I requested for the ClearPass...

    But it would be a great help if you could answer the other question I made about the certificates: whether I can use those SSL certificates for web servers on the ClearPass for EAP PEAP..... at least it works on NPS, but what about on ClearPass?

    Cheers

    Carlos



  • 26.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 02:11 AM
    Yes, it does.

    I will let others comment on vendors they use. I need to stay neutral working for Aruba.


  • 27.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 05:52 AM
    A cheap GoDaddy SSL certificate will work fine. Also, if these machines
    are a member of the domain, you can use group policy to automagically
    configure the supplicant and set it to user authentication and select the
    correct trusted CA.


    Sent from my BlackBerry Z10


  • 28.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:27 AM
    It's not really a technical issue, it's a people issue. If your users are
    people who don't read things and just click yes, then you probably won't
    have an issue.

    If you have people that read all of the fine print, then they might be
    confused when the OS says the cert is not signed by a trusted CA.

    Sent from my BlackBerry Z10


  • 29.  RE: EAP PEAP with Clearpass and CA

    EMPLOYEE
    Posted Aug 08, 2013 12:18 AM
    They don't necessarily have to install it, they just need to accept it and
    the trust will be saved in the connection profile.


    Sent from my BlackBerry Z10


  • 30.  RE: EAP PEAP with Clearpass and CA

    Posted Aug 08, 2013 12:52 AM

    If they bought a certificate for the previous NPS install, why not just export the certificate (with private key) and import it into ClearPass? That way, if they have policies (GPO, MDM or otherwise) set up to trust and look for that particular certificate, there would be no changes. iOS is sometimes picky and will notice it is on another server and prompt the user to accept the first time.

    Either way, the choice to buy or use a self-signed certificate for PEAP authentication is up to the customer and what would be acceptable to their users. Despite buying a certificate from a trusted authority, wireless supplicants will usually prompt the user to accept the certificate regardless of whether they have the root CA trusted. Using GPO, MDM, or some other method of specifying the specifics of the wireless profile can alleviate this.

    Lastly, consider the CN/common name of the certificate as it will also be used for ClearPass Guest if you use HTTPS. In this case, using a trusted CA is recommended to alleviate random browsers from prompting users to accept a self-signed certificate.
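The trust decision the replies above keep coming back to (a CA-signed PEAP server certificate versus a self-signed one, a web-server style serverAuth certificate being enough for PEAP, and the server name on the certificate), as an added Go example that is not from the thread, ClearPass or Aruba. The "Corp Root CA", the hostname clearpass.corp.example (placed in both CN and SAN) and all certificates are constructed in memory for the demonstration; a supplicant's "accept anyway" prompt is deliberately not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a certificate for name, signed by parent, or self-signed when
// parent is nil. Constructed test material only, not a ClearPass or CA artefact.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		// serverAuth is the EKU a web-server TLS cert carries, so such a cert also fits the PEAP outer TLS tunnel.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// supplicantTrusts models a supplicant configured to validate the server certificate:
// chain to a root in its store, serverAuth EKU, expected server name. "Accept anyway" is not modelled.
func supplicantTrusts(server *x509.Certificate, roots *x509.CertPool, name string) bool {
	_, err := server.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	ca, caKey := issue("Corp Root CA", true, nil, nil)
	store := x509.NewCertPool() // stands in for the client's trusted-root store
	store.AddCert(ca)
	signed, _ := issue("clearpass.corp.example", false, ca, caKey)
	self, _ := issue("clearpass.corp.example", false, nil, nil)
	fmt.Println(supplicantTrusts(signed, store, "clearpass.corp.example"), supplicantTrusts(self, store, "clearpass.corp.example")) // true false
}
```

A cert bought from a public CA behaves like the CA-signed case because the client's store already holds that root; the self-signed case is exactly what produces the "not signed by a trusted CA" prompt discussed above.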