Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Authentication against multiple domains

  • 1.  EAP-TLS Authentication against multiple domains

    Posted May 30, 2016 09:41 AM

    Hi folks,

    I'm working with a customer at the moment who is merging two separate networks with separate Active Directory infrastructures and legacy Aruba networks. We are deploying a new centralised infrastructure with CPPM for authentication. However both AD domains are remaining separate with no trust relationship configured, and completely separate PKIs. At the moment, clients in both networks are using EAP-TLS with certificate auto-enrollment configured. Moving forward, we would like to continue with EAP-TLS if possible, but EAP-PEAP is a fallback option.

    The obvious solution is to push out the self-signed CPPM server cert to all the clients and use EAP-PEAP. Is there a relatively straightforward way of setting this up which would still allow us to use EAP-TLS and certificate auto-enrollment? Could CPPM be the root CA, trusted by the PKI in each domain, for example?



  • 2.  RE: EAP-TLS Authentication against multiple domains

    EMPLOYEE
    Posted May 30, 2016 09:51 AM

    I would first read Danny Jump's Certificates 101 on the page here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx

    Here is what needs to happen on a basic level:

    - CPPM needs to have the CA certificates that issued EAP-TLS certificates for both domains in its trusted cert list

    - You probably need to turn off OCSP in your EAP-TLS authentication method in ClearPass, unless the OCSP URL is properly embedded in both certificates and those servers are reachable by CPPM.

    - Client devices in both domains need to have the CPPM server certificate in their trust list.


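The three requirements in the reply above (and restated in the next one) can be checked with plain openssl before touching CPPM. The script below is an added example, not part of the thread and not HPE Aruba code: it builds two constructed, unrelated root CAs standing in for the two domains' PKIs, issues an auto-enrollment-style client certificate from each (one with an OCSP responder URL in its AIA extension, one without), concatenates both roots into one file the way CPPM's trusted-certificate list holds both issuers, and then runs the same chain check CPPM performs during EAP-TLS. All names, the `.example` OCSP URL and the temporary directory are assumptions for the demo; it needs OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): two independent PKIs, one CPPM trust list.
# Domain A and domain B each have their own self-signed root; a client cert from
# either domain must chain to a root that CPPM trusts. Everything here is constructed.
set -eu

WORK="$(mktemp -d)"

# Minimal req config so the demo does not depend on the system openssl.cnf.
# ca_ext marks the generated self-signed cert as a CA (needed for chain building).
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca DOMAIN : constructed self-signed root CA for one domain's PKI.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1 Root CA" -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue_client DOMAIN USER OCSP_URL : client-auth certificate signed by DOMAIN's root.
# OCSP_URL is placed in the AIA extension; pass "" to issue a cert with no OCSP URL.
issue_client() {
  domain="$1"; user="$2"; ocsp="$3"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$user" -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
  ext="$WORK/$user.ext"
  printf 'extendedKeyUsage = clientAuth\n' > "$ext"
  if [ -n "$ocsp" ]; then
    printf 'authorityInfoAccess = OCSP;URI:%s\n' "$ocsp" >> "$ext"
  fi
  openssl x509 -req -in "$WORK/$user.csr" -days 30 -sha256 \
    -CA "$WORK/$domain-ca.crt" -CAkey "$WORK/$domain-ca.key" -CAcreateserial \
    -extfile "$ext" -out "$WORK/$user.crt" 2>/dev/null
}

# verify_client CERT BUNDLE : succeeds only if CERT chains to a root in BUNDLE.
# This is the check CPPM's trusted-certificate list performs for an EAP-TLS client.
verify_client() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ocsp_uri CERT : prints the OCSP responder URL embedded in CERT's AIA (empty if none).
# A cert with no URL here, or a URL CPPM cannot reach, means OCSP must be turned off
# in the EAP-TLS method or that client's authentication fails.
ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Build both PKIs and the combined trust list (what CPPM's trust list must contain).
make_ca A
make_ca B
issue_client A alice "http://ocsp.domain-a.example"   # AIA with OCSP URL present
issue_client B bob ""                                  # no AIA: OCSP cannot be used
cat "$WORK/A-ca.crt" "$WORK/B-ca.crt" > "$WORK/cppm-trust.pem"

# Report each client against its own root, the other domain's root, and the combined list.
for user in alice bob; do
  for bundle in A-ca.crt B-ca.crt cppm-trust.pem; do
    if verify_client "$WORK/$user.crt" "$WORK/$bundle"; then r=OK; else r=FAIL; fi
    echo "$user vs $bundle: $r"
  done
  echo "$user OCSP URL: '$(ocsp_uri "$WORK/$user.crt")'"
done
```

Running it shows alice passing only against the A root and the combined list, bob only against the B root and the combined list, and an empty OCSP URL for bob, which is exactly the case where OCSP has to be disabled in the EAP-TLS method. The same two functions can be pointed at a real client certificate exported from each domain and at the CA bundle you intend to load into CPPM's trust list, before the cutover rather than after a failed authentication.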

  • 3.  RE: EAP-TLS Authentication against multiple domains

    EMPLOYEE
    Posted May 30, 2016 09:53 AM

    EDIT: CPPM does not need to be the root CA of both domains; it just needs to have the CA of each domain in CPPM's trusted server list, and the clients need to have CPPM's server certificate in their trust list. You should be able to do EAP-TLS for both domains using CPPM via that strategy.



  • 4.  RE: EAP-TLS Authentication against multiple domains

    Posted May 30, 2016 10:11 AM

    Thanks Colin - I'll have another read through the Certificates 101 guide and see what we can do.