Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Really basic on boarding question about the apple trusted certs

  • 1.  Really basic on boarding question about the apple trusted certs

    Posted Dec 20, 2013 05:34 AM

    Guys,

    I am very sorry to ask this question, but I cannot seem to get clarity on this from what I have read.

    In order to onboard Apple devices, are we saying that I need to have my CA (i.e. ClearPass) in the chain of trust to a public CA? Also, I mean if I was a public CA (such as Verisign) I would be very hesitant to provide a certificate for a subordinate CA I did not manage, as effectively you can issue as many certs as you like and there would be no profit for me?

    So my captive portal needs a cert signed by a well-known CA

    http://support.apple.com/kb/ht5012

    But when I issue a certificate for the TLS part of dot1x? Can this just come from CPPM as a standalone and it issues a PKCS12 or something as part of the onboarding workflow?

    I guess I am missing something somewhere. Any help greatly appreciated.

    thanks



  • 2.  RE: Really basic on boarding question about the apple trusted certs

    EMPLOYEE
    Posted Dec 20, 2013 08:02 AM

    As part of the onboarding process, we also send down the trusted server cert (including trust chain if available) to the device. Then, when authenticating with TLS, the client will trust the authenticator. With this scenario, you can provide onboarding services for your endpoints contained entirely within ClearPass.

    I believe the question or confusion is around redirecting to an HTTPS page. In this instance, the iOS device likes the server cert to be signed by a trusted CA (like Verisign). If not, you will get a popup that will ask you to continue since the device doesn't trust the server cert being presented.



  • 3.  RE: Really basic on boarding question about the apple trusted certs

    Posted Dec 20, 2013 08:08 AM

    Seth,

    I really appreciate the response. So would I be right in saying

    • The web cert needs to be trusted by a public CA trusted by Apple
    • The EAP-TLS client authentication certificate can be issued (or signed) from a local standalone CPPM CA used in RADIUS?

    thanks very much



  • 4.  RE: Really basic on boarding question about the apple trusted certs

    EMPLOYEE
    Posted Dec 20, 2013 08:24 AM

    Yes...that's correct.  In addition, our next release will further improve this flexibility.
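
The two trust paths discussed in this thread, reproduced with `openssl` as an added example (not part of the original posts and not ClearPass's own code): a server certificate from a private CA is rejected by a client that holds only its built-in roots, and accepted once that CA has been installed as a trust anchor, which is what the onboarding step does. All CA names, host names and files are constructed stand-ins.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; every name and file below is invented for this demo.
set -eu

make_ca() {        # $1 = output prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_server() {   # $1 = CA prefix, $2 = output prefix, $3 = server common name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.pem" 2>/dev/null
}

# Does a client holding only the anchors in $1 accept the certificate in $2?
# -no-CApath keeps the host's own trust store out of the decision.
client_trusts() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/builtin" "Stand-in Public Root"   # what the device ships with
  make_ca "$d/onboard" "Stand-in Onboard CA"    # private CA, unknown to the device
  issue_server "$d/onboard" "$d/radius" "radius.example.test"

  # Before onboarding: only built-in roots, so the private-CA cert is rejected.
  if client_trusts "$d/builtin.pem" "$d/radius.pem"; then before=trusted; else before=untrusted; fi

  # Onboarding installs the private CA as an extra anchor on the device.
  cat "$d/builtin.pem" "$d/onboard.pem" > "$d/after.pem"
  if client_trusts "$d/after.pem" "$d/radius.pem"; then after=trusted; else after=untrusted; fi

  rm -rf "$d"
  echo "before=$before after=$after"
}

demo
```

The "before" case corresponds to the captive portal page, which is presented before any private anchor has been delivered, so only a certificate chaining to a root already on the device avoids the warning.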