Single ClearPass Cluster - with BYOD on Third Party PKI and Managed on Microsoft PKI

Single ClearPass Cluster with two PKIs:

  • Third-Party PKI for BYOD Devices - Ex: SecureW2 or Ruckus CloudPath
  • Microsoft-PKI ADCS for Managed Devices

We're currently looking into adding EAP-TLS to our 802.1X school SSID, which currently utilizes PEAP-MSCHAPv2. During this conversation, some IT groups have shown interest in adding EAP-TLS for managed devices as well, through use of Microsoft PKI with ADCS and GPO.


I've been reviewing several posts that suggest keeping the PKIs separate for BYOD and managed devices is ideal and preferable (just add both CAs to the trusted list), while other posts, including the 101 Certificates TechNote, mentioned that only a single 802.1X/RADIUS CA can be specified. I may be wrong on that, or my interpretation isn't the best, so I'm not sure if this is possible. ClearPass administration is a different group, and they seemed to agree that only one could be specified as well.

Guru Elite

Re: Single ClearPass Cluster - with BYOD on Third Party PKI and Managed on Microsoft PKI

EAP server certs and client identity certs do not need to be issued from the same chain. The supplicant just needs to be properly configured to trust the correct root and CN.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
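The trust model in the answer above, as an added example that is not from the thread or from ClearPass itself: two constructed roots stand in for the BYOD PKI and the ADCS root, each issues a client identity certificate, and both certificates verify against one trusted list holding both roots while a certificate from a third, untrusted root is rejected. It needs only the `openssl` CLI; every CA and device name is made up.

```shell
#!/bin/sh
# Added demo: one trusted list, two independent issuing PKIs.
# Roots and device names below are constructed for the demo only.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
# make_ca NAME: self-signed root certificate and key (stand-in for a PKI root)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# issue_client CA CN: client identity certificate signed by the named root
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$WORK/ext.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -extensions v3_client -out "$WORK/$2.pem" 2>/dev/null
}
# verify_client BUNDLE CN: exit 0 only if CN's cert chains to a root in BUNDLE
verify_client() {
  openssl verify -CAfile "$WORK/$1" -purpose sslclient "$WORK/$2.pem" >/dev/null 2>&1
}
# run_demo: 0 when certs from both trusted PKIs pass and the untrusted one fails
run_demo() {
  make_ca byod-root && make_ca corp-root && make_ca other-root || return 1
  issue_client byod-root student-phone && issue_client corp-root lab-pc \
    && issue_client other-root stray-device || return 1
  # "Just add both CAs to the trusted list": one bundle, two roots
  cat "$WORK/byod-root.pem" "$WORK/corp-root.pem" >"$WORK/trusted.pem"
  verify_client trusted.pem student-phone && verify_client trusted.pem lab-pc \
    && ! verify_client trusted.pem stray-device
}
run_demo && echo "both PKIs accepted, untrusted root rejected"
```

The same check is what a RADIUS server performs on the client certificate; the supplicant side is the mirror image, trusting only the root (and expected CN) of the EAP server certificate.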

Re: Single ClearPass Cluster - with BYOD on Third Party PKI and Managed on Microsoft PKI

Thanks cappalli. It's starting to make a lot of sense now :-).
