10-11-2019 11:25 AM - edited 10-11-2019 11:27 AM
Single ClearPass Cluster with two PKIs:
- Third-Party PKI for BYOD Devices - Ex:SecureW2 or Ruckus CloudPath
- Microsoft-PKI ADCS for Managed Devices
We're currently looking into adding EAP-TLS to our 802.1x school SSID, which currently utilizes PEAP-MSCHAPv2. During this conversation, some IT groups have shown interest in adding EAP-TLS for managed devices as well through use of Microsoft PKI with ADCS and GPO.
I've been reviewing several posts that suggest keeping the PKIs separate for BYOD and managed devices is ideal and preferable (just add both CAs to the trusted list), while other posts, including the 101 Certificates TechNote, mentioned that only a single 802.1x/RADIUS CA can be specified. I may be wrong on that, or my interpretation isn't the best, so I'm not sure if this is possible. ClearPass administration is a different group, and they seemed to agree that only one could be specified as well.
10-11-2019 12:10 PM
EAP server certs and client identity certs do not need to be issued from the same chain. The supplicant just needs to be properly configured to trust the correct root and CN.
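To see that point in practice, here is an added example (not from the thread and not ClearPass's own configuration): two independent roots, one RADIUS trust list holding both, and a supplicant check that trusts only the root behind the EAP server cert and pins its CN. The CA and host names are constructed placeholders, and the script assumes the openssl CLI is available.

```shell
set -eu
LAB=$(mktemp -d)
cd "$LAB"

# Self-signed root CA. Names are constructed placeholders.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# End-entity cert issued by the named CA: issue_cert <ca> <name> <subject>
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" 2>/dev/null
}

make_ca byod-ca                                      # third-party BYOD PKI
make_ca adcs-ca                                      # Microsoft ADCS PKI
issue_cert adcs-ca radius  "/CN=radius.example.edu"  # EAP server cert
issue_cert byod-ca  student "/CN=student-laptop"     # BYOD client cert
issue_cert adcs-ca  staff   "/CN=staff-laptop"       # managed client cert

# RADIUS side: the trust list simply carries both roots.
cat byod-ca.pem adcs-ca.pem > radius-trust.pem

# Returns 0 when the client cert chains to any root in the RADIUS trust list.
radius_accepts() {
  openssl verify -CAfile radius-trust.pem "$1.pem" >/dev/null 2>&1
}

# Supplicant side: supplicant_accepts <root> <expected-cn>
# Trust only the root that issued the EAP server cert and check its CN.
supplicant_accepts() {
  openssl verify -CAfile "$1.pem" radius.pem >/dev/null 2>&1 || return 1
  openssl x509 -in radius.pem -noout -subject | grep -q "CN *= *$2\$"
}
```

Both client certs pass the RADIUS check even though they come from different chains, while the supplicant check only succeeds with the ADCS root, because that is the chain the server cert was issued from.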