Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Terminating EAP-TLS on ClearPass

  • 1.  Terminating EAP-TLS on ClearPass

    Posted Sep 05, 2017 01:30 PM

    Dear Community,

    1. Is it possible to terminate EAP-TLS based on only the CA certificate, without a connection to the RADIUS/CA server that produced the client certificate?

    ** If the CA certificate is enough for authentication, how can we update the CPPM on revoked certificates?

    2. Can we use ClearPass to create client certificates for the devices?

    * It would be nice to get related best-practice documents / tutorials.

    Thanks a lot!

    Shay



  • 2.  RE: Terminating EAP-TLS on ClearPass
    Best Answer

    EMPLOYEE
    Posted Sep 05, 2017 01:33 PM
    1) Yes, but not having revocation checks really defeats the point.

    2) Yes, the ClearPass Onboard module is for issuing certificates to unmanaged devices.


  • 3.  RE: Terminating EAP-TLS on ClearPass

    Posted Sep 05, 2017 01:41 PM

    Hi Cappalli,

    Thank you for your quick response :)

    So is there any way to manually load updates with the revoked certificates?



  • 4.  RE: Terminating EAP-TLS on ClearPass

    EMPLOYEE
    Posted Sep 05, 2017 01:44 PM
    You need to use your CA's OCSP responder (or you can use the CA's CRL, but OCSP is recommended).


  • 5.  RE: Terminating EAP-TLS on ClearPass

    Posted Sep 05, 2017 02:12 PM

    By saying "need to use your CA's OCSP responder":

    How can I use it if I can't configure any connectivity to the CA/RADIUS?

    Is it possible to use ClearPass as an OCSP responder by manually loading updates from the CA server to the ClearPass server?



  • 6.  RE: Terminating EAP-TLS on ClearPass
    Best Answer

    EMPLOYEE
    Posted Sep 05, 2017 02:24 PM

    No. ClearPass is an OCSP responder for its own CAs only.

    ClearPass would need to communicate with your CA's OCSP responder or CRL endpoint.



  • 7.  RE: Terminating EAP-TLS on ClearPass

    Posted Jan 15, 2019 07:33 PM
    Tim, if I go to Administration --> Certificates --> Revocation Lists and add the distribution URL of my CA for CRLs and check "update whenever CRL is updated", that should be good too, yes? I guess, other than OCSP, it's only as good as how often that CRL file gets updated on that web server, yes? Why would OCSP be recommended above that? Also, do you have any OCSP AD/ClearPass app notes?
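The point made in replies 2, 4 and 6 (a CA certificate alone never tells you a certificate was revoked) and the CRL freshness question in the last post, shown with a throwaway OpenSSL CA as an added example that is not part of the thread and is not ClearPass code. It assumes only a working `openssl` command; the CA name, the `laptop-01` client and all file names are made up for the demo.

```shell
# Added demo (not ClearPass code): issue one EAP-TLS style client cert, revoke it,
# then compare a CA-only check with a CRL-backed check. Assumes `openssl` exists.
set -eu
cd "$(mktemp -d)"
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = any
x509_extensions = client_ext
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ client_ext ]
extendedKeyUsage = clientAuth
EOF
build_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=Demo Root CA" -config ca.cnf
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=laptop-01" -config ca.cnf
  openssl ca -batch -config ca.cnf -in client.csr -out client.pem -notext 2>/dev/null
  # The device is lost or decommissioned: revoke it and publish a CRL valid for one day
  openssl ca -batch -config ca.cnf -revoke client.pem 2>/dev/null
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null
}
# 1) CA certificate only (question 1 in the thread): the revoked cert still validates
verify_ca_only()  { openssl verify -CAfile ca.pem client.pem; }
# 2) Revocation checking with the CRL loaded: rejected with "certificate revoked"
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem client.pem; }
# 3) Revocation checking enabled but no CRL reachable: the check fails closed
verify_no_crl()   { openssl verify -crl_check -CAfile ca.pem client.pem; }
build_demo_pki
verify_ca_only  && echo "CA-only check accepted a revoked certificate"
verify_with_crl || echo "CRL check rejected it (as it should)"
verify_no_crl   || echo "CRL check with no CRL available fails closed"
openssl crl -in crl.pem -noout -lastupdate -nextupdate   # the window a verifier will trust
```

The last line prints the CRL's validity window; once `nextUpdate` passes, a verifier that still has only the old file rejects the chain as well, which is why the CRL fetch schedule matters and why a live OCSP responder is the preferred source.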