Occasional Contributor II

Terminating EAP-TLS on ClearPass

Dear Community,

 

1. Is it possible to terminate EAP-TLS based on only the CA certificate, without a connection to the RADIUS/CA server that produced the client certificate?

** If the CA certificate is enough for authentication, how can we update the CPPM on revoked certificates?

2. Can we use ClearPass to create client certificates for the devices?

* It would be nice to get related best practice documents / tutorials.

 

 

Thanks a lot!

Shay

Guru Elite

Re: terminating EAP-TLS on clearpass

1) Yes, but not having revocation checks really defeats the point

2) Yes, the ClearPass Onboard module is for issuing certificates to unmanaged devices.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: terminating EAP-TLS on clearpass

Hi Cappalli,

Thank you for your quick response :)

So is there any way to manually load updates with the revoked certificates?

 

 

Guru Elite

Re: terminating EAP-TLS on clearpass

You need to use your CA's OCSP responder (or you can use the CA's CRL, but OCSP is recommended).

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: terminating EAP-TLS on clearpass

By saying "need to use your CA's OCSP responder":

How can I use it if I can't configure any connectivity to the CA/RADIUS?

Is it possible to use ClearPass as an OCSP responder by manually loading updates from the CA server to the ClearPass server?

 

Guru Elite

Re: terminating EAP-TLS on clearpass

No. ClearPass is an OCSP responder for its own CAs only.

 

ClearPass would need to communicate with your CA's OCSP responder or CRL endpoint.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
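
Added example, not part of the thread and not ClearPass configuration: a throwaway openssl lab showing why the CA certificate alone is not enough. A revoked client certificate still validates against the CA certificate, and is rejected only once the CA's CRL (the alternative to OCSP named in the replies) is available to the verifier. The CA name, client name and file names are assumptions made up for the lab.

```shell
# Constructed lab: a throwaway CA issues a client certificate, revokes it and
# publishes a CRL. "Lab Root CA" and "client1" are made-up names. Needs openssl.

setup_lab() {
  LAB=$(mktemp -d) && cd "$LAB" || return 1   # note: changes the working directory
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = any
[ any ]
commonName = supplied
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Root CA" -keyout ca.key -out ca.pem 2>/dev/null &&
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client1" -keyout client.key -out client.csr 2>/dev/null &&
  openssl ca -batch -config ca.cnf -in client.csr -out client.pem 2>/dev/null &&
  openssl ca -config ca.cnf -revoke client.pem 2>/dev/null &&   # CA-side revocation
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null     # publish the CRL
}

# Trust decision from the CA certificate alone: chain and signature only.
verify_ca_only()  { openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1; }
# Same decision with the CA's CRL supplied and revocation checking enabled.
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl client.pem >/dev/null 2>&1; }

setup_lab || exit 1
verify_ca_only  && echo "CA cert only : revoked client1 is ACCEPTED"
verify_with_crl || echo "CA cert + CRL: revoked client1 is REJECTED"
```

The CRL carries a validity window (`default_crl_days` here), so a copy that is not refreshed from the CA goes stale, which is why the verifier needs ongoing access to the CA's CRL or OCSP endpoint.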