Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Updating Onboard provisioning profiles for existing devices

  • 1.  Updating Onboard provisioning profiles for existing devices

    Posted Mar 02, 2019 04:19 PM

    Hi Airheads,

    I've got a customer using Onboard to enrol devices and push certificates for their corporate WLAN.

    We are adding some new servers to the cluster and need to publish the new server certificate trust to existing devices for the new servers.

    Trying to work out the cleanest way to do this. Was thinking of deleting the devices from Onboard (not revoking) and then setting a role mapping rule to check if Onboard Owner exists, or something along those lines, and if it does not then pushing the redirect to the registration page.

    Struggling to find clear info on what attributes I can call from Onboard Devices Repository to do this.

    Anybody been through this?

    Scott



  • 2.  RE: Updating Onboard provisioning profiles for existing devices

    EMPLOYEE
    Posted Mar 02, 2019 04:44 PM
    All nodes in the cluster should have the same EAP server certificate so you should not need to do anything.


  • 3.  RE: Updating Onboard provisioning profiles for existing devices

    Posted Mar 02, 2019 04:50 PM

    Current customer setup is individual certs for the two existing servers. Two new servers are being built and these have different certs, so I'm kind of forced to update them.



  • 4.  RE: Updating Onboard provisioning profiles for existing devices
    Best Answer

    EMPLOYEE
    Posted Mar 02, 2019 04:53 PM
    This is not recommended. I would highly recommend you take one of the two
    existing certs and use it on the new nodes.


  • 5.  RE: Updating Onboard provisioning profiles for existing devices

    Posted Mar 02, 2019 04:55 PM

    Would certainly be easier than re-enrolling everyone.

    My only concern is confusion later when the certificate hostname is different to the servers that it is installed on.



  • 6.  RE: Updating Onboard provisioning profiles for existing devices

    EMPLOYEE
    Posted Mar 02, 2019 06:50 PM
    The hostname has no relationship to EAP server identity validation.


  • 7.  RE: Updating Onboard provisioning profiles for existing devices
    Best Answer

    EMPLOYEE
    Posted Mar 04, 2019 05:40 AM

    I agree with Tim on this, use the same EAP cert and it is not related to the hostname of the (ClearPass) server, so that is why you can use the same on all servers.

    In case you need to go through a re-onboarding process, one approach that works is to create a new, additional Onboard CA. That allows you to change names, certificate/CA lifetimes and other settings in the same run. Then have that CA issue the new client certificates. If a client authenticates with a certificate issued by the old CA, you can redirect the client into the provisioning process to get a new cert enrolled. If you see the message that the client is already provisioned, you can follow the link which adds something like reprovision=1 to the URL. If you add that in the redirect URL, users will no longer see that page.

    In this way, all users can be provisioned with a new client certificate and Onboard settings.

    Again, probably not needed in your case, but may be useful for others.
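
    The re-onboarding decision described in the post above, modelled as an added example in Go (not code from this thread or from ClearPass itself): a client certificate that does not chain to the new Onboard CA is sent to the provisioning URL with reprovision=1 appended, while a certificate already issued by the new CA gets no redirect. The CA and client certificates are generated in memory for the demo, and the provisioning URL is a constructed placeholder, not a real ClearPass path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

var serial int64 // constructed serial numbers for the demo certificates
// mkCert builds a certificate with the given CN, signed by parent/pkey, or self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ReprovisionURL returns "" when the presented client certificate chains to the current
// Onboard CA (already re-enrolled); otherwise it returns the provisioning URL with
// reprovision=1 added, i.e. the redirect target the enforcement policy would send.
func ReprovisionURL(client, currentCA *x509.Certificate, provURL string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(currentCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err == nil {
		return "", nil // issued by the new CA: nothing to do
	}
	u, err := url.Parse(provURL)
	if err != nil { return "", err }
	q := u.Query()
	q.Set("reprovision", "1") // any existing query parameters are kept
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```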



  • 8.  RE: Updating Onboard provisioning profiles for existing devices

    Posted Mar 04, 2019 04:41 PM

    Thanks Tim & Herman for the suggestions. I'm sold on the single cert idea, just trying to make an existing setup work with as little friction as possible.

    I like your approach, Herman, worth considering if I do end up needing to push. Have settled on using the old cert until it expires and then pushing a new one in 12 months, at which time everyone will have naturally re-enrolled. Pushing the new cert hostname in the Onboard profile now so it's good to go come expiry time.

     

    Scott