Wired 802.1X with a Self-Signed Client Auth Certificate

We have a few Konica printers - these all support wired 802.1X and are configured for EAP-TLS but present a self-signed certificate. We would rather not have to manually install individual certificates from our internal CA on all printers.

 

We're wanting to auth these via ArubaOS switches (16.08) against a [new] ClearPass 6.8.2 cluster.

 

Hopefully I'm asking the right question...  Being self-signed, there's no way to put a root cert in the trusted cert store - is there any way to bring these in as unknown endpoints, then accept them and allow them to perform 802.1X rather than falling back to MAC auth?

 

Thanks.


Accepted Solutions
Moderator

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

You'd have to import every self-signed certificate into the CPPM trust list.

 

You're better off using PEAP with a local user account.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |
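
An added example, not part of the original thread: a local `openssl` demonstration of why a self-signed client certificate fails chain validation when only the internal CA is trusted, and validates only once that exact certificate is added as a trust anchor. The certificates and names are constructed placeholders, and `openssl verify` stands in for the RADIUS server's chain check as an assumption for illustration; it is not ClearPass's own code.

```shell
#!/usr/bin/env bash
# Added example. All certificates are constructed locally; names are placeholders.

# True if the certificate's issuer and subject are the same name.
is_self_signed() {
    local s i
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# True if certificate $2 validates against the trust bundle $1.
verifies() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo_trust() {
    local d self=no chain=FAIL pinned=FAIL
    d=$(mktemp -d) || return 2

    # Constructed internal root CA (the CA already present in the trust list).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 2

    # Constructed self-signed device certificate (one printer).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=printer-01.example.internal" \
        -keyout "$d/printer.key" -out "$d/printer.pem" 2>/dev/null || return 2

    if is_self_signed "$d/printer.pem"; then self=yes; fi

    # Case 1: only the internal CA is trusted, so no chain can be built.
    if verifies "$d/ca.pem" "$d/printer.pem"; then chain=OK; fi

    # Case 2: the printer's own certificate is added as a trust anchor.
    cat "$d/ca.pem" "$d/printer.pem" > "$d/trust.pem"
    if verifies "$d/trust.pem" "$d/printer.pem"; then pinned=OK; fi

    rm -rf "$d"
    echo "self_signed=$self chain=$chain pinned=$pinned"
}

demo_trust
```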



All Replies

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

There should be an option to import root CA cert on the printer.

ClearPass should have the same root certificate/chain trusted.

 

Not sure if it is applicable to your printer model; the following link may help:

https://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0455.html

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Contributor II

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

Thanks JayBee. I have our root CA and issuing CA in the CPPM trusted store. I have also tried uploading these to the printer but no dice.

I believe the problem is the self-signed client auth cert that is submitted - as it doesn't come from a chain that CPPM trusts - but I can't see anywhere to turn this off.

Thanks,
Ben.
Contributor II

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

Thanks for confirming this Tim, this is what I feared, yet suspected.

 

Cheers,

Ben.
