Community Home > Discuss > Technology > Security > Re: Wired 802.1X with a Self-Signed Client Auth Ce...

Security

Reply
nz_nut
Occasional Contributor II
nz_nut

Wired 802.1X with a Self-Signed Client Auth Certificate

‎08-28-2019 03:02 AM

We have a few Konica printers - these all support wired 802.1X and are configured for EAP TLS but present a self-signed certificate.  We would rather than have to manually install individual certificates from our internal CA on all printers.

 

We're wanting to auth these via ArubaOS switches (16.08) against a [new] ClearPass 6.8.2 cluster.

 

Hopefully I'm asking the right question...  Being self-signed, there's no way to put a root cert in the trusted cert store - is there any way to bring these in as unknown endpoints, then accept them and allow them to perform 802.1X rather than falling back to MAC auth?

 

Thanks.

Alert a Moderator
Message 1 of 5
619 Views
Reply
0 Kudos
MVP
MVP
Jibran.Aziz

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

‎08-28-2019 03:49 AM

There should be an option to import root CA cert on the printer.

ClearPass should have the same root certificate/chain trusted.

 

Not sure if it it applicable to your printer model, following link may help:

https://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0455.html

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Alert a Moderator
Message 2 of 5
604 Views
Reply
0 Kudos
Highlighted
nz_nut
Occasional Contributor II
nz_nut

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

‎08-28-2019 12:21 PM

Thanks JayBee. I have our root CA and issuing CA in the CPPM trusted store. I have also tried uploading these to the printer but no dice.

I believe the problem is the self signed client auth cert that is submitted - as it doesnt come from a chain that CPPM trusts - but I can’t see anywhere to turn this off.

Thanks,
Ben.
Alert a Moderator
Message 3 of 5
566 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

‎08-28-2019 12:45 PM - edited ‎08-28-2019 12:46 PM

You'd have to import every self-signed certificate into the CPPM trust list.

 

You're better off using PEAP with a local user account.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 4 of 5
562 Views
Reply
0 Kudos
nz_nut
Occasional Contributor II
nz_nut

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

‎08-28-2019 01:10 PM

Thanks for confirming this Tim, this is what I feared, yet suspected.

 

Cheers,

Ben.

Alert a Moderator
Message 5 of 5
554 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2019 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium