Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wired 802.1X with a Self-Signed Client Auth Certificate

  • 1.  Wired 802.1X with a Self-Signed Client Auth Certificate

    Posted Aug 28, 2019 06:02 AM

    We have a few Konica printers - these all support wired 802.1X and are configured for EAP-TLS but present a self-signed certificate.  We would rather not have to manually install individual certificates from our internal CA on all printers.

     

    We're wanting to auth these via ArubaOS switches (16.08) against a [new] ClearPass 6.8.2 cluster.

     

    Hopefully I'm asking the right question...  Being self-signed, there's no way to put a root cert in the trusted cert store - is there any way to bring these in as unknown endpoints, then accept them and allow them to perform 802.1X rather than falling back to MAC auth?

     

    Thanks.



  • 2.  RE: Wired 802.1X with a Self-Signed Client Auth Certificate

    Posted Aug 28, 2019 06:50 AM

    There should be an option to import root CA cert on the printer.

    ClearPass should have the same root certificate/chain trusted.

     

    Not sure if it is applicable to your printer model, but the following link may help:

    https://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0455.html



  • 3.  RE: Wired 802.1X with a Self-Signed Client Auth Certificate

    Posted Aug 28, 2019 03:22 PM
    Thanks JayBee. I have our root CA and issuing CA in the CPPM trusted store. I have also tried uploading these to the printer but no dice.

    I believe the problem is the self-signed client auth cert that is submitted - as it doesn't come from a chain that CPPM trusts - but I can’t see anywhere to turn this off.

    Thanks,
    Ben.


  • 4.  RE: Wired 802.1X with a Self-Signed Client Auth Certificate
    Best Answer

    EMPLOYEE
    Posted Aug 28, 2019 03:45 PM

    You'd have to import every self-signed certificate into the CPPM trust list.

     

    You're better off using PEAP with a local user account.



  • 5.  RE: Wired 802.1X with a Self-Signed Client Auth Certificate

    Posted Aug 28, 2019 04:11 PM

    Thanks for confirming this Tim, this is what I feared, yet suspected.

     

    Cheers,

    Ben.
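
The trust-list behaviour described in post 4, as an added example that is not part of the original thread: `openssl verify` stands in for the RADIUS server's certificate check (an assumption; this is not ClearPass itself), and the CA and printer names are hypothetical, with throwaway certificates constructed in a temp directory.

```bash
#!/usr/bin/env bash
# Added illustration; every key and certificate here is a throwaway
# constructed in a temp directory. Names are hypothetical.
set -u
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# self_signed <name> <CN>: writes <name>.key and <name>.pem (self-signed).
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.pem" 2>/dev/null
}

# verify_against <trust-file> <cert>: prints "trusted" or "rejected".
verify_against() {
  if openssl verify -CAfile "$demo_dir/$1" "$demo_dir/$2" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

self_signed ca "Example Internal Root CA"   # stands in for the internal root
self_signed printer1 "printer1.example.invalid"
self_signed printer2 "printer2.example.invalid"

# Trust list holding only the internal CA: the printer chains to nothing in it.
echo "CA only, printer1:       $(verify_against ca.pem printer1.pem)"
# Trusting printer1's own cert lets printer1 pass, but not printer2.
echo "printer1 cert, printer1: $(verify_against printer1.pem printer1.pem)"
echo "printer1 cert, printer2: $(verify_against printer1.pem printer2.pem)"
# Only a trust list containing every device certificate accepts them all.
cat "$demo_dir/ca.pem" "$demo_dir/printer1.pem" "$demo_dir/printer2.pem" \
  > "$demo_dir/bundle.pem"
echo "full bundle, printer2:   $(verify_against bundle.pem printer2.pem)"
```

Each self-signed certificate is its own trust anchor, so the trust list grows by one entry per device and has to be updated whenever a printer regenerates its certificate.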