Occasional Contributor II

Wired 802.1X with a Self-Signed Client Auth Certificate

We have a few Konica printers - these all support wired 802.1X and are configured for EAP-TLS but present a self-signed certificate. We would rather not have to manually install individual certificates from our internal CA on all printers.


We're wanting to auth these via ArubaOS switches (16.08) against a [new] ClearPass 6.8.2 cluster.

 

Hopefully I'm asking the right question...  Being self-signed, there's no way to put a root cert in the trusted cert store - is there any way to bring these in as unknown endpoints, then accept them and allow them to perform 802.1X rather than falling back to MAC auth?

 

Thanks.

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

There should be an option to import root CA cert on the printer.

ClearPass should have the same root certificate/chain trusted.

Not sure if it is applicable to your printer model, but the following link may help:

https://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0455.html

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | CWNA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Occasional Contributor II

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

Thanks JayBee. I have our root CA and issuing CA in the CPPM trusted store. I have also tried uploading these to the printer but no dice.

I believe the problem is the self-signed client auth cert that is submitted - as it doesn't come from a chain that CPPM trusts - but I can't see anywhere to turn this off.

Thanks,
Ben.
Guru Elite

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

You'd have to import every self-signed certificate into the CPPM trust list.

 

You're better off using PEAP with a local user account.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
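
Added example, not part of the thread or of any poster's reply: a shell lab that uses `openssl verify` as a stand-in for the RADIUS server's chain check. It shows a self-signed printer certificate being rejected when only the internal CA is trusted, and validating only once that exact certificate is itself a trust anchor. All names, subjects and files are constructed, and ClearPass itself is not involved.

```shell
#!/bin/sh
# Constructed lab: every name, subject and file here is made up for illustration.
LAB=$(mktemp -d)

# Create an internal root CA, a self-signed printer cert, and a CA-issued printer cert.
make_lab() {
    # Stand-in for the internal root CA already in the RADIUS server's trust list.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
    # printer-01: self-signed, the way a device generates its own certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=printer-01.example.test" \
        -keyout "$LAB/p1.key" -out "$LAB/p1.pem" 2>/dev/null
    # printer-02: key and CSR from the device, certificate issued by the internal CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=printer-02.example.test" \
        -keyout "$LAB/p2.key" -out "$LAB/p2.csr" 2>/dev/null
    openssl x509 -req -in "$LAB/p2.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
        -CAcreateserial -days 1 -out "$LAB/p2.pem" 2>/dev/null
}

# is_self_signed CERT: succeeds when subject and issuer names match (name check only).
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# chains_to ANCHORS CERT: succeeds when CERT validates against the anchors in ANCHORS.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_lab
for c in p1 p2; do
    if is_self_signed "$LAB/$c.pem"; then kind="self-signed"; else kind="CA-issued"; fi
    if chains_to "$LAB/ca.pem" "$LAB/$c.pem"; then res="accepted"; else res="rejected"; fi
    echo "$c ($kind): $res with only the internal CA trusted"
done
# Trusting printer-01's own certificate is the only anchor that validates it.
if chains_to "$LAB/p1.pem" "$LAB/p1.pem"; then
    echo "p1: accepted once its own certificate is a trust anchor"
fi
```
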
Occasional Contributor II

Re: Wired 802.1X with a Self-Signed Client Auth Certificate

Thanks for confirming this Tim, this is what I feared, yet suspected.

 

Cheers,

Ben.
