Network Management

We are trying to use Peap/ Eap-Tls authentication for the enterprise ssid. I was sugested by a CP engineer to use eap/ Eap-Tls and push the cert to the serverer as well as the client devices. He did not give specification on the type of cert I need. Can we use a self signed CA cert on a production environment? We have multiple devices that would connect to the enterprise Ssid. We intended to push the cert on domain joined devices using a group policy. Or should we buy a public root CA? Appreciate the help. 

Take a look at the Certificates 101 Tech Note its a little dated but still perfectly valid for an EAP-TLS deployment. Generally, if you have control over the devices (such as corporate devices) then an internal CA/PKI is perfectly valid.

Original Message:
Sent: Jun 03, 2023 04:48 PM
From: Habtekrn
Subject: Clearpass enterprise Ssid with Eap-Tls

We are trying to use Peap/ Eap-Tls authentication for the enterprise ssid. I was sugested by a CP engineer to use eap/ Eap-Tls and push the cert to the serverer as well as the client devices. He did not give specification on the type of cert I need. Can we use a self signed CA cert on a production environment? We have multiple devices that would connect to the enterprise Ssid. We intended to push the cert on domain joined devices using a group policy. Or should we buy a public root CA? Appreciate the help. 

The minimum you would need:

• The client has a client certificate with the client authentication purpose
• The ClearPass server has a server certificate for server authentication with the server authentication purpose (it can be an SSL cert, quite frankly).
• The Clearpass Server has the CA cert for the CA that issues the client certificate imported in the ClearPass Trusted Certificate Authorities list
• The Clearpass Server has the CA cert for the CA that issued its own server certificate imported into the ClearPass Trusted Certificate Authorities list
• The Client has the CA cert for the CA that issues the ClearPass certificate's server certificate

In Clearpass if you use the EAP-TLS authentication method with everything unchecked, the 5 items in place on top should work.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Jun 03, 2023 04:48 PM
From: Habtekrn
Subject: Clearpass enterprise Ssid with Eap-Tls

We are trying to use Peap/ Eap-Tls authentication for the enterprise ssid. I was sugested by a CP engineer to use eap/ Eap-Tls and push the cert to the serverer as well as the client devices. He did not give specification on the type of cert I need. Can we use a self signed CA cert on a production environment? We have multiple devices that would connect to the enterprise Ssid. We intended to push the cert on domain joined devices using a group policy. Or should we buy a public root CA? Appreciate the help.