The minimum you would need:
- The client has a client certificate with the client authentication purpose
- The ClearPass server has a server certificate for server authentication with the server authentication purpose (it can be an SSL cert, quite frankly).
- The ClearPass server has the CA cert for the CA that issues the client certificate imported into the ClearPass Trusted Certificate Authorities list
- The ClearPass server has the CA cert for the CA that issued its own server certificate imported into the ClearPass Trusted Certificate Authorities list
- The client has the CA cert for the CA that issued the ClearPass server's certificate
In ClearPass, if you use the EAP-TLS authentication method with everything unchecked, having the 5 items above in place should work.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides:
https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------
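As an added example that is not part of the reply above: a Go program that builds a small constructed lab PKI and checks the trust relationships the five items describe, using only the standard library. The CA and host names (Lab Client-Issuing CA, Lab Server CA, laptop01.corp.example, clearpass.corp.example) are made up for the example; the point it shows is that the certificate's purpose (EKU) and the CA in each side's trust list are both checked, so a client cert is rejected when offered as a server cert and a server cert is rejected when the client lacks the issuing CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates a certificate whose purpose is the given EKU list; parent == nil means a self-signed root CA.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, // EKU = the "purpose" the thread refers to
	}
	if parent == nil { // root CA: self-signed and allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage, parent, pkey = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// trusted reports whether cert chains to one of the given CAs AND carries the required purpose (what each side verifies).
func trusted(cert *x509.Certificate, purpose x509.ExtKeyUsage, cas ...*x509.Certificate) bool {
	roots := x509.NewCertPool() // models the ClearPass Trusted Certificate Authorities list or the client's store
	for _, ca := range cas {
		roots.AddCert(ca)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{purpose}})
	return err == nil
}
// EAPTLSChecks builds the constructed lab PKI (assumed names) and evaluates the trust relationships from the reply.
func EAPTLSChecks() map[string]bool {
	clientCA, ck := issue("Lab Client-Issuing CA", nil, nil, nil)
	serverCA, sk := issue("Lab Server CA", nil, nil, nil)
	client, _ := issue("laptop01.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, clientCA, ck) // item 1
	server, _ := issue("clearpass.corp.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, serverCA, sk) // item 2
	return map[string]bool{
		"clearpass accepts client cert":      trusted(client, x509.ExtKeyUsageClientAuth, clientCA, serverCA), // items 4+5 in the list
		"client accepts clearpass cert":      trusted(server, x509.ExtKeyUsageServerAuth, serverCA),           // item 6 on the client
		"client cert misused as server cert": trusted(client, x509.ExtKeyUsageServerAuth, clientCA, serverCA), // wrong purpose: false
		"client lacks server CA":             trusted(server, x509.ExtKeyUsageServerAuth, clientCA),           // missing CA: false
	}
}
```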
Original Message:
Sent: Jun 03, 2023 04:48 PM
From: Habtekrn
Subject: ClearPass enterprise SSID with EAP-TLS
We are trying to use PEAP/EAP-TLS authentication for the enterprise SSID. I was suggested by a CP engineer to use EAP/EAP-TLS and push the cert to the server as well as the client devices. He did not give specifications on the type of cert I need. Can we use a self-signed CA cert in a production environment? We have multiple devices that would connect to the enterprise SSID. We intended to push the cert to domain-joined devices using a group policy. Or should we buy a public root CA? Appreciate the help.