Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Exporting OnBoard certificates

  • 1.  Exporting OnBoard certificates

    Posted May 03, 2023 06:36 AM

    I have a fleet of Ubuntu desktops that have been added to the network via the CPPM OnBoard process. I find that the certificate issued by ClearPass to the Ubuntu desktop can be exported and imported to another Ubuntu desktop. Is there any way we can make the certificate unexportable? Also we can integrate the onboard certificate and see the private key. Can this be stopped?



    ------------------------------
    Con
    Stathis
    ------------------------------


  • 2.  RE: Exporting OnBoard certificates

    EMPLOYEE
    Posted May 05, 2023 06:11 AM

    Don't think that is possible if users have root access. If you can store the certificate in a TPM or smart card, then it may be possible, but unsure if that's possible with Ubuntu.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Exporting OnBoard certificates

    Posted May 10, 2023 06:20 AM
    Hi Herman,
    Thank you for your answer. It aligns with my discovery to date.
    The next question is "can CPPM make the cert unexportable?" - after all, it is the issuing CA in this scenario.

    Kind Regards,
    Con Stathis
    Director 
    ENACOM
    +61 427 709 101






  • 4.  RE: Exporting OnBoard certificates

    EMPLOYEE
    Posted May 12, 2023 05:23 AM

    I don't think that works in Ubuntu like that, as I don't think there is a certificate store like in Windows/Mac, but not an expert on this one.

    You may ask Aruba Support if they know if it's possible, although I have not seen a configuration option for it. I would think having the certificate non-exportable for any platform that supports it would be the preferred way.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Exporting OnBoard certificates

    Posted May 12, 2023 05:28 AM

    Thanks Herman,

    I'll take it up with TAC.  Agreed, it would be nice to have the certificate non-exportable for all platforms that support it.

     

    Kind Regards

    Con Stathis

    Director

    Mobile:    +61 427 709 101

    eMail:    cstathis@enacom.com.au
