Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard + Android 11 up & certificate validation

  • 1.  Onboard + Android 11 up & certificate validation

    Posted Nov 03, 2021 09:11 AM
    Hi all, 

    I'm trying to deploy Onboard to circumvent the new requirement for Android (11 up versions) devices in regards to certificate validation. These devices are employees' own and will be connecting to an internal corp SSID (not Guest).

    Question - does the ClearPass CSR have to be signed by a pub CA, or can it be internal? I'm thinking it has to be public since Android devices will not trust our internal cert. I would like some validation before moving forward.

    Also, I'm curious what you folks are doing in regards to this?

    Cheers,
    MG

    ------------------------------
    Mauricio Guzman
    ------------------------------


  • 2.  RE: Onboard + Android 11 up & certificate validation

    Posted Nov 03, 2021 10:36 AM
    Your EAP server certificate should always be issued from a PKI your organization controls.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Onboard + Android 11 up & certificate validation

    Posted Nov 04, 2021 06:19 AM
    In addition to the advice to use an internal CA for the RADIUS EAP certificate, you should use EAP-TLS with client certificates and use some kind of provisioning tooling like an MDM or ClearPass Onboard to get your root CA pushed to the clients, and get the clients securely configured.

    Starting with Android 11, Google is enforcing secure connections (which is good) and that requires the certificates to be in place, and that is unfortunately not so simple to do. But at least it prevents end-users from configuring 'Do not validate certificate' and creating an insecure setup.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
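
What replies 2 and 3 describe, as an added lab example (not code from the thread, ClearPass, or Aruba): an internal root CA signs the RADIUS EAP server CSR, and validation succeeds only on a client that holds that root. All names, such as `radius.corp.example`, and all paths are constructed placeholders; the server-name check is an assumption about the client profile, and the script needs the `openssl` CLI.

```bash
# Added lab example. Every name and path below is a constructed placeholder.
WORK="$(mktemp -d)"
SERVER_NAME="radius.corp.example"

make_pki() {
  # Internal root CA: the certificate Onboard or the MDM has to push to clients.
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=Example Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null || return 1
  # Key and CSR for the RADIUS/EAP server (stands in for the policy server's CSR).
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=$SERVER_NAME" \
    -keyout "$WORK/radius.key" -out "$WORK/radius.csr" 2>/dev/null || return 1
  # Sign the CSR with the internal root: server-auth EKU plus a DNS SAN to match on.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$SERVER_NAME" > "$WORK/eap.ext"
  openssl x509 -req -in "$WORK/radius.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/eap.ext" -out "$WORK/radius.pem" 2>/dev/null
}

# Client that holds the internal root and expects a specific server name ($1).
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" -purpose sslserver \
    -verify_hostname "$1" "$WORK/radius.pem" >/dev/null 2>&1
}

# Client that never received the root: only the system trust store is consulted.
verify_without_root() {
  openssl verify -purpose sslserver "$WORK/radius.pem" >/dev/null 2>&1
}

make_pki || { echo "openssl failed" >&2; exit 1; }
verify_with_root "$SERVER_NAME"  && echo "root provisioned, name matches: trusted"
verify_without_root              || echo "root not provisioned: rejected"
verify_with_root "rogue.example" || echo "root provisioned, wrong server name: rejected"
```
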



  • 4.  RE: Onboard + Android 11 up & certificate validation

    Posted Feb 15, 2022 09:31 AM
    Hi Herman, this is great information, I have watched a few of your videos also. A little confused about Onboard. If I have Android 11+ and I am using ClearPass Onboard, I will still have to initially go through accepting the private certificate. How will that work? Wouldn't I run into the same issue?

    ------------------------------
    Mohammad Ali
    ------------------------------



  • 5.  RE: Onboard + Android 11 up & certificate validation

    Posted 20 days ago

    Hi Mohammad, did you ever get this working?