You won't be affected by your Public CA deprecating the Client Authentication EKU, unless you use their CA to issue client certificates, which would be very rare.
For Onboarding and the 802.1X authentication, the following certificates are relevant:
- HTTPS Server certificate on ClearPass, which is a server certificate, so no need for Client Auth. This certificate is used to secure the web traffic during the onboarding process.
- The Onboard Root CA in ClearPass. This issues client certificates and is out of control/scope of your public certificate provider. This is a private PKI within ClearPass.
- The client certificates, issued by the Onboard CA. These need Client Authentication EKU, but are issued by your/a private PKI so no problem there.
- The EAP Server Certificate on ClearPass, which also is a server certificate. This could be issued by your public CA, but in general with onboarding you would use a private CA/PKI to issue this certificate, as there is no real benefit in using a public certificate and there are some challenges, like validity time getting shorter and shorter under Public Certificate policies.
I would recommend validating this with your HPE Aruba Networking partner, or another expert on this matter, but unless there are very specific circumstances, there is no reason to expect issues from the public CA stopping with the Client Authentication EKU. There is even a good chance that your current certificate(s) don't even have it, as you requested a server certificate. Note that it's an industry-wide move to remove the Client Authentication EKU from public certificates (more specifically, I believe, for CAs that also issue server certificates).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
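The reply above notes that a server certificate may not carry the Client Authentication EKU at all, and that only the client certificates issued by the Onboard CA need it. The following is an added example, not part of the original post, that reads the EKU from a PEM certificate; it assumes the `openssl` CLI (1.1.1 or later), and the function names and the self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate by the Extended Key Usage (EKU) it carries.
# Assumption: the openssl CLI (1.1.1 or later) is on PATH.

# Print the purpose line of the EKU extension, or nothing if the extension is absent.
eku_line() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1
}

# Print one of: server+client, server, client, other, no-eku.
classify_eku() {
    eku=$(eku_line "$1")
    case "$eku" in
        "") echo "no-eku" ;;
        *"Server Authentication"*"Client Authentication"*|*"Client Authentication"*"Server Authentication"*)
            echo "server+client" ;;
        *"Server Authentication"*) echo "server" ;;
        *"Client Authentication"*) echo "client" ;;
        *) echo "other" ;;
    esac
}

# Exit 0 if the certificate carries the EKU its role needs:
#   server = HTTPS or EAP server certificate, client = certificate issued by the Onboard CA.
# A certificate without any EKU is reported as not fitting (a choice made for this example).
fits_role() {
    kind=$(classify_eku "$1")
    case "$2:$kind" in
        server:server|server:server+client) return 0 ;;
        client:client|client:server+client) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: throwaway self-signed certificate with the given EKU list.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=constructed-sample" -days 1 \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/public-style.pem" serverAuth            # server cert without Client Auth
make_sample_cert "$tmp/legacy.pem" serverAuth,clientAuth       # server cert that still has both
make_sample_cert "$tmp/onboard-client.pem" clientAuth          # client cert from a private CA
for f in "$tmp"/*.pem; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify_eku "$f")"
done
```

A server certificate that reports `server` already lacks the Client Authentication EKU, so its removal by a public CA changes nothing for that certificate.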
Original Message:
Sent: Oct 07, 2025 11:45 AM
From: MP89
Subject: ClearPass onboard and Client Authentication function EKU
Yes, we are a University so many of the devices are BYOD. We use an open Wi-Fi SSID to let students onboard their devices and then they connect to the secure network afterwards.
Original Message:
Sent: Oct 07, 2025 11:35 AM
From: chulcher
Subject: ClearPass onboard and Client Authentication function EKU
Are you providing an 802.1X network where unmanaged devices are being allowed to authenticate? For instance, a network where users connect their personal mobile device?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 07, 2025 11:19 AM
From: MP89
Subject: ClearPass onboard and Client Authentication function EKU
This would be the RADIUS/EAP Server Certificate. It's currently a signed cert from the same provider as the HTTPS cert. I'm pretty sure this is not going to be an issue but I figured it wouldn't hurt to ask.