Hi
Self-signed is never recommended; the only case where it can possibly be utilized is in your personal lab with a handful of clients. Anything else should have a signed certificate.
Trying to do 802.1x without managed clients is not the best idea.
The reasons are these:
- You must distribute the trusted root certificate
- You need to get all devices to have this certificate trusted for EAP
- Configure a correct 802.1x authentication profile using the correct authentication method. EAP-TLS is preferred.
- Possibly distribute a client authentication certificate
- EAP-PEAP for authentication with username and password is considered a legacy method and isn't recommended to implement for security reasons.
With unmanaged clients you are at risk of creating a support nightmare.
ClearPass Onboard can be a solution to distribute the needed certificates and 802.1x profiles to different client device types like Windows, Mac OS X, Android and Apple iOS.
ClearPass Onboard requires a separate license, one license per user. One user can have multiple devices onboarded.
I highly recommend contacting an Aruba partner or Aruba SE to get all aspects of your specific environment analysed and to provide the best solution in your case.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
Original Message:
Sent: Jan 14, 2024 11:32 AM
From: dpjw36
Subject: Is it possible to use self-signed cert for Radius authentication using CPPM?
Hi Jonas,
Thanks for your explanation. However, my client is in the education sector. They would require a WiFi solution with Radius authentication. Since we can't distribute the Radius server certificate to non-domain clients (no onboarding), is it recommended to use a self-signed certificate then? Any disadvantages to this?
Original Message:
Sent: Jan 14, 2024 05:06 AM
From: jonas.hammarback
Subject: Is it possible to use self-signed cert for Radius authentication using CPPM?
Hi
If you are referring to a self-signed Radius certificate in ClearPass, yes, it's possible. But definitely not recommended.
That's because all clients must trust the Radius server certificate to be able to authenticate. To be able to trust the certificate it must be installed in the trust list of each client, and when it's time to renew the certificate the procedure must be repeated.
Better to utilize the CA in ClearPass and issue a server certificate and distribute the ClearPass CA certificate to the clients.
If you refer to self signed client certificates, I don't think it's possible to use for client authentication.
------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
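
The renewal behaviour described in the answer above, reproduced with the openssl CLI as an added example that is not part of the thread and is not ClearPass tooling: a renewed self-signed server certificate no longer validates against the copy clients already trust, while a renewed certificate issued by the same CA still validates against the already-distributed CA root. The names lab-ca and radius.example.test and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed names: lab-ca, radius.example.test. Requires the openssl CLI.
d=$(mktemp -d)

# Minimal config so certificates made with "req -x509" are marked as CA-capable.
cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = lab-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# new_self_signed NAME: self-signed RADIUS server certificate $d/NAME.pem
new_self_signed() {
    openssl req -x509 -config "$d/o.cnf" -subj "/CN=radius.example.test" \
        -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

# new_ca: private root CA, written to $d/ca.pem (the file clients would install)
new_ca() {
    openssl req -x509 -config "$d/o.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
}

# issue_server NAME: server certificate $d/NAME.pem signed by the CA
issue_server() {
    openssl req -new -config "$d/o.cnf" -subj "/CN=radius.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/$1.pem" 2>/dev/null
}

# trusted ANCHOR CERT: succeeds if CERT validates against the installed ANCHOR
trusted() { openssl verify -CAfile "$d/$1.pem" "$d/$2.pem" >/dev/null 2>&1; }

new_self_signed ss_old; new_self_signed ss_new       # renewal = a new self-signed cert
new_ca; issue_server srv_old; issue_server srv_new   # renewal under the same CA

for pair in "ss_old ss_old" "ss_old ss_new" "ca srv_old" "ca srv_new"; do
    set -- $pair
    if trusted "$1" "$2"; then r=trusted; else r=REJECTED; fi
    echo "client has $1.pem installed, server presents $2.pem: $r"
done
```
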
Original Message:
Sent: Jan 14, 2024 03:43 AM
From: dpjw36
Subject: Is it possible to use self-signed cert for Radius authentication using CPPM?
Hi, I'm just wondering is it possible to use self-signed certificate for 802.1x authentication using CPPM and wireless controller?