User's Manual

Field: Description

Certificate Authority: (Required) You may select a different certificate authority (CA) if one has been
  created. This drop-down list originally contains a single certificate authority by
  default. If additional certificate authorities are created, they are included in this
  drop-down list (see "Creating a New Certificate Authority" on page 98).

Signer: (Required) Select the source to use for signing TLS client certificates. Options
  include Onboard Certificate Authority and Active Directory Certificate
  Services (ADCS). If Active Directory Certificate Services is chosen, the ADCS URL
  and ADCS Template rows are added to the form. ADCS can only be used with
  certificate-based authentication; it cannot be used with username/password
  authentication.

ADCS URL: (Required) If Active Directory Certificate Services was chosen in the Signer field,
  enter the URL of the ADCS server in the field. This URL should be the Web interface
  for ADCS, and is typically http://<server>/certsrv/.

ADCS Template: (Required) If Active Directory Certificate Services was chosen in the Signer field,
  enter the name of the template to use when requesting the certificate. If the name
  is not known, you can use the default name of "user".

Key Type: (Required) Specifies the type of private key that should be created when issuing a
  new certificate. You can select one of these options:
  - 1024-bit RSA created by server: Lower security.
  - 1024-bit RSA created by device: Lower security. Uses SCEP to provision the
    EAP-TLS certificate.
  - 2048-bit RSA created by server: Recommended for general use.
  - 2048-bit RSA created by device: Recommended for general use. Uses SCEP
    to provision the EAP-TLS certificate.
  - 4096-bit RSA created by server: Higher security.
  - X9.62/SECG curve over a 256 bit prime field - created by server
  - NIST/SECG curve over a 384 bit prime field - created by server
  See Note below this table.

Unique Device Credentials: Includes the username as a prefix in the device's PEAP credentials.

Table 28: Device Provisioning Settings, General Tab, Identity Area
Using a private key containing more bits will increase security, but will also increase the processing time required to
create the certificate and authenticate the device. The additional processing required will also affect the battery life
of a mobile device. It is recommended to use the smallest private key size that is feasible for your organization. The
“created by device” options use SCEP to provision the EAP-TLS device certificate, so the private key is known only to
the device rather than also known by the user. When a “created by device” option is selected, the generated key is
used instead of a username/password authentication defined in Network Settings.
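To put the Key Type options from Table 28 on one scale, the following added example (not part of the manual or of ClearPass) estimates the symmetric-equivalent strength of each key size and finds the RSA modulus size that would match a given curve. It assumes the general number field sieve (GNFS) cost estimate for RSA, with the constants 1.923 and 4.69 belonging to that estimate, and half the field size for a prime-field curve; it does not measure processing time.

```python
import math

# Key sizes offered by the Key Type field in Table 28: (label, algorithm, bits).
KEY_TYPES = [
    ("1024-bit RSA", "rsa", 1024),
    ("2048-bit RSA", "rsa", 2048),
    ("4096-bit RSA", "rsa", 4096),
    ("256-bit prime-field curve", "ec", 256),
    ("384-bit prime-field curve", "ec", 384),
]


def rsa_strength(modulus_bits):
    """Estimated symmetric-equivalent bits for an RSA modulus (GNFS cost; assumed model)."""
    n = modulus_bits * math.log(2)                       # natural log of the modulus
    work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return work / math.log(2)                            # convert natural-log units to bits


def ec_strength(field_bits):
    """Generic discrete-log attacks on a prime-field curve cost about 2^(bits/2)."""
    return field_bits / 2


def rsa_bits_for_strength(target_bits, lo=512, hi=16384):
    """Smallest RSA modulus size whose estimated strength reaches target_bits."""
    while lo < hi:                                       # rsa_strength grows with size
        mid = (lo + hi) // 2
        if rsa_strength(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def report():
    """Return (label, estimated strength in bits) for every option in KEY_TYPES."""
    estimators = {"rsa": rsa_strength, "ec": ec_strength}
    return [(label, round(estimators[alg](bits))) for label, alg, bits in KEY_TYPES]


if __name__ == "__main__":
    for label, bits in report():
        print(f"{label:28s} ~{bits} bits")
    need = rsa_bits_for_strength(ec_strength(384))
    print(f"RSA size matching the 384-bit curve: ~{need} bits")
```

Under this estimate the 384-bit curve is stronger than any RSA size on the list, which matters when weighing the processing cost described in the note above.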
Field: Description

Authorization Method: Authorization method for devices. Options include AppAuth and RADIUS.

Configuration Profile: Configuration profile to provision to devices. All configuration profiles that have
  been created are included in this list. A configuration profile specifies an
  application set, Exchange ActiveSync settings, network settings, passcode policy,
  VPN, and other settings. For more information, see "Onboard Configuration" on
  page 130.

Maximum Devices: Enter a number to limit the maximum number of devices that each user may

Table 29: Device Provisioning Settings, General Tab, Authorization Area
Dell Networking W-ClearPass Guest 6.4 | User Guide Onboard | 171