Administrator Guide

The Onboard CA issues certificates for several purposes:
• The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  ◦ The identity information in the profile signing certificate is displayed during device provisioning.
• One or more Server Certificates may be issued for various reasons; typically, for an enterprise's
  authentication server.
  ◦ The identity information in the server certificate may be displayed during network authentication.
• One or more Device Certificates may be issued; typically, one or two per provisioned device.
  ◦ The identity information in the device certificate uniquely identifies the device and the user that
    provisioned the device.
You do not need to manually create the profile signing certificate; it is created when it is needed. See
"Configuring Provisioning Settings for iOS and OS X Profiles" on page 221 to control the contents of this
certificate.
You may revoke the profile signing certificate. It will be recreated when it is needed for the next device
provisioning attempt.
Certificate Configuration in a Cluster
When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM
server certificates for the cluster. This allows the "verified" message in iOS and lets you verify that the CPPM
server certificate is valid during EAP-PEAP or EAP-TLS authentication.
In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node.
Each CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default
configuration, these are self-signed certificates—that is, they are not issued by a root CA. This configuration of
multiple self-signed certificates will not work for Onboard: Although a single self-signed certificate can be
trusted, multiple self-signed certificates are not.
There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:
• Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the
  certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the
  cluster, and can perform secure EAP authentication from a provisioned device to any node in the cluster.
• Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at
  the top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard.
  Provisioning and authentication will then work across the entire cluster.
Revoking Unique Device Credentials
Because each provisioned device uses unique credentials to access the network, it is possible to disable
network access for an individual device. This offers a greater degree of control than traditional user-based
authentication: disabling a user's account would impact all devices using those credentials.
To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working
with Certificates in the List" on page 126.
Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not
support this capability.
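The following openssl script is an added example and is not part of the ClearPass guide or the Onboard product; it models, outside CPPM, the two points made in the sections above. First, server certificates for two cluster nodes are requested as CSRs and signed by one common root CA, so both validate against that root, whereas two self-signed node certificates do not form a trust chain. Second, a device's client certificate is revoked at the CA and the published CRL makes it fail validation, which is what stops the device authenticating. The node names, the device certificate name, the validity periods, the working directory and the use of a plain "openssl ca" database in place of the Onboard CA are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ClearPass guide. Models with openssl:
#  (1) every node's server certificate chains to ONE common root CA,
#      while several self-signed certificates do not chain to each other;
#  (2) a device client certificate revoked at the CA fails CRL checking.
# Names, validity periods and the working directory are assumptions.
set -e
WORK="${ONBOARD_DEMO_DIR:-$(mktemp -d)}"
cd "$WORK"

# Stand-in for the Onboard CA: a root key/cert plus the small database
# that 'openssl ca' needs in order to issue, revoke and publish CRLs.
setup_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Onboard Demo Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
  : > index.txt
  echo 01 > serial
  echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/root.crt
private_key      = $dir/root.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
EOF
}

# Create a CSR for NAME (as each CPPM node would) and sign it with the root.
issue_from_root() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -days 90 \
    -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# A self-signed certificate, as a CPPM node has in its default configuration.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Prints "ok" when CERT ($2) chains to the trust anchor ($1), otherwise "fail".
chain_ok() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Publish the CA's current CRL (empty until something has been revoked).
publish_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1; }

# Revoke a certificate at the CA and republish the CRL.
revoke_cert() {
  openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
  publish_crl
}

# Like chain_ok, but also consults the CRL, as an EAP-TLS server would.
crl_ok() {
  out=$(openssl verify -crl_check -CAfile root.crt -CRLfile crl.pem "$1" 2>&1) || true
  case "$out" in *": OK"*) echo ok ;; *) echo fail ;; esac
}

# Cluster trust: two nodes signed by the common root versus two self-signed nodes.
setup_root_ca
issue_from_root node1
issue_from_root node2
make_self_signed solo1
make_self_signed solo2
echo "node1 via common root:   $(chain_ok root.crt node1.crt)"    # ok
echo "node2 via common root:   $(chain_ok root.crt node2.crt)"    # ok
echo "solo2 trusted via solo1: $(chain_ok solo1.crt solo2.crt)"   # fail

# Device credential: valid until its certificate is revoked at the CA.
issue_from_root device-alice-phone
publish_crl
echo "device before revocation: $(crl_ok device-alice-phone.crt)" # ok
revoke_cert device-alice-phone.crt
echo "device after revocation:  $(crl_ok device-alice-phone.crt)" # fail
```

The script leaves its keys, certificates, CRL and CA database in the temporary working directory so they can be inspected (for example with "openssl x509 -in node1.crt -noout -issuer -subject"). Note that revoking one device certificate leaves node1 and node2 unaffected, which is the per-device control the section above describes; a relying party only gets that control if it actually checks revocation, so the CRL (or an OCSP responder) must be reachable by the authentication server.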
Revoking Credentials to Prevent Network Access
Revoking a device's certificate will cause the device to be unable to authenticate. It will not prevent it from being re-
Dell Networking W-ClearPass Guest 6.5.0 | User Guide Onboard | 91