Deployment Guide

74 | Onboard Dell Networking W-ClearPass Guest 6.1 | Deployment Guide
- The Profile Signing Certificate is used to digitally sign configuration profiles that are sent to iOS devices.
  - The identity information in the profile signing certificate is displayed during device provisioning.
- One or more Server Certificates may be issued for various reasons; typically, for an enterprise's authentication
server.
  - The identity information in the server certificate may be displayed during network authentication.
- One or more Device Certificates may be issued, typically one or two per provisioned device.
  - The identity information in the device certificate uniquely identifies the device and the user that provisioned
the device.
You do not need to manually create the profile signing certificate; it is created when it is needed. See "Configuring
Provisioning Settings for iOS and OS X" on page 137 to control the contents of this certificate.
You may revoke the profile signing certificate; it will be recreated when it is needed for the next device provisioning
attempt.
Certificate Configuration in a Cluster
When you use Onboard in a cluster, you must use one common root certificate authority (CA) to issue all CPPM
server certificates for the cluster. This enables the "Verified" message in iOS and lets you verify that the CPPM server
certificate is valid during EAP-PEAP or EAP-TLS authentication.
In a cluster of CPPM servers, devices can be onboarded through any node or authenticated through any node. Each
CPPM server has a different certificate, used for both SSL and RADIUS server identity. In the default configuration,
these are self-signed certificates—that is, they are not issued by a root CA. This configuration of multiple self-signed
certificates will not work for Onboard: Although a single self-signed certificate can be trusted, multiple self-signed
certificates are not.
There are two ways to configure a common root CA to issue all the CPPM server certificates for a cluster:
- Use the Onboard certificate authority. Create a certificate signing request on each CPPM node, sign the
certificates using Onboard, and install them in CPPM. You can then onboard devices on any node in the cluster,
and can perform secure EAP authentication from a provisioned device to any node in the cluster.
- Use a commercial certificate authority to issue CPPM server certificates. Verify that the same root CA is at the
top of the trust chain for every server certificate, and that it is the trusted root certificate for Onboard.
Provisioning and authentication will then work across the entire cluster.
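The following Go program is an added example, not ClearPass or Onboard code, that models the cluster requirement above: it issues server certificates for two CPPM nodes from one root CA, leaves a third node on its default self-signed certificate, and applies the same chain-and-name check a supplicant performs, so only the nodes that chain to the common root are accepted. The CA name and node hostnames are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert creates a certificate for cn signed by parent; with parent == nil it is self-signed (a node's default cert).
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // the root may sign node certificates
	} else {
		tmpl.DNSNames = []string{cn} // server identity presented for SSL and RADIUS
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// checkCluster: two nodes issued by one "Onboard Root CA" (constructed names), one node left self-signed;
// returns, per node, whether a client trusting only that root accepts the node's server certificate.
func checkCluster() map[string]bool {
	root, rootKey := issueCert("Onboard Root CA", true, nil, nil)
	n1, _ := issueCert("cppm1.example.test", false, root, rootKey)
	n2, _ := issueCert("cppm2.example.test", false, root, rootKey)
	n3, _ := issueCert("cppm3.example.test", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	result := make(map[string]bool)
	for _, c := range []*x509.Certificate{n1, n2, n3} {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: c.Subject.CommonName})
		result[c.Subject.CommonName] = err == nil
	}
	return result
}
```

The self-signed node fails with an unknown-authority error even though each of its peers verifies, which is the situation the paragraph above describes for the default per-node certificates.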
Revoking Unique Device Credentials
Because each provisioned device uses unique credentials to access the network, it is possible to disable network
access for an individual device. This offers a greater degree of control than traditional user-based authentication,
where disabling a user's account would impact all devices using those credentials.
To disable network access for a device, revoke the TLS client certificate provisioned to the device. See "Working
with Certificates in the List" on page 101.
NOTE: Revoking access for a device is only possible when using an enterprise network. Personal (PSK) networks do not support this capability.
Revoking Credentials to Prevent Network Access
NOTE: Revoking a device's certificate will also prevent the device from being re-provisioned.