Deployment Guide

Field Description
default. If additional certificate authorities are created, they are included in this drop-
down list (see "Creating a New Certificate Authority" on page 94).
Signer
(Required) Select the source to use for signing TLS client certificates. Options include
Onboard Certificate Authority and Active Directory Certificate Services (ADCS). If
Active Directory Certificate Services is chosen, the ADCS URL and ADCS Template
rows are added to the form. ADCS can only be used with certificate-based
authentication; it cannot be used with username/password authentication.
ADCS URL
(Required) If Active Directory Certificate Services was chosen in the Signer field,
enter the URL of the ADCS server in the field. This URL should be the Web interface
for ADCS, and is typically http://<server>/certsrv/.
ADCS Template
(Required) If Active Directory Certificate Services was chosen in the Signer field,
enter the name of the template to use when requesting the certificate. If the name is
not known, you can use the default name of "user".
Key Type
(Required) Specifies the type of private key that should be created when issuing a
new certificate. You can select one of these options:
• 1024-bit RSA created by server: Lower security.
• 1024-bit RSA created by device: Lower security. Uses SCEP to provision the
EAP-TLS certificate.
• 2048-bit RSA created by server: Recommended for general use.
• 2048-bit RSA created by device: Recommended for general use. Uses SCEP to
provision the EAP-TLS certificate.
• 4096-bit RSA created by server: Higher security.
• X9.62/SECG curve over a 256 bit prime field - created by server
• NIST/SECG curve over a 384 bit prime field - created by server
See Note below this table.
Unique Device Credentials
Includes the username as a prefix in the device's PEAP credentials.
Note: Using a private key containing more bits increases security, but also increases the processing time required to
create the certificate and authenticate the device. The additional processing also affects the battery life of a
mobile device. It is recommended to use the smallest private key size that is feasible for your organization. The “created
by device” options use SCEP to provision the EAP-TLS device certificate, so the private key is known only to the device
rather than also known by the user. When a “created by device” option is selected, the generated key is used instead of
the username/password authentication defined in Network Settings.
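Added example (not from this guide or the product): a standard-library Python check that reads a DER SubjectPublicKeyInfo, such as one exported from an issued client certificate, and rates it using the wording of the Key Type options above. The function names and sample inputs are constructed for illustration; the sample RSA moduli and EC points are dummies, not usable keys.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
CURVES = {bytes.fromhex("2a8648ce3d030107"): 256,  # X9.62/SECG prime256v1
          bytes.fromhex("2b81040022"): 384}        # NIST/SECG secp384r1
RSA_RATING = {1024: "lower security", 2048: "recommended for general use", 4096: "higher security"}
NOT_OFFERED = "not an offered key type"

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify_spki(der):
    """Return (algorithm, bits, rating) for a DER SubjectPublicKeyInfo."""
    _, spki, _ = read_tlv(der, 0)
    _, alg, after_alg = read_tlv(spki, 0)
    _, oid, after_oid = read_tlv(alg, 0)
    if oid == RSA_OID:
        _, bitstr, _ = read_tlv(spki, after_alg)
        _, rsa_key, _ = read_tlv(bitstr, 1)  # skip the unused-bits octet
        _, modulus, _ = read_tlv(rsa_key, 0)
        bits = int.from_bytes(modulus, "big").bit_length()
        return "RSA", bits, RSA_RATING.get(bits, NOT_OFFERED)
    if oid == EC_OID:
        _, curve, _ = read_tlv(alg, after_oid)
        bits = CURVES.get(curve)
        return "EC", bits, "offered, unrated" if bits else NOT_OFFERED
    return "unknown", None, NOT_OFFERED

def tlv(tag, content):  # DER encoder, used only to build the constructed samples
    n, k = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + content

def sample_rsa_spki(bits):
    """Constructed input: valid structure, dummy modulus, not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    return tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + key))

def sample_ec_spki(curve_oid, coord_len):
    """Constructed input: named-curve SPKI with an all-zero placeholder point."""
    return tlv(0x30, tlv(0x30, tlv(0x06, EC_OID) + tlv(0x06, curve_oid))
               + tlv(0x03, b"\x00\x04" + bytes(2 * coord_len)))
```

For a real certificate, the DER input can be produced with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`.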
Field Description
Authorization Method
Authorization method for devices. Options include App Auth and RADIUS.
Configuration Profile
Configuration profile to provision to devices. All configuration profiles that have been
created are included in this list. A configuration profile specifies an application set,
Exchange ActiveSync settings, network settings, passcode policy, VPN, and other
settings. For more information, see "Onboard/MDM Configuration" on page 141.
Maximum Devices
Enter a number to limit the maximum number of devices that each user may
provision. To be enrolled, a device must have a currently valid certificate, and its
status set to Allowed (at Onboard + WorkSpace > Management and Control > View
by Device).
Unique Device Credentials
Adds the username as a prefix to the device's PEAP credentials.
Table 33: Device Provisioning Settings, General Tab, Authorization Area
Dell Networking W-ClearPass Guest 6.3 | User Guide Onboard + WorkSpace | 215