Can NAC push certificate to device

  • Question
  • Updated 1 year ago
  • Answered
Hi All

Can the NAC push a certificate to a device, to use for authentication?

Thx

Andre Brits Kannemeyer

Posted 1 year ago


Mike Thomas, Employee - GTAC - NMS

Is this a new appliance being added, or a replacement one?

Andre Brits Kannemeyer

Hi Mike, not sure on your question.
This is a new NAC appliance that is being deployed.

The client would like to use EAP TLS with Certificates for authentication.
For Windows laptops, I can join the domain on the LAN and have the authentication certificate pushed/installed on the laptop from a group policy that applies to the laptop.

The problem occurs with the mobile devices: when they connect to the wireless they do not have the authentication cert installed and also do not trust the CA.

Mike Thomas, Employee - GTAC - NMS

Thanks Andre,
So I am uncertain, is there an existing NAC that had a certificate on it, or is this a new install?

Andre Brits Kannemeyer

This will be a new installation

Mike Thomas, Employee - GTAC - NMS

Okay, a replaced NAC could have the certificate enforced down to the device, but a new NAC will need to go through the process outlined in this document to install the certificates on a per-NAC basis. Since you're using 802.1x, you will need to go through the CSR process as well.

https://gtacknowledge.extremenetworks.com/articles/How_To/How-To-Update-NAC-Internal-Communications-...

James A, Embassador

I think Andre is asking about client devices, not NAC devices managed by EMC. The answer is no, you'll need a third-party product like CloudPath, SecureW2 or an MDM that supports SCEP to push out a profile with the RADIUS cert and request a client cert.

Andre Brits Kannemeyer

Hi James

Thank you, yes, my question was related to the client device certificate.

Thx

Yacobucci, Ryan, Multi-Tier Technical Support Engineer

NAC does not have the ability to install certificates or provision 802.1x supplicants with the correct authentication configuration on end systems.

Thanks
-Ryan