User Experience Insight now supports Simple Certificate Enrollment Protocol (SCEP). This feature enables each sensor to request certificates for network authentication from a SCEP server. This greatly simplifies and automates the deployment and management of certificates.
This feature is configured in the User Experience Insight settings on a per-network basis, and all sensors testing that network will obtain their own individual certificates for client authentication using the SCEP settings defined for the network. The sensors then use these certificates to do EAP-TLS client authentication.
Before you can configure a network to obtain a client authentication certificate using SCEP, you must first define an Enrollment Network, which is the network (wired or wireless) over which the sensor will initially contact the SCEP server. You can create an Enrollment Network by going to Settings -> Networks and select Add. The Enrollment Network should not require a proxy.
After you have created an Enrollment Network, you can now create a network for the sensor to obtain client authentication certificates using SCEP by going to Settings -> Networks and select Add.
Note: The cryptographic settings need to align with the certificate template issued by the certificate authority in order for the sensor to authenticate successfully to the network using the obtained certificate for EAP-TLS. In addition the certificate authority should be configured to issue certificates without waiting for user approval. If you are mapping the sensors to accounts in Microsoft Active Directory, you must export the certificate from the CA and make use of name mappings in Active Directory.
In the Add Network menu, enter the following settings.
Network - Select the wireless network for SCEP (no selection to be made if creating a wired network)
Alias - (Optional) Specify an alternate network name for how it should be identified in the dashboard.
Auth Method: Certificate
Enrollment Method: SCEP
Enrollment Network: Select the enrollment network (wired or wireless).
SCEP Server URL: Specify the SCEP enrollment URL including scheme, path and program extension.
- Windows Server Example:
- Clearpass Example:
Common Name: (Optional) The main subject name that identifies the entity associated with the public key of the issued certificate. The sensor serial number will be used if this field is left blank. The Common Name should correspond to a user account on the EAP-TLS server for the sensor to successfully use the obtained certificate for EAP-TLS authentication.
Alternative Name: (Optional) X.509 extension that allows you to specify additional host names/domain names for a single certificate. The sensor serial number is used if this field is left blank.
Challenge Password: This is the SCEP challenge password provided by the PKI administrator.
Encryption Algorithm: Select from 3DES or AES-128. The encryption algorithm type is used to encrypt the Certificate Signing Request (CSR)
Signature Algorithm: Select from SHA-1, SHA-256, SHA-512. The signature algorithm type is the hash algorithm to use with RSA keys for signing the CSR and self-signed certificate
Digest Algorithm: Select from SHA-1, SHA-256, SHA-512. The digest algorithm type is the hash algorithm used to form the digest of the content envelope that goes into the SignedData CMS, and is also used to hash the signed data attributes for the signature. If not specified, the same algorithm as Signature Algorithm type will be used.
RSA Key Size: Select from 1024, 2048, 4096
CA Certificate: (Optional depending on if the SCEP server returns the complete CA certificate trust chain). Note the root CA is required for EAP-TLS and the intermediate certificate used for signing the SCEP cert needs to be obtained too. These can either all be uploaded, or some (usually the root certificate) uploaded and the signing cert for SCEP obtained by fetching it from the URL using the GetCACert operation. If nothing is uploaded, certs will be fetched from the URL and whatever is available will be used for EAP-TLS too, so if no root cert is uploaded the server needs to be configured to send down the full chain when requested.
Root CA Fingerprint: (Optional): Used to verify the identity of the root CA certificate.
The sensor will attempt to renew automatically. It will attempt to reach the SCEP server over the network configured for SCEP (not the enrollment network) so for renewal to be successful there must be a path to the SCEP server over the network itself.
The sensor will attempt renewal as soon as the date and time reaches halfway through the certificate’s validity period. So, if the certificate validity period is from 1 January 2021 to 31 December 2021, renewal will be attempted from end of June 2021. If you would like to specify the exact number of days before expiry for the sensor to attempt renewal, this can be requested through support. (e.g. 30 days before expiry, attempt renewal.)
If the challenge password configured in the SCEP network settings is still valid, the certificate will be renewed without any user intervention required. If the challenge password has expired, the sensor will attempt renewal but will fail and show an error on dashboard “Transaction either not permitted or supported during SCEP renewal’” with the detail that “password might be incorrect”. The user must update the challenge password in the SCEP network settings before the certificate expires, then the sensor will be able to renew the certificate automatically.
The password must be updated before the current certificate expires because renewal will no longer be attempted once the certificate has expired. The certificate expiration date for a SCEP network is displayed in the About section of the sensor settings page.
Does the SCEP server need to be available after the sensors have obtained certificates?
No. After the sensors have successfully obtained valid certificates, the sensors do not need to contact the SCEP server unless for renewal, or if the certificate is revoked or expired. The SCEP server must be reachable without a proxy.
When does the sensor request a new certificate?
The sensor will automatically attempt to request a new certificate as described in the Certificate renewal section. The sensor will request a new certificate over the network it is testing. If the attempt fails, you will see notifications on the dashboard.
If the certificate the sensor is using for EAP-TLS expires or is otherwise invalid, you can go to the sensor configuration page and remove the network from the sensor. After applying the settings, wait up to 15 minutes, then go to the sensor configuration page and add the network back to the sensor in order for it to enroll afresh. The sensor will then use the enrollment network to contact the SCEP server.
Are One-Time Passwords Supported?
If you are on-boarding multiple sensors at the same time, the SCEP challenge password should be the same for all sensors. A one-time password would still work, but would require you to frequently update the password in the network settings. Therefore, if you are onboarding multiple sensors at the same time this is not recommended.
Can the enrollment network be the same as the network to be tested?
Yes. For example, if you have a network that supports EAP-PEAP but prefers EAP-TLS and the SCEP server is reachable using EAP-PEAP, you would first create the EAP-PEAP network in the dashboard and use the alias function to name it. Then you can use this network as an enrollment network for the EAP-TLS network obtaining the certificate via SCEP.
Does the enrollment network count against the 4 network maximum the sensors can test?
No. Unless you want to test the enroll network by adding it to the sensor.
Can I use the same certificate obtained from SCEP for multiple networks such as wired and wireless?
No. The sensor will request separate certificates for each network.
How do I resolve an error message that says "802.1X failed with unknown CA"?
If you examine the triage menu and the output says "local TLS alert: Unknown CA", this likely indicates the CA you were issued a certificate from via SCEP does not have the same root CA as the RADIUS server. You can add the root CA certificate or certificate chain for the RADIUS server in the SCEP network settings under Advanced -> Specify Server CA.
If you examine the triage menu for an 802.1X error and the output says "remote TLS alert: Unknown CA" or the radius server says "fatal alert by server - unknown_ca", this likely indicates your RADIUS server does not trust certificates issued by the CA for the SCEP server. You must add your root certificate or certificate chain of/from your SCEP server to the trust list of the RADIUS server.
Which SCEP Servers are Supported?
We have verified SCEP against Microsoft Windows Server 2019, Microsoft Windows Server 2016 and Aruba Clearpass 6.8.5.
Microsoft Windows Server 2012 R2 is not supported.
Microsoft Network Device Enrollment Service Documentation https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx