User Experience Insight now supports Simple Certificate Enrolment Protocol (SCEP). This feature enables each sensor to request certificates for network authentication from a SCEP server. This greatly simplifies and automates the deployment and management of certificates.

This feature is configured in the User Experience Insight settings on a network basis, and all sensors testing that network will obtain certificates for client authentication using the SCEP settings defined for the network. The sensors then use these certificates to do EAP-TLS client authentication.

Before you can configure a network to obtain a client authentication certificate using SCEP, you must first define an Enroll Network: the network (wired or wireless) over which the sensor initially contacts the SCEP server. You can create an Enrollment Network by going to Settings -> Networks and selecting Add. The Enrollment Network should not require a proxy.

After you have created an Enrollment Network, you can create a network for which the sensor obtains a client authentication certificate using SCEP, again by going to Settings -> Networks and selecting Add.

Note: The cryptographic settings need to align with the certificate template issued by the certificate authority in order for the sensor to successfully authenticate to the network using the obtained certificate for EAP-TLS. In addition, the certificate authority should be configured to issue certificates without waiting for user approval.
 
In the Add Network menu, enter the following settings.

  • Network: Select the wireless network for SCEP (no selection is needed when creating a wired network).
  • Alias: (Optional) Specify an alternate network name used to identify the network in the dashboard.
  • Security: Enterprise
  • Auth Method: Certificate
  • Enrollment Method: SCEP
  • Enroll Network: Select the enrollment network (wired or wireless).
  • SCEP Server URL: Specify the SCEP enrollment URL including scheme, path and program extension.
      - Windows Server example: http://<windows server>/certsrv/mscep/mscep.dll/pkiclient.exe?
      - Clearpass example: http://<clearpass server>/onboard/mdps_scep.php/1
  • Common Name: (Optional) The main subject name that identifies the entity associated with the public key of the issued certificate. The sensor serial number is used if this field is blank. The Common Name should correspond to a user account on the EAP-TLS server for the sensor to successfully use the obtained certificate for EAP-TLS authentication.
  • Alternative Name: (Optional) X.509 extension that allows you to specify additional host names/domain names for a single certificate. The sensor serial number is used if this field is blank.
  • Challenge Password: The SCEP challenge password provided by the PKI administrator.
  • Encryption Algorithm: Select 3DES or AES-128. This algorithm is used to encrypt the Certificate Signing Request (CSR) sent to the SCEP server.
  • Signature Algorithm: Select SHA-1, SHA-256 or SHA-512. This is the hash algorithm used with the RSA key to sign the CSR and the sensor's self-signed certificate.
  • Digest Algorithm: Select SHA-1, SHA-256 or SHA-512. This is the hash algorithm used to form the digest of the content envelope that goes into the SignedData CMS, and also to hash the signed attributes for the signature. If not specified, the Signature Algorithm is used.
  • RSA Key Size: Select 1024, 2048 or 4096.
  • CA Certificate: (Optional, depending on whether the SCEP server returns the complete CA certificate trust chain.) Note that the root CA certificate is required for EAP-TLS, and the intermediate certificate used to sign the SCEP-issued certificate is needed as well. These can either all be uploaded, or some (usually the root certificate) uploaded and the SCEP signing certificate obtained by fetching it from the URL using the GetCACert operation. If nothing is uploaded, certificates are fetched from the URL and whatever is returned is also used for EAP-TLS, so if no root certificate is uploaded the server must be configured to send down the full chain when requested.
  • Root CA Fingerprint: (Optional) Used to verify the identity of the root CA certificate.
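As an added example that is not part of User Experience Insight or its sensor code, the following POSIX shell script uses the openssl command line to generate a CSR carrying the same fields the sensor submits (Common Name, Alternative Name, challenge password, RSA key size, signature hash) plus the self-signed certificate that signs the SCEP request, so the decoded values can be compared with the CA's certificate template before any sensor enrolls. The serial number and challenge password are constructed placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of User Experience Insight: reproduce the CSR the
# sensor sends in its SCEP request so the parameters can be checked against
# the CA template. Assumes the openssl CLI; values below are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/scep-csr-check.$$"
mkdir -p "$WORK"

# Mirror of the Add Network fields (constructed placeholder values).
COMMON_NAME="UXI-SENSOR-SERIAL-0001"   # Common Name (serial if left blank)
ALT_NAME="UXI-SENSOR-SERIAL-0001"      # Alternative Name (serial if blank)
CHALLENGE="placeholder-challenge"      # Challenge Password from PKI admin
KEY_BITS=2048                          # RSA Key Size: 1024, 2048 or 4096
SIG_HASH=sha256                        # Signature Algorithm: sha1/sha256/sha512

# Generate the RSA key and a CSR carrying CN, SAN and the SCEP
# challengePassword attribute; prints the CSR path.
make_scep_csr() {
    cat > "$WORK/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
attributes         = attrs
req_extensions     = ext
[ dn ]
CN = $COMMON_NAME
[ attrs ]
challengePassword = $CHALLENGE
[ ext ]
subjectAltName = DNS:$ALT_NAME
EOF
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes \
        -keyout "$WORK/sensor.key" -out "$WORK/sensor.csr" \
        "-$SIG_HASH" -config "$WORK/csr.cnf" 2>/dev/null
    echo "$WORK/sensor.csr"
}

# Self-signed certificate the sensor uses to sign its SCEP PKCSReq,
# hashed with the same Signature Algorithm; prints the certificate path.
make_selfsigned() {  # $1 = CSR path
    openssl x509 -req -in "$1" -signkey "$WORK/sensor.key" -days 30 \
        "-$SIG_HASH" -out "$WORK/sensor-selfsigned.pem" 2>/dev/null
    echo "$WORK/sensor-selfsigned.pem"
}

# Fixed-string search in the decoded CSR or certificate (exit 1 if absent).
csr_has()  { openssl req  -in "$1" -noout -text | grep -qF -- "$2"; }
cert_has() { openssl x509 -in "$1" -noout -text | grep -qF -- "$2"; }
```

Run `csr_has "$(make_scep_csr)" "Public-Key: (2048 bit)"` and similar checks against each value the CA template enforces; a failed check means the sensor's enrollment would be rejected for the same reason.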

FAQ:

Does the SCEP server need to be available after the sensors have obtained certificates?

No. After the sensors have successfully obtained valid certificates, the sensors do not need to contact the SCEP server unless the certificate is revoked, expired or needs to be renewed. In that case a new certificate needs to be requested via SCEP. The SCEP server must be reachable without a proxy. 

Are One-Time Passwords Supported?

If you are on-boarding multiple sensors at the same time, the SCEP challenge password should be the same for all sensors. A one-time password is not recommended.

Can the enrollment network be the same as the network to be tested?

Yes. For example, if you have a network that supports EAP-PEAP but prefers EAP-TLS and the SCEP server is reachable using EAP-PEAP, you would first create the EAP-PEAP network in the dashboard and use the alias function to name it. Then you can use this network as an enrollment network for the EAP-TLS network obtaining the certificate via SCEP.

Does the enrollment network count against the 4 network maximum the sensors can test?

No, unless you want to test the enrollment network itself by adding it to the sensor.

Can I use the same certificate obtained from SCEP for multiple networks such as wired and wireless? 

No. The sensor will request separate certificates for each network.

We have verified SCEP against Microsoft Windows Server 2019, Microsoft Windows Server 2016 and Aruba Clearpass 6.8.5.
Microsoft Windows Server 2012 R2 is not supported.  
