CloudPath - manually generate & deploy device certificate

  • Question
  • Updated 4 months ago
  • Answered
Hi,
Not sure if this is possible.
We have Ruckus vSZ with Cloudpath for on-boarding wireless devices. At the moment all BYOD users go through the Cloudpath onboarding URL >> enter their AD domain credentials, which launches the NetworkWizardLoader-xxxx.exe and connects the user to the relevant SSID.

We have a few non-domain/Intune managed devices shared by multiple users and would like to connect them to the wireless using the device based certificate. Is there a way on Cloudpath to generate/export the certificate manually which I can install on the devices so that they connect automatically to the wireless?

Or please advise if there is a better solution.

Any help on this would be much appreciated, thank you.

Bicky Budha

Posted 4 months ago

Alex Sharaz

Yup, if you log in as admin you can generate a cert from a certificate template and then download whatever format of file you need.

Liliia

Yes you can install the cert and bind it to the device (user) certificate, Bicky.
BUT I do not think that you can export the certificate generated by CP. You can create an account (onboard user) in the internal Cloudpath database. Use credentials from Authentication Servers and the device is good to go for auto connection in future.

Brett Nelson, Employee

Liliia, the post from Alex above is correct.  

Liliia

Thanks for follow up Brett! Nice to know you are with us. I learnt something new today:)

Bicky Budha

Thank you. Is there a help guide or knowledge-base article somewhere I can follow?

Brett Nelson, Employee

Here are a couple of screenshots to illustrate... If you need further assistance with this, please open a ticket with Ruckus Support.

Bicky Budha

Thank you Brett. If I generate a certificate based on the existing BYOD template we use here, and use one of the AD accounts in the Username field, can I apply the same certificate to multiple devices?

Alex Sharaz

Well, you'd use the same template but not the same cert; you'd generate a different cert for each entered username.

Brett Nelson, Employee

You could apply the same cert to different devices, but you would then not be able to uniquely distinguish them. It is not required that you use an AD account user for the Username field. That just establishes the username as part of the certificate's common name. When challenging users in a workflow using an AD authentication server, that is merely authorizing the user to be issued a cert... and that is the extent of AD's role. Subsequent connections are authenticated with the cert, and not AD at all. (in EAP-TLS use case, anyway...)

Alex Sharaz

Would never consider using the same client cert on multiple machines. If you revoke it or it expires ... everything dies ... that's a lot of pain as the number of people using the same cert increases.

Brett Nelson, Employee

Agree 100%

Alex Sharaz

And another no-no is assigning certs owned by a user to headless devices ... so that when you delete that user from Cloudpath all the certs owned by them get deleted ... and all your headless devices stop working ...

Bicky Budha

Thank you Alex.
We have bulk laptops that are shared by multiple students. Is there a solution for this?
Or is the only way to join them to the domain and push EAP-TLS/certificate via GPO?