Zero to EAP-TLS - Aruba Lab Build - 'Grande Quad Shot' Edition

15,905 views

Airheads Broadcasting

Comments: 46
@ehabboshra5685 2 years ago
One of the most powerful consolidated videos I have ever seen
@null_zero 5 years ago
Trying something different with this one. The content is largely covered already on the channel so I've edited this down to give a single video overview of each step I took to build my lab.
@ulis1821 5 years ago
Joe Neville Appreciate that, great content perfectly condensed!
@null_zero 5 years ago
@ulis1821 Thanks, glad you think so.
@ruellerz 5 years ago
Nice vid. FYI for other folks watching. ClearPass can be a CA as well and you can deploy EAP-TLS with Onboard.
@null_zero 5 years ago
Thanks and good point. This isn't the only way to achieve these things, it was a lab I wanted to build for some other work and I recorded the process.
@ulis1821 5 years ago
Right, but in real life you need an Onboard lic for every client, so M$-CA is a more reasonable solution.
@ruellerz 5 years ago
@ulis1821 Sure but keep in mind the license evolved from Unique device to USER now.
@ruellerz 5 years ago
And I shall quote this as well for the tricky clever folks. "The intentional onboarding of large numbers of devices by a single user to avoid purchasing Onboard licenses is a violation of the End-User Software License Agreement."
@ruellerz 5 years ago
@null_zero Yep I appreciate the video as the resources for a Windows CA deployment are scarce. Definitely saved.
@benedictagyemang3862 8 months ago
This is very helpful and came at the right time.
@chayden001 4 years ago
Great vid! One question, why was the user certificate issued if it wasn't used?
@null_zero 4 years ago
I made the video based off a home lab build and was trying to work out user and machine cert deploy around that time. I just left in the extra details in case someone found them useful.
@greatescape121 5 years ago
Nice vid, does the walkthrough work for Aruba WLC too?
@AirheadsBroadcasting 5 years ago
Yes, just swap out the relevant infra'. Windows server setup is the same.
@greatescape121 5 years ago
@AirheadsBroadcasting I have configured and successfully connected to the network using domain username and password, but I cannot enroll the certificate like at 25:00; it shows that the template was unavailable.
@null_zero 5 years ago
@greatescape121 That can be a bit tricky because you need to check multiple factors are configured correctly. Firstly, I would go to the Wins CA server tool and see if there are 'Failed Requests'. There might be details there. If not it is a case of checking off all of the steps. Look at AD Users and Computers. Check the user account that you are trying to auto enroll with. Does it have an email address? Ensure that it does. Check the security groups / admin privs of that account. Next look at the certificate template security settings and ensure the template covers the security group of your test user. Ensure that the template Security settings allow 'Read, Enroll & Auto-Enroll'. If you are issuing client certs then picking 'Authenticated Users' is the group with the widest coverage. Other factors can be that you need to push the group-policy (or wait for it to update), that's 'gpupdate /force' on the DC. Finally, always ensure you are completely logging the user in and out, not just 'lock screen' or 'switch user'.
@greatescape121 5 years ago
@null_zero Hi Joe, now I'm able to see certificate on MMC. I tried to allow 'Read, Enroll & Auto-Enroll' for authenticated user. Thanks for your help! Now I will try to do it with Mac Users & Computers.
@null_zero 5 years ago
@greatescape121 Good stuff. If you want to lessen the scope, you can just apply those security settings to the user group of your choice and put your desired users in that group i.e. it doesn't have to be all authenticated users for it to work. The main sticking point I encountered was users needing to have email addresses.
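
An added example, not from the video or from any commenter: a read-only PowerShell check of two items in the checklist above, namely that the test account has an e-mail address and that the template ACL allows Read, Enroll and Autoenroll for the chosen group. The account name and template name are placeholders, and the script assumes the ActiveDirectory module (RSAT or a DC) on a domain-joined machine.

```powershell
# Added example (read-only). Placeholder values; not taken from the video.
Import-Module ActiveDirectory   # assumes RSAT or a DC; provides the AD: drive

$TestUser     = 'labuser1'             # placeholder: account that fails to enroll
$TemplateName = 'LabUserCert'          # placeholder: template CN, not its display name
$Group        = 'Authenticated Users'  # group discussed in the thread; narrow as needed

# Extended-right GUIDs that gate enrollment on certificate template objects
$Rights = @{
    Enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    AutoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
}

# Check 1: the account has an e-mail address
$user = Get-ADUser -Identity $TestUser -Properties mail

# Check 2: collect the Allow ACEs on the template that apply to the chosen group
$config = (Get-ADRootDSE).configurationNamingContext
$dn     = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$aces   = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and "$($_.IdentityReference)" -like "*$Group"
}

$adr    = [System.DirectoryServices.ActiveDirectoryRights]
$result = [ordered]@{
    User     = $TestUser
    HasEmail = -not [string]::IsNullOrEmpty($user.mail)
    Read     = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $adr::ReadProperty })
}

# An ACE grants the right if it names the right's GUID, or names no GUID (all extended rights)
foreach ($name in $Rights.Keys) {
    $result[$name] = [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $adr::ExtendedRight) -and
        ($_.ObjectType -eq $Rights[$name] -or $_.ObjectType -eq [guid]::Empty)
    })
}

[pscustomobject]$result | Format-List
```

Any value reported as False points at the checklist item to fix; afterwards refresh policy with 'gpupdate /force' and do a full log out and log in, as the reply above describes.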
@ringthatringgit 7 months ago
thanks, very instructive
@AlvaroLMM 3 years ago
Thanks for sharing your knowledge. Great video!!! I'm trying to follow your tutorial using version 6.6.0.81015 (CP-SW-EVAL) but I am having a hard time with the licence. How do I skip it? AL
@hermanrobers 3 years ago
You should not use ClearPass 6.6, it is old. I think if you register on the Aruba Support Portal (asp.arubanetworks.com) you can request an evaluation license for ClearPass, and as well download the latest version (6.9). If that doesn't work, find your local Aruba SE and ask him or her for a ClearPass evaluation.
@AlvaroLMM 3 years ago
Already solved! Has to be requested from Aruba.
@chrisyoung8062 2 years ago
Joe, what aspects of the certs that are issued are unique? Does my question make sense? Like is it the email address, username, hostname in the case of the computer cert?
@null_zero 2 years ago
Hi Chris, it has been a while since I last did this, but the user certs use email address, I believe. I haven't got an AD domain running in my lab at the moment to check details though, I'm afraid.
@chrisyoung8062 2 years ago
@null_zero Thanks Joe. I've got this all set up in my lab now and it's working. Your video was extremely helpful. There was one little thing that didn't work the way you showed. When you added the certificates snap-in to mmc, mine didn't show users or computers. That dialog never came up and it just installed the snap-in for user certs. Not a big deal as I could see that the computer cert was issued from the server. Again thanks for the help.
@null_zero 1 year ago
@chrisyoung8062 Bit late, but I'm building a new home lab, and experienced the same (mmc didn't show computer certs) - this is the type of user you are logging in as. If you are an administrator, or user copied from the administrator account, you'll get the option for user or computer. The note here confirms this 👉 learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-the-mmc-snap-in
@WadeNorris. 2 years ago
Great video, thanks. Looking for official documentation with regards to this?
@gs4bidden399 5 years ago
How do you authenticate against Office 365 users? Also how do you authenticate a user against AD if the subnet and VLAN are different from the VLAN or subnet the DC is on, without having any unauthorized communication being processed?
@sureshhkumar955 5 years ago
I have a doubt on root CA and user certificate..
@zakariahmimssaelfakir3325 3 months ago
CAN SOMEONE EXPLAIN ME PLZZZ WHTS HES TRYING TO CONFIGURE I UNDERSTAND ONLY SOME PARTS OF THE VIDEO BUT DNT UNDERSTAND THE WHOLE GOAL OF IT
@hermanrobers 3 months ago
What are you looking for? What is configured in this video is in the description, and this video is most useful if you are looking for how to set up EAP-TLS with Active Directory, Group Policies, Aruba ClearPass.
@santoshkumarkori8142 3 years ago
Can you please help me with my ClearPass server showing the error "The Radius Server Certificate will expire in 18 day(s)"? How can I renew the radius certificate in AD server?
@hermanrobers 3 years ago
That means that you will need to renew your radius certificate as it will expire. ClearPass requires a valid Radius certificate or authentications from your clients will fail. If you don't know how to do this, I would reach out to your Aruba partner or Aruba support as it is not too hard, but it has to be done in the right way depending on your current certificate (public, private, self-signed). You could also try to seek assistance on the Airheads community community.arubanetworks.com. I expect similar advice to work with your partner or support if you don't know what to do there, but you might get a better discussion than below a KZbin video.
@sureshhkumar955 5 years ago
In 16:09 you are downloading CA certificate, what is it...
@chrisyoung8062 2 years ago
recommend watching this one at .75 speed.
@null_zero 2 years ago
Or x2 it for the full effect. The long form videos are on my own channel. This is the super-edit.
@chrisyoung8062 2 years ago
@null_zero Didn't realize you had a channel. Just sub'd.