ClearPass BYOD : Basics to implement ClearPass + Airwatch + ADCS for EAP-TLS

Active Directory Certificate Services


Active Directory Certificate Services (ADCS) provides customizable services for issuing and managing public key certificates used in software security systems that employ public key technologies.


The following link explains the features and installation of ADCS:


Airwatch Mobile Device Management


AirWatch is a Mobile Device Management (MDM) service that lets WUSM provide better security for smartphones, tablets and most other devices running a mobile operating system that connect to the WUSM-Secure WiFi network; it has been selected as the enterprise solution for managing mobile devices. In addition, AirWatch will help WUSM comply with federal and state regulations: the Encryption Subcommittee chaired by the FPP Board recommended an enterprise solution to provide consistent and timely reporting for compliance.


Simple Certificate Enrollment Protocol


Simple Certificate Enrollment Protocol (SCEP) is a protocol used for enrollment and other Public Key Infrastructure (PKI) operations.

The following link explains SCEP:

The EAP-TLS Authentication Protocol


The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides support for multiple authentication methods. Transport Layer Security (TLS) provides mutual authentication, integrity-protected cipher suite negotiation, and key exchange between two endpoints. EAP-TLS (RFC 5216) carries a TLS handshake inside EAP, so the client authenticates with a certificate and its private key instead of a password; in this design that certificate is the one AirWatch enrols for the device through ADCS.


The following link explains EAP-TLS:





  • By now we assume that the ADCS integration with Airwatch is done.
  • The client has an Airwatch agent that pulls the device's configuration from Airwatch.
  • The client creates a CSR and forwards it to Airwatch, which in turn reaches out to ADCS (over SCEP) to get it signed.
  • The MDM (Airwatch) pushes the issued certificate along with the BYOD SSID profile to the client device.
  • The device connects to the BYOD SSID and performs EAP-TLS authentication against ClearPass.
  • Through the ClearPass and Airwatch integration, ClearPass fetches the required device attributes from Airwatch and assigns the appropriate policy.
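The certificate operations behind that flow, as an added Go example that is not part of the original post or of any AirWatch, ADCS or ClearPass code: a stand-in issuing CA, the device-side key generation and CSR, issuance with the EKU fixed by the CA rather than by the requester, and the ClearPass-side check of the client certificate in the EAP-TLS handshake (chain to the trusted CA, validity, clientAuth EKU) followed by extraction of the identity used for role mapping. The CA name, the user jdoe@example.org and placing the UPN in the subject CN are assumptions for illustration; the SCEP transport between AirWatch and NDES is not modelled, the CSR is handed straight to the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuingCA stands in for the ADCS enterprise CA (reached via NDES/SCEP in production).
type issuingCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(name string) (*issuingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuingCA{cert: cert, key: key}, nil
}

// deviceCSR is the endpoint side: the key pair stays on the device, only the CSR leaves it.
func deviceCSR(upn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: upn}} // assumed: UPN as CN
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, der, err
}

// issue signs the CSR. EKU, key usage and lifetime come from the CA's template,
// never from the requester, so a device cannot ask for more than clientAuth.
func (ca *issuingCA) issue(csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses a CSPRNG serial
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// authenticateEAPTLS is the ClearPass side of the handshake: the client certificate must
// chain to a trusted CA, be within validity and carry clientAuth; the CN feeds role mapping.
func authenticateEAPTLS(clientDER []byte, trusted *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate rejected: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, _ := newCA("WUSM Issuing CA")
	_, csr, _ := deviceCSR("jdoe@example.org")
	leaf, _ := ca.issue(csr)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.cert)
	fmt.Println(authenticateEAPTLS(leaf, trusted))
}
```

The trust pool handed to `authenticateEAPTLS` plays the role of the ClearPass trust list: it holds only the ADCS issuing CA, so a certificate from any other CA fails the chain check even if it is otherwise well formed, and the CSR signature check at issuance stops a request made with someone else's public key.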




Step 1: Active Directory Certificate Services installation

The following link explains this:



Step 2: Integrate Airwatch with ADCS using SCEP, and push the client certificates and the wireless profile to the clients

The following link explains this:



Step 3: Configure the wireless controller to broadcast the BYOD SSID with 802.1X (WPA2-Enterprise) authentication and ClearPass as its RADIUS server; the EAP method itself (EAP-TLS) is negotiated between the client and ClearPass, the controller only relays it.


Step 4: Configure a service, roles and the required enforcement profiles on ClearPass: an EAP-TLS authentication method, the ADCS issuing CA certificate in the ClearPass trust list so that client certificates validate, and role mapping based on the attributes fetched from Airwatch.


Hope this was helpful! Cheers!

Sushanth M

