Higher Education

Question regarding which hostanme should i register with CA. 

 

Example 

 

Server 1

wifi1.wireless.com

 

server 2

wifi2.wireless.com

 

VIP

wifi.wireless.com = 137.52.x.x. 

 

Should i register the hostanme of each server so each server have it own private keys? Or would register the VIP hostname be enough? 

 

When wireless clients do EAP-PEAP would they be presented with the server certificate or the VIP? 

 

Thank you

Nils 

 

You can do a single certificate with:

 

CN = wifi.wireless.com 

SAN = DNS:wifi.wireless.com,DNS:wifi1.wireless.com,DNS:wifi2.wireless.com

 

You can then import the certificate and key to both servers.

Thank you!

cappalli

 

Do you need to include the ip adress in the subject alternative name field? 

You can't include a private IP in a public certificate anymore.

When i am trying to generate the request. I am receiving the following message: 

 

Subject Alternate Name must start with either email, URI, DNS, RID or IP, followed by a : (e.g., IP:192.168.1.2)

 

When using the format:

 

CN: clearpass.nova.edu

SAN: dns=clearpass.nova.edu&dns=clearpass1.nu.nova.edu&dns=clearpass.nu.nova.edu

It should be DNS: (DNS colon, not equals) and then commas after each entry.

It doesnt work with dns formart:

 

dns:clearpass.nova.edu,dns:clearpass1.nunet.nova.edu,dns:clearpass.nunet.nova.edu

 

But works with the IP format:

IP:137.52.x.x,IP:137.52.x.x,IP:137.52.x.x

 

Any ideas for the dns format? 

DNS:

not dns:

Case matters.

---

@nilslau03 wrote:

It doesnt work with dns formart:

 

dns:clearpass.nova.edu,dns:clearpass1.nunet.nova.edu,dns:clearpass.nunet.nova.edu

 

But works with the IP format:

IP:137.52.x.x,IP:137.52.x.x,IP:137.52.x.x

 

Any ideas for the dns format? 

---

 

That's right! 

 

It worked. Thank you!!

Hi all,

i will be very grateful for the help.
I also have two servers clearpass: ip1: 10.0.0.1, ip2:10.0.02, ip-VIP:10.0.0.3
In the controller i set radius server IP: 10.0.0.3
what should point out  in radius certeficate fields CN and SAN ?
Can  i simply set CN 10.0.0.3 and use same certificate in both CleaPass servers?

I need to have successfully connected win7-8 devices with enabled "verify server certificate" option by default.

 

The common name and first SAN entry should be the DNS Name of the VIP.



The second and third SAN entry should be the individual server DNS names.

But in this situation, how clients will find that provided certificate really belongs to this radius server?
After all, neither the controller nor the customers do not know the FQDN of radius server.
Or clients do not make such check?

Now I have installed the certificate with these fields:

CN  clearpass-cluster
SAN   IP:10.0.0.1,IP:10.0.0.2,IP:10.0.0.3,DNS:name1.org,DNS:name2.org,DNS:cluster-name.org

 

And win7-8 clients can't connect until you remove the option "Validate server certificate".

User's will generally recognize the domain name and click accept. Your other
options are using QuickConnect to configure the clients, group
policy/profile manager if the devices are in your control, or Onboarding.



The client needs to configured to the trust the CN and issuing CA of the
certificate.