Contributor II
Posts: 140
Registered: ‎01-04-2012
Radius Certificate for ClearPass with VIP

Question regarding which hostname I should register with the CA.

 

Example 

 

Server 1

wifi1.wireless.com

 

server 2

wifi2.wireless.com

 

VIP

wifi.wireless.com = 137.52.x.x. 

 

Should I register the hostname of each server so each server has its own private keys? Or would registering the VIP hostname be enough?

 

When wireless clients do EAP-PEAP would they be presented with the server certificate or the VIP? 

 

Thank you

Nils 

 

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010
Re: Radius Certificate for ClearPass with VIP

You can do a single certificate with:

 

CN = wifi.wireless.com 

SAN = DNS:wifi.wireless.com,DNS:wifi1.wireless.com,DNS:wifi2.wireless.com

 

You can then import the certificate and key to both servers.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 140
Registered: ‎01-04-2012
Re: Radius Certificate for ClearPass with VIP

Thank you!

Contributor II
Posts: 140
Registered: ‎01-04-2012
Re: Radius Certificate for ClearPass with VIP

 

subject alternative name field? 

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010
Re: Radius Certificate for ClearPass with VIP
You can't include a private IP in a public certificate anymore.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 140
Registered: ‎01-04-2012
Re: Radius Certificate for ClearPass with VIP

When I am trying to generate the request, I am receiving the following message:

 

Subject Alternate Name must start with either email, URI, DNS, RID or IP, followed by a : (e.g., IP:192.168.1.2)

 

When using the format:

 

CN: clearpass.nova.edu

SAN: dns=clearpass.nova.edu&dns=clearpass1.nu.nova.edu&dns=clearpass.nu.nova.edu

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010
Re: Radius Certificate for ClearPass with VIP
It should be DNS: (DNS colon, not equals) and then commas after each entry.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 140
Registered: ‎01-04-2012
Re: Radius Certificate for ClearPass with VIP

It doesn't work with the dns format:

 

dns:clearpass.nova.edu,dns:clearpass1.nunet.nova.edu,dns:clearpass.nunet.nova.edu

 

But works with the IP format:

IP:137.52.x.x,IP:137.52.x.x,IP:137.52.x.x

 

Any ideas for the dns format? 

Contributor II
Posts: 140
Registered: ‎05-12-2010
Re: Radius Certificate for ClearPass with VIP

DNS:

not dns:

Case matters.


nilslau03 wrote:

It doesn't work with the dns format:

 

dns:clearpass.nova.edu,dns:clearpass1.nunet.nova.edu,dns:clearpass.nunet.nova.edu

 

But works with the IP format:

IP:137.52.x.x,IP:137.52.x.x,IP:137.52.x.x

 

Any ideas for the dns format? 


 

Bruce Osborne - Wireless Engineer
ACCP
Contributor II
Posts: 140
Registered: ‎01-04-2012
Re: Radius Certificate for ClearPass with VIP

That's right! 

 

It worked. Thank you!!
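
Added example (not part of any post in this thread, and not ClearPass's own validation code): a Python check for the SAN string syntax worked out above, using the prefixes listed in the quoted error message and assuming they are matched case-sensitively, as the thread concludes. The function name `check_san` and the sample strings are constructed for illustration from the hostnames in the first post.

```python
import re

# Prefixes as spelled in the error message quoted in the thread; treating
# them as case-sensitive is an assumption based on the "DNS: not dns:" reply.
ALLOWED_PREFIXES = ("email", "URI", "DNS", "RID", "IP")


def check_san(san, required_hosts=()):
    """Return (dns_names, problems) for a comma-separated SAN string."""
    dns_names, problems = [], []
    for entry in (e.strip() for e in san.split(",")):
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        prefix, sep, value = entry.partition(":")
        if not sep:
            problems.append(f"{entry!r}: no 'PREFIX:' found; use ':' and ',' not '=' and '&'")
        elif prefix not in ALLOWED_PREFIXES:
            fixed = next((p for p in ALLOWED_PREFIXES if p.lower() == prefix.lower()), None)
            hint = f"; did you mean {fixed}:?" if fixed else ""
            problems.append(f"{entry!r}: unknown prefix {prefix!r}{hint}")
        elif not value or re.search(r"[=&\s]", value):
            problems.append(f"{entry!r}: value is empty or contains '=', '&' or whitespace")
        elif prefix == "DNS":
            dns_names.append(value.lower())
    # Once the syntax is clean, a certificate shared by the VIP and every
    # node must name all of them in DNS: entries.
    if not problems:
        for host in required_hosts:
            if host.lower() not in dns_names:
                problems.append(f"{host}: not covered by any DNS: entry")
    return dns_names, problems


if __name__ == "__main__":
    hosts = ["wifi.wireless.com", "wifi1.wireless.com", "wifi2.wireless.com"]
    # Constructed inputs mirroring the three attempts made in the thread.
    samples = [
        "dns=wifi.wireless.com&dns=wifi1.wireless.com&dns=wifi2.wireless.com",
        "dns:wifi.wireless.com,dns:wifi1.wireless.com,dns:wifi2.wireless.com",
        "DNS:wifi.wireless.com,DNS:wifi1.wireless.com,DNS:wifi2.wireless.com",
    ]
    for s in samples:
        names, problems = check_san(s, hosts)
        print(s, "->", "OK" if not problems else problems)
```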
