05-04-2015 03:02 PM
Gang, I need a server cert so Windows machines can access the SSID to onboard. I believe it needs to be a SAN cert according to your cert 101 paper. If it's 3rd party, does it need to be a registered domain? All the SAN entries are for a non-registered domain. Ideas?
05-04-2015 04:19 PM
Keep in mind that the RADIUS server certificate for 802.1X does not have to be a real DNS name.
You could do auth.public-domain.com even though that may not exist in DNS. It is simply presented to the user to verify the server's identity.
The other option is to use a private cert and distribute the CA cert to clients.
05-04-2015 04:25 PM
Wildcard certificates should not be used as a RADIUS server certificate but can be used on the web side.
05-04-2015 04:31 PM
Ok, one last question and I'm out of your hair. Yes, this is for 802.1x Windows server validation only. I will request 1 cert from my 3rd party CA. What should be in the subject line? Meaning, I don't want to specify my CPPM hostname or I won't be able to use it on both CPPM servers, right?
I don't have a VIP, just 2 CPPM Nas. Do I need a different cert for both, and will each have its own CPPM hostname in the cert subject/CN?
05-04-2015 05:14 PM
If you want a server for 802.1x only, it should have the hostname of the server that it is on, period. You would mainly get involved with SANs when you want to have webauth and have multiple servers trusted as the same server. You don't have that issue with 802.1x. The name should be the hostname of the server.
Aruba Customer Engineering
05-04-2015 05:53 PM
- If you're using a certificate for both the web interface and RADIUS, you will need a multi-domain / UCC certificate with the real DNS name of the VIP as the common name and the server DNS names as the SAN.
- If you're using separate certificates for the web interface and RADIUS, the web server certificate will need the real DNS names of the servers and VIP, while the RADIUS server certificate can be any FQDN.
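The point made across the replies above (the RADIUS server name does not have to resolve in DNS; what the supplicant checks is the trusted root, the name it was told to expect, and the certificate's purpose) can be modelled in a few lines. The following is an added example written for this thread, not ClearPass or Windows code: a small Python model of the checks a PEAP supplicant performs on the RADIUS server certificate. The certificate and client-profile structures, the CA names and hostnames are all constructed, and treating wildcard names as unacceptable for the RADIUS certificate follows the advice in the thread rather than any particular client's implementation.

```python
"""Model of 802.1X (PEAP) server certificate validation on the client side.

Added example for this thread; not ClearPass or Windows code. Note that no
DNS lookup appears anywhere: the client compares the names in the presented
certificate against the names it has been configured to expect.
"""
from dataclasses import dataclass, field

# id-kp-serverAuth: Windows PEAP clients require this EKU on the RADIUS cert.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"


@dataclass
class ServerCert:
    """Constructed stand-in for the RADIUS server certificate."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)
    eku: list[str] = field(default_factory=lambda: [SERVER_AUTH_EKU])
    issuer: str = "Internal-Root-CA"   # constructed CA name


@dataclass
class ClientProfile:
    """Constructed stand-in for the wireless profile pushed to the client."""
    trusted_roots: set[str]
    expected_servers: set[str]         # empty set = client does not check the name


def presented_names(cert: ServerCert) -> list[str]:
    """All DNS-style names the certificate presents (CN first, then SAN)."""
    return [n.lower() for n in [cert.subject_cn, *cert.san_dns]]


def validate(cert: ServerCert, profile: ClientProfile) -> list[str]:
    """Return the validation failures; an empty list means the client trusts the server."""
    failures = []
    if cert.issuer not in profile.trusted_roots:
        failures.append(f"issuer '{cert.issuer}' is not a trusted root on this client")
    if SERVER_AUTH_EKU not in cert.eku:
        failures.append("certificate lacks the Server Authentication EKU")
    names = presented_names(cert)
    if any(n.startswith("*.") for n in names):
        failures.append("wildcard name present; not accepted for a RADIUS server certificate")
    if profile.expected_servers:
        expected = {e.lower() for e in profile.expected_servers}
        if not expected.intersection(names):
            failures.append(f"none of {names} match the expected server names {sorted(expected)}")
    return failures


def thread_scenarios() -> dict[str, list[str]]:
    """The situations discussed in the thread, as constructed cases."""
    internal = ClientProfile(trusted_roots={"Internal-Root-CA"},
                             expected_servers={"auth.public-domain.com"})
    # 1. Private CA distributed to clients, CN that does not exist in DNS: fine.
    no_dns_name = validate(ServerCert("auth.public-domain.com"), internal)

    # 2. Two CPPM nodes, one cert each with its own hostname as CN; the client
    #    profile simply lists both names.
    two_nodes = ClientProfile(trusted_roots={"Internal-Root-CA"},
                              expected_servers={"cppm1.internaldomain.local",
                                                "cppm2.internaldomain.local"})
    per_node = [validate(ServerCert(h), two_nodes)
                for h in ("cppm1.internaldomain.local", "cppm2.internaldomain.local")]

    # 3. Wildcard certificate: rejected for RADIUS even though the CA is trusted.
    wildcard = validate(ServerCert("*.internaldomain.local"), two_nodes)

    # 4. Public CA cert issued for an external name, but the client profile
    #    still expects the internal hostname (one constructed mismatch case).
    public = ClientProfile(trusted_roots={"Public-CA-Root"},
                           expected_servers={"server.internaldomain.local"})
    renamed = validate(ServerCert("server.externaldomain.com", issuer="Public-CA-Root"), public)

    return {"no_dns_name": no_dns_name, "node1": per_node[0], "node2": per_node[1],
            "wildcard": wildcard, "renamed": renamed}


if __name__ == "__main__":
    for label, result in thread_scenarios().items():
        print(f"{label}: {'OK' if not result else result}")
```

Running it prints "OK" for the first three cases and lists the concrete failure for the wildcard and renamed-server cases, which is the check worth repeating whenever a client shows a server-validation prompt: which root does the profile trust, which server names does it expect, and what does the certificate actually present.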
05-05-2015 08:59 PM - edited 05-05-2015 09:01 PM
Guys, so I created a 3rd party cert for the 2 CPPM servers. The servers are server.internaldomain.local. But I generated the certs as server.externaldomain.com because the 3rd party CA won't create certs for non-registered domains. Now when non-domain Windows systems connect to the SSID they get the below error. Any advice on how to resolve this?