Occasional Contributor II

CPPM 6.3 certificates, ssl, radius, onboard

Greetings

 

I am setting up CPPM for our environment with the following configuration.

One requirement is to support PEAP clients as well as onboarded clients on the same SSID.

 

CPPM version 6.3

dns:

cppmd1                   IN      A       10.200.1.100

cppmd2                   IN      A       10.200.1.101

cppmd3                   IN      A       10.200.2.100

site1clearpass        IN      A       10.200.1.102

site2clearpass        IN      CNAME   cppmd3.ourdomain.com.

cppm1                     IN      A       10.100.1.100

cppm2                     IN      A       10.100.1.101

cppm3                     IN      A       10.100.2.100

 

 

Campus 1:

Publisher

cppm1.ourdomain.com

mgmt interface 10.100.1.100/24

data interface   10.200.1.100/24

VIP interface    10.200.1.102/24

 

Subscriber1:

cppm2.ourdomain.com

mgmt interface 10.100.1.101/24

data interface   10.200.1.101/24

VIP interface    10.200.1.102/24

 

Campus2:

Subscriber2:

cppm3.ourdomain.com

mgmt interface 10.100.2.100/24

data interface   10.200.2.100/24

 

Our requirements:

Create certs to be used for SSL and RADIUS authentication for PEAP,

and use the internal CA for onboarding and assigning certificates.

 

Server1 cert publisher

Server1 FQDN:site1clearpass.ourdomain.com

CN:site1clearpass.ourdomain.com

SAN= DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com,DNS:site1clearpass.ourdomain.com

,DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com

 

Server2 cert Subscriber

Server2 FQDN:site1clearpass.ourdomain.com

CN:site1clearpass.ourdomain.com

SAN= DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com,DNS:site1clearpass.ourdomain.com

,DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com

 

Questions I have:

Does the VIP domain name site1clearpass.ourdomain.com have to be included in the SAN?

Can I just use the cert for server1 for both server1 and server2?

Does the order matter?

Does this config make sense for a cluster that has both mgmt and data interfaces using a VIP?

 

Server3 cert Subscriber

Server3 FQDN:site2clearpass.ourdomain.com

CN:site2clearpass.ourdomain.com

SAN= DNS:cppm3.ourdomain.com,DNS:cppmd3.ourdomain.com,DNS:site2clearpass.ourdomain.com

 

Do I need to add the server IP info in the SAN or will domain names be enough?

 

Cheers

P

Guru Elite

Re: CPPM 6.3 certificates, ssl, radius, onboard

Feel free to download the CPPM Certificates 101 Technote here:  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx

 

It will have the answers to a number of your questions.

 



Colin Joseph
Aruba Customer Engineering


Moderator

Re: CPPM 6.3 certificates, ssl, radius, onboard

Many thanks for taking the time to document your requirements so carefully. I wanted to ask if, after reading my TechNote that Colin pointed you at, you had any outstanding questions?

 

Also, here is my take on your questions regardless :)

 

YES you can use the same cert on the PUB and the SUB in site1. 

 

Re the SAN field: add EVERYTHING and MORE..... The reason is, if you need to go back and re-issue the server cert because you decided to get a new SUB for site1, what a pain.... So think carefully about how you build your CSR.... add the IP addresses as well....

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

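As a worked example of the "put everything in the SAN" advice above (added here; this is not code from the thread, the TechNote, or Aruba), the script below builds the site1 cluster CSR with the CN, every mgmt/data hostname of both members, the VIP name, and the data/VIP IPs from the post as SANs, then reads the SAN back out of the CSR and checks that a required list of names is present. It assumes `openssl` is on the PATH; the file names, the `O=` value and the 2048-bit RSA key size are assumptions, not anything the thread specifies. Two caveats worth knowing before you send such a CSR to a CA: the SAN list is a set, so order is irrelevant, and a public CA will not issue certificates containing private (RFC 1918) IP addresses or non-public names, so a SAN that includes 10.x addresses is only an option for the internal CA.

```shell
#!/bin/sh
# Added example (not from the thread): build a ClearPass cluster CSR whose SAN
# covers the VIP name plus every member's mgmt and data name and IP, then verify
# the CSR actually carries each required entry. Assumes openssl is installed.
set -e

# Scratch directory for key, config and CSR (assumed layout).
WORK="${WORK:-$(mktemp -d)}"

# OpenSSL request config. Names/IPs are the ones from the post; O= is assumed.
write_req_cnf() {
  cat > "$WORK/site1.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = site1clearpass.ourdomain.com
O  = ourdomain

[ v3_req ]
subjectAltName   = @alt_names
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = site1clearpass.ourdomain.com
DNS.2 = cppm1.ourdomain.com
DNS.3 = cppmd1.ourdomain.com
DNS.4 = cppm2.ourdomain.com
DNS.5 = cppmd2.ourdomain.com
IP.1  = 10.200.1.102
IP.2  = 10.200.1.100
IP.3  = 10.200.1.101
EOF
}

# Generate a fresh RSA key and the CSR; print the CSR path.
make_csr() {
  write_req_cnf
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/site1.key" -out "$WORK/site1.csr" \
    -config "$WORK/site1.cnf" 2>/dev/null
  echo "$WORK/site1.csr"
}

# Print the SAN entries of a CSR one per line, e.g. "DNS:cppm1.ourdomain.com"
# or "IP Address:10.200.1.102" (openssl's own spelling of the entries).
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 only if every required entry is present in the SAN. Order does not
# matter; what matters is that the VIP name clients connect to, and every node
# name, is listed, because none of those is the CN of the individual nodes.
check_csr_covers() {
  csr="$1"; shift
  sans="$(csr_sans "$csr")"
  rc=0
  for want in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qx "$want"; then
      echo "missing from SAN: $want" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage entry point: build the CSR, list its SAN, and check the site1 names.
main() {
  csr="$(make_csr)"
  csr_sans "$csr"
  check_csr_covers "$csr" \
    DNS:site1clearpass.ourdomain.com DNS:cppm1.ourdomain.com \
    DNS:cppm2.ourdomain.com "IP Address:10.200.1.102" \
    && echo "CSR covers all required names"
}
```

Source the file and call `main` to run it end to end; re-run `check_csr_covers` against the issued certificate's CSR whenever a node is added to the cluster, since a name missing from the SAN means a re-issue, which is exactly the pain described above.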
Occasional Contributor II

Re: CPPM 6.3 certificates, ssl, radius, onboard

Hi Dannyjump

 

It is the document I have been searching for. It is extremely helpful.

 

Many Thanks

 

P

Occasional Contributor II

Re: CPPM 6.3 certificates, ssl, radius, onboard

It seems the game has changed for internal IPs

 

https://www.digicert.com/internal-names.htm
