Greetings
I am setting up CPPM for our environment with the following configuration.
One requirement is to support PEAP clients as well as onboarded clients on the same SSID.
CPPM version 6.3
DNS:
cppmd1 IN A 10.200.1.100
cppmd2 IN A 10.200.1.101
cppmd3 IN A 10.200.2.100
site1clearpass IN A 10.200.1.102
site2clearpass IN CNAME cppmd3.ourdomain.com.
cppm1 IN A 10.100.1.100
cppm2 IN A 10.100.1.101
cppm3 IN A 10.100.2.100
Campus 1:
Publisher
cppm1.ourdomain.com
mgmt interface 10.100.1.100/24
data interface 10.200.1.100/24
VIP interface 10.200.1.102/24
Subscriber1:
cppm2.ourdomain.com
mgmt interface 10.100.1.101/24
data interface 10.200.1.101/24
VIP interface 10.200.1.102/24
Campus2:
Subscriber2:
cppm3.ourdomain.com
mgmt interface 10.100.2.100/24
data interface 10.200.2.100/24
Our requirements:
Create certs to be used for SSL and RADIUS authentication for PEAP,
and use the internal CA for onboarding and assigning certificates.
Server1 cert (Publisher)
Server1 FQDN:site1clearpass.ourdomain.com
CN:site1clearpass.ourdomain.com
SAN=DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com,DNS:site1clearpass.ourdomain.com,DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com
Server2 cert (Subscriber)
Server2 FQDN:site1clearpass.ourdomain.com
CN:site1clearpass.ourdomain.com
SAN=DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com,DNS:site1clearpass.ourdomain.com,DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com
Questions I have:
Does the VIP domain name site1clearpass.ourdomain.com have to be included in the SAN?
Can I just use the cert for Server1 for both Server1 and Server2?
Does the order matter?
Does this config make sense for a cluster that has both mgmt and data interfaces using a VIP?
Server3 cert (Subscriber)
Server3 FQDN:site2clearpass.ourdomain.com
CN:site2clearpass.ourdomain.com
SAN=DNS:cppm3.ourdomain.com,DNS:cppmd3.ourdomain.com,DNS:site2clearpass.ourdomain.com
Do I need to add the server IP info in the SAN or will domain names be enough?
Cheers
P
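The following is a worked example added by the editor; it is not part of the original post and not ClearPass code. It applies the server-identity matching rules of RFC 6125 (what a TLS client or 802.1X supplicant does when it compares the certificate against the name it was told to expect) to the Server1 certificate plan from the post, so you can see which of the names in the post a client would accept. The CN and SAN strings are copied from the post; the list of reference names a client might present (VIP name, a node name in a different case, a Campus 2 node, the VIP IP literal) is an assumption made for the example. Three properties of the matching rules are visible in the output: DNS entries in the SAN are compared case-insensitively and as a set, so their order does not matter; the subject CN is only consulted when the SAN carries no DNS entry at all; and a literal IP address is only accepted against an IP: entry, never against a DNS entry or the CN. EAP supplicants layer their own server-name checks on top of this and do not all follow RFC 6125 to the letter, so treat this as the strict TLS baseline.

```python
"""Check which reference identities a planned server certificate covers.

Implements the hostname-matching rules of RFC 6125 that a TLS client or
802.1X supplicant applies to a server certificate. Added example for the
post above: the CN and SAN strings are copied from the post, the list of
reference names is an assumption made for illustration.
"""
import ipaddress


def parse_san(san_string):
    """Parse an OpenSSL-style SAN string such as
    "DNS:a.example,DNS:b.example,IP:10.0.0.1" into a set of (kind, value)
    tuples. Line breaks, spaces and an optional leading "SAN=" are tolerated
    because that is how the post wrote them. DNS names are lower-cased and
    stripped of a trailing dot; IPs are normalised via ipaddress.
    The result is a set: SAN order never influences matching."""
    text = san_string.replace("\n", "").strip()
    if text.upper().startswith("SAN="):
        text = text[4:]
    entries = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"SAN entry without a type prefix: {item!r}")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS":
            entries.add(("DNS", value.lower().rstrip(".")))
        elif kind == "IP":
            entries.add(("IP", str(ipaddress.ip_address(value))))
        else:
            raise ValueError(f"unsupported SAN type {kind!r} in {item!r}")
    return entries


def dns_matches(pattern, hostname):
    """RFC 6125 section 6.4.3: case-insensitive exact match, or a wildcard
    that is the entire left-most label ("*.ourdomain.com") matching exactly
    one label. No partial-label wildcards, no matching across dots."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels = pattern.split(".")
        h_labels = hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def identity_matches(cn, san, reference):
    """Decide whether a client expecting `reference` (a DNS name or a
    literal IP address) accepts a certificate with subject CN `cn` and the
    SAN set `san` (as produced by parse_san).
      * a literal IP is matched only against IP entries in the SAN
      * a DNS name is matched against DNS entries in the SAN
      * the CN is consulted only if the SAN contains no DNS entry at all
        (RFC 6125 section 6.4.4); otherwise the CN is ignored."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return ("IP", str(ip)) in san
    if any(kind == "DNS" for kind, _ in san):
        return any(kind == "DNS" and dns_matches(value, reference)
                   for kind, value in san)
    return dns_matches(cn, reference)   # legacy CN-only certificate


def check_certificate(cn, san_string, references):
    """Return {reference: covered?} for every name or IP a client may use."""
    san = parse_san(san_string)
    return {ref: identity_matches(cn, san, ref) for ref in references}


# Certificate plan for Server1, copied from the post (including the line
# break and leading comma of the SAN continuation line).
SERVER1_CN = "site1clearpass.ourdomain.com"
SERVER1_SAN = """DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com,DNS:site1clearpass.ourdomain.com
,DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com"""

# Assumed reference identities a client or NAD might be configured with:
# the VIP name, a node name in different case, a Campus 2 node, the VIP IP.
ASSUMED_REFERENCES = [
    "site1clearpass.ourdomain.com",
    "CPPMD1.ourdomain.com",
    "cppm3.ourdomain.com",
    "10.200.1.102",
]

if __name__ == "__main__":
    for ref, ok in check_certificate(SERVER1_CN, SERVER1_SAN, ASSUMED_REFERENCES).items():
        print(f"{ref:32} {'covered' if ok else 'NOT covered'}")
    # Adding an IP entry is the only way to cover a literal IP address.
    with_ip = SERVER1_SAN + ",IP:10.200.1.102"
    print("VIP IP after adding an IP SAN:",
          check_certificate(SERVER1_CN, with_ip, ["10.200.1.102"]))
```

Run as-is, the script reports the VIP name and cppmd1 (in any letter case) as covered, cppm3 as not covered by the Server1 certificate, and the literal VIP IP as not covered until an IP: entry is appended. The same functions can be pointed at the Server2 and Server3 plans from the post by swapping in their CN and SAN strings.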