Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM 6.3 certificates, ssl, radius, onboard

  • 1.  CPPM 6.3 certificates, ssl, radius, onboard

    Posted May 15, 2014 10:49 PM

    Greetings

     

    I am setting up CPPM for our environment with the following configuration.

    One requirement is to support PEAP clients as well as onboarded clients on the same SSID.

     

    CPPM version 6.3

    dns:

    cppmd1                IN      A       10.200.1.100
    cppmd2                IN      A       10.200.1.101
    cppmd3                IN      A       10.200.2.100
    site1clearpass        IN      A       10.200.1.102
    site2clearpass        IN      CNAME   cppmd3.ourdomain.com.
    cppm1                 IN      A       10.100.1.100
    cppm2                 IN      A       10.100.1.101
    cppm3                 IN      A       10.100.2.100

     

     

    Campus 1:

    Publisher
    cppm1.ourdomain.com
    mgmt interface 10.100.1.100/24
    data interface 10.200.1.100/24
    VIP interface  10.200.1.102/24

    Subscriber1:
    cppm2.ourdomain.com
    mgmt interface 10.100.1.101/24
    data interface 10.200.1.101/24
    VIP interface  10.200.1.102/24

    Campus2:

    Subscriber2:
    cppm3.ourdomain.com
    mgmt interface 10.100.2.100/24
    data interface 10.200.2.100/24

     

    Our requirements:

    Create certs to be used for SSL and RADIUS authentication for PEAP,
    and use an internal CA for onboarding and assigning certificates.

     

    Server1 cert publisher
    Server1 FQDN: site1clearpass.ourdomain.com
    CN: site1clearpass.ourdomain.com
    SAN = DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com,DNS:site1clearpass.ourdomain.com,DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com

    Server2 cert Subscriber
    Server2 FQDN: site1clearpass.ourdomain.com
    CN: site1clearpass.ourdomain.com
    SAN = DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com,DNS:site1clearpass.ourdomain.com,DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com

     

    Questions I have:

    Does the VIP domain name site1clearpass.ourdomain.com have to be included in the SAN?
    Can I just use the cert for server1 for both server1 and server2?
    Does the order matter?
    Does this config make sense for a cluster that has both mgmt and data interfaces using a VIP?

     

    Server3 cert Subscriber
    Server3 FQDN: site2clearpass.ourdomain.com
    CN: site2clearpass.ourdomain.com
    SAN = DNS:cppm3.ourdomain.com,DNS:cppmd3.ourdomain.com,DNS:site2clearpass.ourdomain.com

    Do I need to add the server IP info in the SAN, or will domain names be enough?

     

    Cheers

    P


    #6.3


  • 2.  RE: CPPM 6.3 certificates, ssl, radius, onboard
    Best Answer

    EMPLOYEE
    Posted May 15, 2014 11:26 PM

    Feel free to download the CPPM Certificates 101 Technote here:  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/7961/Default.aspx

     

    It will have the answers to a number of your questions.

     



  • 3.  RE: CPPM 6.3 certificates, ssl, radius, onboard

    Posted May 16, 2014 11:11 AM

    Many thanks for taking the time to document your requirements so carefully. I wanted to ask whether, after reading my TechNote that Colin pointed you at, you have any outstanding questions.

     

    Also, here is my take on your questions regardless :)

     

    YES you can use the same cert on the PUB and the SUB in site1. 

     

    Re the SAN field, add EVERYTHING and MORE..... the reason is that if you need to go back and re-issue the server cert because you decided to get a new SUB for site1, what a pain.... so think carefully about how you build your CSR.... add the IP addresses as well....

     
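To make the "add everything to the SAN" advice concrete, here is an added example of building and checking such a CSR with OpenSSL. It is my code, not code from the thread, from the Certificates 101 TechNote or from HPE Aruba. The DNS names and addresses are taken from the poster's DNS listing; the choice to put the data-interface and VIP IPs into the SAN, and the serverAuth extended key usage, are assumptions of the example rather than anything the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or from HPE Aruba): build a CSR whose
# SAN lists every name a site1 ClearPass node can be reached by, then read
# the SAN back out of the CSR before sending it to the CA.
# Names/addresses: from the poster's DNS listing. Assumptions of this
# example: the IP entries and the serverAuth EKU.
set -e

CN="site1clearpass.ourdomain.com"

# One entry per name/address a supplicant, browser or NAS might use for
# the site1 publisher, subscriber or VIP. Listing everything up front
# avoids re-issuing the cert when a node is renamed or added later.
SANS="DNS:site1clearpass.ourdomain.com,\
DNS:cppm1.ourdomain.com,DNS:cppmd1.ourdomain.com,\
DNS:cppm2.ourdomain.com,DNS:cppmd2.ourdomain.com,\
IP:10.200.1.102,IP:10.200.1.100,IP:10.200.1.101"

# make_csr DIR: write DIR/site1.key (2048-bit RSA, unencrypted) and
# DIR/site1.csr; the SAN travels in the CSR as a requested extension.
make_csr() {
    dir="$1"
    cat > "$dir/site1.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $CN

[ v3_req ]
subjectAltName   = $SANS
keyUsage         = critical, digitalSignature, keyEncipherment
# PEAP supplicants (Windows in particular) require the server-auth EKU.
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/site1.key" -out "$dir/site1.csr" \
        -config "$dir/site1.cnf" 2>/dev/null
}

# csr_sans CSR: print the SAN as openssl parses it from the CSR, normalised
# to a comma-separated "DNS:name,IP:addr" list (openssl prints "IP Address:").
csr_sans() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | sed 's/IP Address:/IP:/g; s/[[:space:]]//g'
}

# csr_has CSR ENTRY: succeed iff ENTRY (e.g. "IP:10.200.1.102") is in the SAN.
csr_has() {
    csr_sans "$1" | tr ',' '\n' | grep -qxF "$2"
}

# csr_cn CSR: print the subject CN. Clients following RFC 6125 match on the
# SAN only, so the CN must also appear as a DNS entry in the SAN.
csr_cn() {
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Run `make_csr ./site1` and then `csr_sans ./site1/site1.csr` to confirm every name and address survived, and `csr_has` to spot-check a single entry. Because the answer above says one cert can serve both the PUB and the SUB in site1, a single CSR like this covers both; site2 needs its own with cppm3, cppmd3 and site2clearpass. One caveat on the IP entries: since the CA/Browser Forum baseline requirements took effect (no issuance for reserved IP addresses or internal names after 1 November 2015), a public CA will refuse a SAN containing 10.x addresses, so those entries only make sense when the CSR is signed by the organisation's internal CA.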



  • 4.  RE: CPPM 6.3 certificates, ssl, radius, onboard

    Posted May 16, 2014 08:49 PM

    Hi Dannyjump

     

    It is the document I have been searching for. It is extremely helpful.

     

    Many Thanks

     

    P



  • 5.  RE: CPPM 6.3 certificates, ssl, radius, onboard

    Posted May 30, 2014 02:51 AM

    It seems the game has changed for internal IPs:

     

    https://www.digicert.com/internal-names.htm