Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Certificates

  • 1.  CPPM Certificates

    Posted Aug 06, 2018 04:15 PM

    Hi,

    Just wanted to check with you guys about CPPM cluster deployments.

    I have read the CPPM Certificates document and am still not sure, which is why I am creating this post.

    So I will have two servers deployed as a publisher and subscriber pair, which are in the same subnet and have a VIP between them. I will have two SSIDs: one will be DOTX and one Guest.

    For the RADIUS server cert I will get the VIP to resolve to the CN name by putting in a DNS entry. The certificate will be an internal cert for this. This is fine; I am happy with this.

    For the guest certificate (HTTPS) they will have a public certificate, and will have a separate certificate on the controller side. What should the CN name be, and should this be resolvable? Should there be an alias put in for this? Do I need to create another VIP on the guest network? What is the best practice configuration in terms of certificates when you have a DOTX and a guest SSID going through ClearPass?

    Can you also confirm what the behaviour would be if the same cert was used for CPPM guest and the wireless controller? What would be the client behaviour?

    Thanks



  • 2.  RE: CPPM Certificates
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2018 04:21 PM
    - The EAP server certificate does not need to match an FQDN.
    - Do not use the same web server certificate on ClearPass and the controller.
    -- For ClearPass, the web server certificate should contain the FQDNs for the VIP and individual nodes (VIP as CN, VIP + nodes as SubjectAltNames). This should always be a public CA-signed certificate.
    -- For the controller’s captive portal certificate, the common name should be something generic and user friendly (like network-login.yourdomain.com) and should not be defined in DNS. This should always be a public CA-signed certificate.
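    As an added example (not from the thread above and not Aruba's own tooling), the following script produces the two certificate signing requests that match the layout in the answer above: one for the ClearPass web server with the VIP FQDN as CN and the VIP plus both node FQDNs as SubjectAltNames, and a separate one for the controller's captive portal with only a generic login name. The CSRs are what you would submit to a public CA; the script also includes a check that a given CSR's SAN list covers every hostname clients might use. All hostnames, the organisation name and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: CSRs for the ClearPass web server cert and the controller
# captive portal cert, plus a SAN coverage check. Not part of the original
# thread; every hostname and the org name below is an assumption.
set -e

VIP_FQDN="clearpass.example.com"                        # assumed cluster VIP name
NODE_FQDNS="cppm-pub.example.com cppm-sub.example.com"  # assumed publisher/subscriber names
PORTAL_FQDN="network-login.example.com"                 # assumed generic portal name, not in DNS

# make_csr DIR NAME CN HOST...
# Writes DIR/NAME.key and DIR/NAME.csr. CN goes into the subject; every HOST
# (the CN included) goes into subjectAltName, because browsers match the
# requested hostname against the SAN list, not the CN.
make_csr() {
    dir="$1"; name="$2"; cn="$3"; shift 3
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    mkdir -p "$dir"
    cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
O = Example Corp
[ext]
subjectAltName = $san
extendedKeyUsage = serverAuth
EOF
    # A fresh 2048-bit RSA key per CSR: the two services must not share a key pair.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    printf '%s\n' "$dir/$name.csr"
}

# csr_covers CSR HOST...
# Returns 0 if every HOST appears as a DNS entry in the CSR's SAN list, else 1.
csr_covers() {
    csr="$1"; shift
    sans=$(openssl req -in "$csr" -noout -text \
           | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ')
    for h in "$@"; do
        case ",$sans," in
            *",DNS:$h,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# ClearPass web server certificate: VIP as CN, VIP + individual nodes as SANs,
# so HTTPS works whether a client hits the VIP or one node directly.
cppm_csr() {
    # $NODE_FQDNS is deliberately unquoted so it splits into one argument per node.
    make_csr "$1" cppm-web "$VIP_FQDN" "$VIP_FQDN" $NODE_FQDNS
}

# Controller captive portal certificate: separate key and CSR, generic CN only.
portal_csr() {
    make_csr "$1" captive-portal "$PORTAL_FQDN" "$PORTAL_FQDN"
}
```

    Usage: source the script, then `cppm_csr ./certs` and `portal_csr ./certs` write `cppm-web.csr` and `captive-portal.csr` under `./certs`; before submitting, `csr_covers ./certs/cppm-web.csr clearpass.example.com cppm-pub.example.com cppm-sub.example.com` confirms nothing was dropped from the SAN list. Keeping the portal CSR separate, with its own key, is what makes "do not use the same web server certificate on ClearPass and the controller" concrete.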


  • 3.  RE: CPPM Certificates

    Posted Aug 10, 2018 11:14 AM

    Thank you for your reply. Sorry for the late response.

    Seems like I have been doing it incorrectly so far.

    Just need clarification on this:
    "Do not use the same web server certificate on ClearPass and the controller."

    Can you please explain what will be the client behaviour if the same cert is used? Just want to make sure I can explain this to my customer so he knows it is essential to use a different cert for his HP MSM controllers.



  • 4.  RE: CPPM Certificates

    EMPLOYEE
    Posted Aug 10, 2018 11:17 AM
    1) the controller intercepts the CN
    2) it's poor security practice


  • 5.  RE: CPPM Certificates

    Posted Aug 10, 2018 11:20 AM

    Thanks for the confirmation.