Contributor II

CPPM Certificates

Hi,

Just wanted to check with you guys about CPPM cluster deployments.

I have read the CPPM Certificates document and still not sure so hence why I am creating this post.

So I will have two servers deployed as a publisher and subscriber pair, which are in the same subnet with a VIP between them. I will have two SSIDs, one for DOTX and one for Guest.

For the RADIUS server cert I will get the VIP to resolve to the CN name by adding a DNS entry. The certificate will be an internal cert for this. This is fine, I am happy with this.

For the guest certificate (HTTPS) they will have a public certificate, and will have a separate certificate on the controller side. What should the CN name be, and should this be resolvable? Should there be an alias put in for this? Do I need to create another VIP on the guest network? What is the best practice configuration in terms of certificates when you have a DOTX and a guest SSID going through ClearPass?

Can you also confirm what the behaviour would be if the same cert was used for CPPM guest and the wireless controller? What would be the client behaviour?

Thanks

Guru Elite

Re: CPPM Certificates

- The EAP server certificate does not need to match an FQDN.
- Do not use the same web server certificate on ClearPass and the controller.
-- For ClearPass, the web server certificate should contain the FQDNs for the VIP and individual nodes (VIP as CN, VIP + nodes as SubjectAltNames). This should always be a public CA-signed certificate.
-- For the controller’s captive portal certificate, the common name should be something generic and user friendly (like network-login.yourdomain.com) and should not be defined in DNS. This should always be a public CA-signed certificate.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
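A small checker for the cluster certificate layout described above (VIP as CN, VIP plus every node as SubjectAltNames, and no name shared with the controller's captive portal certificate). This is an added example, not code from the thread or from Aruba; the VIP and node FQDNs are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder names for a publisher/subscriber pair behind a VIP.
CPPM_VIP = "clearpass.example.com"
CPPM_NODES = ["cppm-pub.example.com", "cppm-sub.example.com"]


@dataclass
class CertNames:
    """The identity fields of a planned certificate: Subject CN plus DNS SANs."""
    common_name: str
    subject_alt_names: list = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match: exact, or a lone '*' as the leftmost label
    standing for exactly one label (never across a dot, never a bare TLD)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cppm_cert_problems(cert: CertNames, vip: str, nodes: list) -> list:
    """Deviations from the advice above: VIP as CN, VIP and every node as SANs."""
    problems = []
    if cert.common_name.lower() != vip.lower():
        problems.append(f"CN should be the VIP {vip}, got {cert.common_name}")
    if not cert.subject_alt_names:
        problems.append("no SubjectAltNames: modern browsers ignore the CN")
    for name in [vip, *nodes]:
        if not any(dns_name_matches(san, name) for san in cert.subject_alt_names):
            problems.append(f"{name} is not covered by any SAN")
    return problems


def _all_names(cert: CertNames) -> set:
    return {cert.common_name.lower(), *(s.lower() for s in cert.subject_alt_names)}


def shared_names(cppm: CertNames, portal: CertNames) -> set:
    """Names present in both certs; non-empty means one cert is serving both roles."""
    return _all_names(cppm) & _all_names(portal)


def openssl_san_value(vip: str, nodes: list) -> str:
    """subjectAltName value for an openssl req config covering the VIP and nodes."""
    return ",".join(f"DNS:{n}" for n in [vip, *nodes])
```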

Contributor II

Re: CPPM Certificates

Thank you for your reply. Sorry for the late response.

Seems like I have been doing it incorrectly so far.

Just need clarification on this:
"Do not use the same web server certificate on ClearPass and the controller."

Can you please explain what the client behaviour will be if the same cert is used? I just want to make sure I can explain this to my customer so he knows it is essential to use a different cert for his HP MSM controllers.

Guru Elite

Re: CPPM Certificates

1) the controller intercepts the CN
2) it's poor security practice

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Contributor II

Re: CPPM Certificates

Thanks for the confirmation.