Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM RADIUS server certificate

  • 1.  CPPM RADIUS server certificate

    Posted Jul 07, 2018 02:05 AM

    We currently have a cluster of one Pub/Sub CPPM. Both have the same Internal RADIUS server certificate installed & currently used for an SSID (EAP-TLS authentication). The new plan is to deploy one more SSID and use EAP-TLS as well; however, these 2 SSIDs/users are in completely different environments.

    My question is: can I install one more internal RADIUS server certificate on pub/sub and use it for this new SSID? So the two SSIDs will use different internal certs to authenticate? The only reason I want to do this is not to mix different environments using the same cert to authenticate.



  • 2.  RE: CPPM RADIUS server certificate

    MVP EXPERT
    Posted Jul 07, 2018 04:44 AM
    You can only deploy one RADIUS and one HTTPS certificate, and they must be the same on the publisher and subscriber node.

    The client checks the RADIUS server certificate against its CA trust list to trust the ClearPass server.

    ClearPass checks the machine and/or user certificate against its CA trust list to trust the machine or user.

    If you look in the ClearPass Access Tracker you can see that an EAP-TLS authentication has just an IETF-Radius-Username with the value “username” or “machine name” that will be authenticated against your authentication server.

    So there is no issue. You can make roles and enforcement profiles based on, for example, “authentication source equals “ad1””. Or make roles based on AD group membership or OU.

    Hope this helps you!


  • 3.  RE: CPPM RADIUS server certificate

    EMPLOYEE
    Posted Jul 07, 2018 08:41 AM
    You can use a per-service EAP server certificate but it really needs to be planned out well. You need to scope the service on something like SSID or username format.

    Also, keep in mind that the server identity has nothing to do with the client certificate trust chain. Said differently, you can use the same EAP server cert with different client cert issuers.

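The two independent trust checks described in the replies above, as an added example that is not part of this thread or of any HPE Aruba code: a shell script that uses openssl to build a throwaway PKI with one EAP server certificate and client certificates from two different issuer CAs, then runs the supplicant-side check and the ClearPass-side check separately. The CA names and the host name cppm.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): builds a throwaway PKI with openssl to show
# the two independent trust checks in EAP-TLS. All CA and host names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension files so the result does not depend on the local openssl.cnf defaults.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

make_ca() {  # $1 = CA name; a self-signed root of the kind that sits in a CA trust list
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile ca.ext -out "$1.crt" 2>/dev/null
}
issue() {  # $1 = issuing CA, $2 = subject CN, $3 = extension file
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial -days 1 \
    -extfile "$3" -out "$2.crt" 2>/dev/null
}

make_ca ServerCA                              # issues the single RADIUS/EAP server cert
make_ca CorpClientCA                          # issues user certs for the first SSID
make_ca LabClientCA                           # issues user certs for the second SSID
issue ServerCA cppm.example.test server.ext   # the one EAP server certificate
issue CorpClientCA corp-user client.ext
issue LabClientCA lab-user client.ext

# Check 1, done by the supplicant: does the server cert chain to a CA in the client's trust list?
supplicant_trusts_server() { openssl verify -CAfile "$1" cppm.example.test.crt >/dev/null 2>&1; }
# Check 2, done by ClearPass: does the client cert chain to a CA in ClearPass's trust list?
cppm_trusts_client() { openssl verify -CAfile "$1" "$2.crt" >/dev/null 2>&1; }

# ClearPass's trust list can hold both client-cert issuers while one server cert serves both SSIDs.
cat CorpClientCA.crt LabClientCA.crt > cppm-trust.pem
supplicant_trusts_server ServerCA.crt        && echo "supplicant trusts the server cert (both SSIDs)"
cppm_trusts_client cppm-trust.pem corp-user  && echo "ClearPass trusts corp-user"
cppm_trusts_client cppm-trust.pem lab-user   && echo "ClearPass trusts lab-user"
cppm_trusts_client CorpClientCA.crt lab-user || echo "lab-user rejected: LabClientCA is not in that trust list"
supplicant_trusts_server CorpClientCA.crt    || echo "server cert is not trusted via a client CA: the checks are separate"
```

Scoping which client CA is accepted per SSID is then a matter of which trust list the service uses, not of which server certificate is presented.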

  • 4.  RE: CPPM RADIUS server certificate

    MVP EXPERT
    Posted Jul 07, 2018 11:35 AM
    Tim is also right 👍