Frequent Contributor II

CPPM Termination Cluster with Certificate using Multiple Subject Alternative Names

I am trying to verify that this will work before purchasing a new certificate. I'm moving from MS NPS to ClearPass for RADIUS authentication and need a new certificate. I have two ClearPass servers configured in a cluster with no shared VIP. Can I use one certificate with multiple SANs on both devices?

 

For instance, the FQDNs for both boxes are clearpass01.domain.com and clearpass02.domain.com.

 

I was going to make the main URL clearpass.domain.com and the two SANs:

clearpass01.domain.com

clearpass02.domain.com

 

Will this work or do I need to get a certificate for each server? I was using a wildcard for certificate validation on the supplicant.

 

Thanks,

 

Rosie

Guru Elite

Re: CPPM Termination Cluster with Certificate using Multiple Subject Alternative Names

Yes, you can.

 

The common name should be something generic, as this is what will be presented to users when tunneled EAP methods are in use. Each server should have a SAN defined.

 

The supplicant only needs to be configured for the common name. SANs are ignored with EAP.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
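One way to build the single CSR discussed in this thread (generic common name plus one SAN per server) with OpenSSL, and to check its names before sending it to the CA. This is an added example, not part of either post; the hostnames come from the thread, while the file names, key size and function names are assumptions.

```shell
# Hostnames are the ones from the thread; everything else is an assumption.
CN="clearpass.domain.com"
SANS="clearpass01.domain.com clearpass02.domain.com"

# make_cluster_csr DIR: write csr.cnf, clearpass.key and clearpass.csr into DIR.
make_cluster_csr() {
    outdir="$1"
    cnf="$outdir/csr.cnf"

    # Turn the space-separated host list into DNS.1 = ..., DNS.2 = ... lines.
    alt_names=""
    i=1
    for host in $SANS; do
        alt_names="${alt_names}DNS.${i} = ${host}
"
        i=$((i + 1))
    done

    cat > "$cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = $CN

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
$alt_names
EOF

    # One key pair and one CSR; the issued certificate is installed on both nodes.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$cnf" \
        -keyout "$outdir/clearpass.key" \
        -out "$outdir/clearpass.csr" 2>/dev/null || return 1
    chmod 600 "$outdir/clearpass.key"
}

# show_csr_names FILE: print the subject and SAN entries of a CSR for review.
show_csr_names() {
    openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}
```

Run `make_cluster_csr /some/dir` and then `show_csr_names /some/dir/clearpass.csr` to confirm the common name and both server SANs are present before submitting the request.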