Occasional Contributor II

CPPM - Using same public certificate for Captive Portal and Radius Server

Hi all,

I have a wireless network with two SSIDs: one corporate SSID with 802.1X authentication and a guest network with a captive portal configured on CPPM.

Currently, termination of the 802.1X session is on the controller (Aruba 3200 (master) and Aruba 7030 (local)), and we are planning to move authentication directly to CPPM. On ClearPass I have just installed a public certificate for the captive portal (as the HTTPS Server Certificate), so my question is: can I use the same certificate also as the RADIUS certificate? I can't use a self-signed certificate because I don't want to manually uncheck "validate server certificate" in the wireless network card settings, since I have about 300 laptops.

Thanks to all 

Guru Elite

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

As long as it's not a wildcard or EV certificate, yes you can.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

Ok,

I checked and found that we have a "*.domain.net" certificate, so it is a wildcard certificate. But I'm new in this area: why can't I use it for both services? Do you know a workaround for this?

Guru Elite

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

Some client operating systems will reject a wildcard certificate for EAP (which is a good thing from a security standpoint). You should acquire a basic, single name certificate for use with EAP (auth.domain.xyz, network-login.domain.xyz, etc).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

If these clients are in Active Directory, you can use group policies to push out your private CA root certificate and the WLAN settings.


Check out Aruba ClearPass Workshop - Wireless #4 - AD Client Certificates EAP-TLS to see how you can set that up, where this video even enrolls client certificates.


If you request a new public RADIUS certificate for ClearPass, try to get one with as long a lifetime as possible (5-10 years). Changing RADIUS certs can be risky, especially when you switch CAs, or your CA internally switches intermediate CAs.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

Hi,

before buying a new public certificate, I tried to set a group policy in the Active Directory domain, but unfortunately it doesn't work. We configured a wireless network with WPA2 Enterprise - AES, authentication method: Microsoft PEAP with user or computer authentication, and unchecked "validate server certificate", but when I try to connect to ClearPass the authentication is rejected with the alert:

"EAP-PEAP: fatal alert by client - unknown_ca eap-tls: Error in establishing TLS session".

Did I miss something? Do I have to add the CPPM certificate to the wireless configuration?

Until now we have used termination on the controller, but the default certificate expires on 08/11/2017, so we want to pass authentication directly to CPPM.

As I can't use the wildcard certificate on CPPM, I created a self-signed certificate.

Thanks for your help


Best Regards

Guru Elite

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

As mentioned, before you go any further, you need to acquire a public CA-signed, single domain certificate.

You should NEVER uncheck validate server certificate. With that unchecked, all of your users' credentials are at risk.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

Ok,

thanks for the advice, but unfortunately, due to some internal issues, we can't buy a certificate from a public CA for the moment; we are using a trial certificate on the controller and it will expire soon.

If I use a self-signed certificate created by CPPM, do you know of a "how to" or similar: is there a way to update the Certification Authority list on Windows wireless clients via GPO in Active Directory?

Thanks


Giuseppe Pasinelli

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

This video (and some other parts of the series) may help.

If you don't have AD Certificate Services, which automatically pushes its root to the domain computers, you should be able to do it in the GPO:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities:

(screenshot: ca-policy.png)

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Guru Elite

Re: CPPM - Using same public certificate for Captive Portal and Radius Server

Self-signed certificates are NEVER recommended for EAP as many clients will reject them.

If you choose to use one, yes you'd have to use group policy to install it into the local cert store and also configure the 802.1X supplicant.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
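As an added example that is not part of the thread or of any Aruba or ClearPass tooling, the PowerShell below puts the advice from the replies above into a single check an administrator can run on a domain workstation: it inspects an exported RADIUS/EAP server certificate for the pitfalls discussed (wildcard name, self-signed, missing Server Authentication EKU, imminent expiry) and, on request, imports a private root CA into the machine's Trusted Root store, the same store the GPO path quoted above populates. The file paths and the names in comments are assumptions for illustration; the script uses only the .NET X509Certificate2 API and the built-in Import-Certificate cmdlet.

```powershell
# Added example (not from the thread or from ClearPass): assess a RADIUS/EAP
# server certificate and optionally trust a private root CA on this machine.
# $ServerCertPath and $RootCaPath are assumed locations of exported .cer files.
param(
    [string]$ServerCertPath = 'C:\certs\clearpass-radius.cer',   # assumed path
    [string]$RootCaPath     = 'C:\certs\private-root-ca.cer',    # assumed path
    [switch]$ImportRootCa
)

function Test-EapServerCertificate {
    param([Parameter(Mandatory)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $findings = @()

    # Collect every DNS name the certificate claims: subject CN plus SAN entries.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $names = @($cert.GetNameInfo($dnsType, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders e.g. "DNS Name=auth.domain.xyz, DNS Name=*.domain.xyz"
        $names += ($san.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    $names = $names | Where-Object { $_ } | Select-Object -Unique

    # Wildcard names: some supplicants reject them for EAP (the point made above).
    if ($names | Where-Object { $_ -match '^\*' }) {
        $findings += "wildcard name present: $($names -join ', ')"
    }
    # Self-signed: subject equals issuer, so clients trust it only after a root push.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'self-signed (subject equals issuer)'
    }
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what Windows PEAP clients require.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $findings += 'missing Server Authentication EKU'
    }
    # RADIUS certificate rollover is disruptive, so warn well ahead of expiry.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt 90) {
        $findings += "expires in $daysLeft days ($($cert.NotAfter.ToShortDateString()))"
    }

    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        DnsNames       = $names
        NotAfter       = $cert.NotAfter
        Findings       = $findings
        SuitableForEap = ($findings.Count -eq 0)
    }
}

Test-EapServerCertificate -Path $ServerCertPath | Format-List

if ($ImportRootCa) {
    # Per-machine equivalent of the GPO setting
    # Computer Configuration > Policies > Windows Settings > Security Settings >
    # Public Key Policies > Trusted Root Certification Authorities.
    Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    # Confirm the root is now present so supplicants can validate the server certificate.
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Subject, Thumbprint, NotAfter
}
```

Run it from an elevated prompt; the import step writes to the machine store. A result whose Findings list is empty is a certificate that the replies above would accept for EAP; a wildcard or self-signed finding is the reason the supplicant shows the "unknown_ca" alert quoted earlier, and the fix is a single-name, publicly signed certificate, not unchecking server validation.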