Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM VIP setup and hostnames presented to clients

  • 1.  CPPM VIP setup and hostnames presented to clients

    Posted Mar 26, 2015 09:51 AM

    Hello all,


    I have 2 CP-VA-5Ks in the standard publisher/subscriber configuration using a VIP of 10.XX.X.30; CPPM01 is 10.XX.X.31 and CPPM02 is 10.XX.X.32. They both have the correct 3rd-party trusted root certificate with SAN entries for CPPM, CPPM01, and CPPM02. The 7210 controllers point clients to cppm.XXXXX.com for authentication.


    When iOS clients (that's all I've tested so far) connect, they get prompted one time to trust the cert from CPPM01.XXXXX.com; when I test failover and they authenticate to the subscriber CPPM02, they get prompted again to trust the cert from CPPM02.XXXXX.com.


    Is there any way, by using the "hostname" and "FQDN" fields in both CPPM servers, to have clients only see CPPM.XXXXX.com, so if/when they fail over to the subscriber they don't get prompted again to trust the cert? Hoping that makes sense.


  • 2.  RE: CPPM VIP setup and hostnames presented to clients

    EMPLOYEE
    Posted Mar 26, 2015 09:54 AM
    The only way to get around this would be to use a SAN cert with a generic
    name as the common name and use the same certificate on both servers.

    For example, if your servers were:

    - Cppm1.domain.com
    - Cppm2.domain.com

    Use cppm.domain.com as the common name and add the above 2 in the SAN.

    Keep in mind that for RADIUS, the common name doesn't have to match the DNS
    name of the server. It is just what is presented to the client.

    Many universities use a generic "wireless.university.edu" as the CN so it's
    easy to understand by users.


  • 3.  RE: CPPM VIP setup and hostnames presented to clients

    Posted Mar 26, 2015 09:57 AM

    Thanks Tim,


    The CN on the cert is indeed CPPM.XXXXX.com; SAN entries are CPPM.XXXXX.com, CPPM01.XXXXX.com, and CPPM02.XXXXX.com.


    I wonder if this may be an iOS-only issue. I can test with Android later today.



  • 4.  RE: CPPM VIP setup and hostnames presented to clients
    Best Answer

    EMPLOYEE
    Posted Mar 26, 2015 10:00 AM

    Are you using the same cert on both servers?



  • 5.  RE: CPPM VIP setup and hostnames presented to clients

    Posted Mar 26, 2015 10:07 AM

    Fixed! Thank you Tim,


    When the subscriber synced to the pub, the trust list replicated but not the certificate. I failed to change to CPPM02 when I was verifying the server certificate page. I checked CPPM02 and it did have the default cert. I imported the correct cert and it's working properly now.

    Thanks again,



  • 6.  RE: CPPM VIP setup and hostnames presented to clients

    Posted Mar 26, 2015 12:51 PM

    Certs have to be loaded individually onto each node; we do not sync them for the RADIUS or TLS servers.
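
An added example, not code from this thread or from HPE Aruba, illustrating the two checks the replies above boil down to: every node must present the same certificate (since certs are not replicated between publisher and subscriber), and that certificate's SAN must cover the client-facing name plus each node's own FQDN. The hostnames, node labels and certificate bytes below are constructed placeholders; in practice you would export the server certificate from each node's Server Certificate page and feed its DER bytes and SubjectAltName extension value to these functions.

```python
import hashlib
from typing import Dict, List, Tuple


def _read_len(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:                      # short form
        return first, i + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_san_dns_names(san_der: bytes) -> List[str]:
    """Return the dNSName entries of a DER SubjectAltName value (GeneralNames SEQUENCE)."""
    if not san_der or san_der[0] != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    total, i = _read_len(san_der, 1)
    end = i + total
    names: List[str] = []
    while i < end:
        tag = san_der[i]
        length, i = _read_len(san_der, i + 1)
        if tag == 0x82:                   # [2] IMPLICIT IA5String = dNSName
            names.append(san_der[i:i + length].decode("ascii"))
        i += length                       # skip other GeneralName choices (IP, email, ...)
    return names


def encode_san_dns(names: List[str]) -> bytes:
    """Build a SubjectAltName value from dNSNames; only used here to construct sample data."""
    body = b"".join(bytes([0x82, len(n)]) + n.encode("ascii") for n in names)
    assert len(body) < 0x80, "sample encoder supports short-form lengths only"
    return bytes([0x30, len(body)]) + body


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive DNS-ID match allowing one leftmost wildcard label, RFC 6125 style."""
    h, p = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if not p.startswith("*."):
        return h == p
    hl, pl = h.split("."), p.split(".")
    return len(hl) == len(pl) and hl[1:] == pl[1:]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate, as shown in most cert viewers."""
    return hashlib.sha256(cert_der).hexdigest()


def check_cluster(expected_names: List[str],
                  nodes: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """nodes maps node name -> (cert DER, SubjectAltName DER). Empty result means consistent."""
    findings: List[str] = []
    fps = {node: fingerprint(cert) for node, (cert, _) in nodes.items()}
    if len(set(fps.values())) > 1:        # a node still carrying its default cert shows up here
        findings.append("nodes present different certificates: "
                        + ", ".join(f"{n}={fp[:16]}" for n, fp in sorted(fps.items())))
    for node, (_, san) in sorted(nodes.items()):
        dns = parse_san_dns_names(san)
        for name in expected_names:
            if not any(hostname_matches(name, pat) for pat in dns):
                findings.append(f"{node}: SAN does not cover {name}")
    return findings


# Constructed sample data (hypothetical names; placeholder bytes stand in for real DER certs).
SAMPLE_NAMES = ["cppm.example.com", "cppm01.example.com", "cppm02.example.com"]
SHARED_CERT = b"-- constructed placeholder for the cluster's real DER certificate --"
DEFAULT_CERT = b"-- constructed placeholder for a node's factory default certificate --"
SHARED_SAN = encode_san_dns(SAMPLE_NAMES)
DEFAULT_SAN = encode_san_dns(["cppm02.example.com"])

GOOD_CLUSTER = {"CPPM01": (SHARED_CERT, SHARED_SAN), "CPPM02": (SHARED_CERT, SHARED_SAN)}
# The situation in the thread: the subscriber never received the imported cert.
BROKEN_CLUSTER = {"CPPM01": (SHARED_CERT, SHARED_SAN), "CPPM02": (DEFAULT_CERT, DEFAULT_SAN)}

if __name__ == "__main__":
    for label, cluster in (("good", GOOD_CLUSTER), ("broken", BROKEN_CLUSTER)):
        print(label, check_cluster(SAMPLE_NAMES, cluster) or "consistent")
```

Comparing fingerprints rather than subject names is the point: two certificates can carry the same CN and SAN and still be different objects, and the supplicant prompts on the leaf it actually receives, so a mismatch across nodes is exactly what produces a second trust prompt after failover.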