Occasional Contributor I
Posts: 7
Registered: ‎12-15-2014

CPPM VIP setup and hostnames presented to clients

Hello all,

I have 2 CP-VA-5K's in the standard publisher/subscriber configuration using a VIP of 10.XX.X.30, CPPM01 is 10.XX.X.31, and CPPM02 is 10.XX.X.32. They both have the correct 3rd party trusted root certificate with SAN entries for CPPM, CPPM01, and CPPM02. The 7210 controllers point clients to cppm.XXXXX.com for authentication.

When iOS clients (that's all I've tested so far) connect they get prompted one time to trust the cert from CPPM01.XXXXX.com; when I test failover and they authenticate to the subscriber CPPM02 they get prompted again to trust the cert from CPPM02.XXXXX.com.

Is there any way, by using the "hostname" and "FQDN" fields in both CPPM servers, to have clients only see CPPM.XXXXX.com so if/when they fail over to the subscriber they don't get prompted again to trust the cert? Hoping that makes sense.

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: CPPM VIP setup and hostnames presented to clients

The only way to get around this would be to use a SAN cert with a generic name as the common name and use the same certificate on both servers.

For example if your servers were:

Cppm1.domain.com

Cppm2.domain.com

Use cppm.domain.com as the common name and add the above 2 in the SAN.

Keep in mind that for RADIUS, the common name doesn't have to match the DNS name of the server. It is just what is presented to the client.

Many universities use a generic "wireless.university.edu" as the CN so it's easy to understand by users.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎12-15-2014

Re: CPPM VIP setup and hostnames presented to clients

Thanks Tim,

The CN on the cert is indeed CPPM.XXXXX.com; SAN entries are CPPM.XXXXX.com, CPPM01.XXXXX.com, and CPPM02.XXXXX.com.

I wonder if this may be an iOS-only issue. I can test with Android later today.


Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: CPPM VIP setup and hostnames presented to clients

Are you using the same cert on both servers?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎12-15-2014

Re: CPPM VIP setup and hostnames presented to clients

Fixed! Thank you Tim,

When the subscriber synced to the pub, the trust list replicated but not the certificate. I failed to change to CPPM02 when I was verifying the server certificate page. I checked CPPM02 and it did have the default cert. I imported the correct cert and it's working properly now.

Thanks again,

Moderator
Posts: 476
Registered: ‎11-09-2012

Re: CPPM VIP setup and hostnames presented to clients

Certs have to be loaded individually onto each node; we do not sync them for the RADIUS or TLS servers.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

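As an added example (not code from the thread, from Aruba, or from ClearPass itself), the following Python script models the two points made above: Tim's advice that the name the supplicant is pointed at (cppm.domain.com) must appear in the certificate each node presents, and the moderator's note that the server certificate is not replicated, so each node's certificate must be checked separately. It keeps a small descriptor per node (subject CN, SAN dNSName list, issuer, fingerprint) and audits a fleet for three defender-side findings: the expected name is missing, the node still has a self-signed default certificate, or the nodes present different certificates. The node names, issuer, SAN lists and fingerprints are constructed inputs; a real deployment would populate the descriptors from the certificate each RADIUS node actually serves.

```python
"""Audit the EAP server certificates a set of ClearPass nodes present.

Added example, not from the thread or from Aruba. It checks that the
supplicant's configured server name is satisfied by each node's cert
(SAN dNSName first, RFC 6125-style matching), that no node still runs
a self-signed default cert, and that every node presents the same cert,
because RADIUS/TLS server certs are not replicated between nodes.
All node names, issuers, SAN lists and fingerprints are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    subject_cn: str
    san_dns: list = field(default_factory=list)
    issuer_cn: str = ""
    sha256: str = ""  # hex fingerprint; constructed values below

    @property
    def is_self_signed(self) -> bool:
        # A factory default cert is self-signed: issuer equals subject.
        # That is the usual tell that the third-party cert was never loaded.
        return self.issuer_cn == self.subject_cn


def _label_match(pattern: str, name: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only
    as the whole leftmost label and matches exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_rest = pattern[2:]
    head, sep, n_rest = name.partition(".")
    return bool(sep) and head != "" and n_rest == p_rest


def name_matches(cert: ServerCert, expected: str,
                 allow_cn_fallback: bool = False) -> bool:
    """True if the supplicant's configured server name is satisfied.

    Current supplicants check SAN dNSName entries only; allow_cn_fallback
    models older clients that accept a CN match when no SAN is present."""
    if cert.san_dns:
        return any(_label_match(p, expected) for p in cert.san_dns)
    return allow_cn_fallback and _label_match(cert.subject_cn, expected)


def audit_nodes(nodes: dict, expected: str) -> dict:
    """Return {node: [findings]} for the certificate each node presents.

    Findings: 'name-mismatch', 'default-cert', 'fingerprint-differs'."""
    findings = {node: [] for node in nodes}
    fingerprints = {c.sha256 for c in nodes.values()}
    for node, cert in nodes.items():
        if not name_matches(cert, expected):
            findings[node].append("name-mismatch")
        if cert.is_self_signed:
            findings[node].append("default-cert")
        if len(fingerprints) > 1:
            findings[node].append("fingerprint-differs")
    return findings


# Constructed fleet mirroring the thread: the publisher carries the
# third-party cert, the subscriber still has the default cert after sync.
GOOD = ServerCert(
    subject_cn="cppm.domain.com",
    san_dns=["cppm.domain.com", "cppm1.domain.com", "cppm2.domain.com"],
    issuer_cn="Example Public CA",  # constructed issuer name
    sha256="aa" * 32,               # constructed fingerprint
)
DEFAULT = ServerCert(
    subject_cn="cppm2.domain.com",
    san_dns=["cppm2.domain.com"],
    issuer_cn="cppm2.domain.com",   # self-signed default cert
    sha256="bb" * 32,               # constructed fingerprint
)

BEFORE_FIX = {"cppm1": GOOD, "cppm2": DEFAULT}
AFTER_FIX = {"cppm1": GOOD, "cppm2": GOOD}

if __name__ == "__main__":
    for label, fleet in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit_nodes(fleet, "cppm.domain.com"))
```

Run as-is, the "before" fleet flags cppm2 for a name mismatch and a default certificate and flags both nodes for differing fingerprints, which is exactly the state the original poster found; the "after" fleet, with the same certificate loaded on both nodes, reports nothing. The fingerprint comparison is the check worth automating after every node join or certificate renewal, since a trust-list sync that looks complete says nothing about the server certificate itself.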