03-26-2015 06:50 AM
I have two CP-VA-5Ks in the standard publisher/subscriber configuration using a VIP of 10.XX.X.30; CPPM01 is 10.XX.X.31, and CPPM02 is 10.XX.X.32. They both have the correct third-party trusted root certificate with SAN entries for CPPM, CPPM01, and CPPM02. The 7210 controllers point clients to cppm.XXXXX.com for authentication.
When iOS clients (that's all I've tested so far) connect, they get prompted one time to trust the cert from CPPM01.XXXXX.com. When I test failover and they authenticate to the subscriber CPPM02, they get prompted again to trust the cert from CPPM02.XXXXX.com.
Is there any way, by using the "hostname" and "FQDN" fields in both CPPM servers, to have clients only see CPPM.XXXXX.com, so if/when they fail over to the subscriber they don't get prompted again to trust the cert? Hoping that makes sense.
03-26-2015 06:54 AM
name as the common name and use the same certificate on both servers.
For example if your servers were:
Use cppm.domain.com as the common name and add the above 2 in the SAN.
Keep in mind that for RADIUS, the common name doesn't have to match the DNS
name of the server. It is just what is presented to the client.
Many universities use a generic "wireless.university.edu" as the CN so it's
easy to understand by users.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
03-26-2015 06:56 AM
The CN on the cert is indeed CPPM.XXXXX.com; SAN entries are CPPM.XXXXX.com, CPPM01.XXXXX.com, and CPPM02.XXXXX.com.
I wonder if this may be an iOS-only issue. I can test with Android later today.
03-26-2015 07:07 AM
Fixed! Thank you Tim,
When the subscriber synced to the pub, the trust list replicated but not the certificate. I failed to change to CPPM02 when I was verifying the server certificate page. I checked CPPM02 and it did have the default cert. I imported the correct cert and it's working properly now.
03-26-2015 09:50 AM
Certs have to be loaded individually onto each node; we do not sync them for the RADIUS or TLS servers.
Snr Tech Marketing Engineer - ClearPass
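The two checks this thread comes down to are: does the certificate a node presents carry the shared name (plus each node's own name) in its SAN, and do both nodes actually present the same certificate, since ClearPass does not replicate server certificates between publisher and subscriber. The script below is an added example, not from the thread or from Aruba; it builds two constructed self-signed test certificates with openssl (one "correct" cert with the shared CN and all three names in the SAN, one "default" per-node cert with only its own CN, mirroring the subscriber state described above), then extracts the DNS SAN entries and compares SHA-256 fingerprints. All hostnames (cppm.example.com, cppm01.example.com, cppm02.example.com) are placeholders. To check live nodes instead of the constructed files, save each node's presented certificate to a PEM file first (for example via `openssl s_client`) and pass those paths to the same functions.

```shell
#!/bin/sh
# Added example (not ClearPass code): verify SAN coverage and cert identity per node.
# Hostnames are placeholders; the certificates are generated here for demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The "correct" cert: shared VIP name as CN, shared name plus both node names in SAN.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = cppm.example.com
[v3_req]
subjectAltName = DNS:cppm.example.com,DNS:cppm01.example.com,DNS:cppm02.example.com
EOF

NODE1_CERT="$WORK/node1.pem"   # publisher, correct cert imported
NODE2_CERT="$WORK/node2.pem"   # subscriber, still on its default per-node cert

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/san.cnf" \
    -keyout "$WORK/node1.key" -out "$NODE1_CERT" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cppm02.example.com" \
    -keyout "$WORK/node2.key" -out "$NODE2_CERT" >/dev/null 2>&1

# Print each DNS SAN entry of a PEM certificate on its own line (empty if no SAN).
san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if the certificate's SAN contains exactly the given hostname.
# Exact-line match avoids treating "cppm.example.com.au" as covering "cppm.example.com".
san_covers() {
    san_names "$1" | grep -qxF "$2"
}

# SHA-256 fingerprint of a PEM certificate, as openssl prints it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if two files hold the same certificate (identical fingerprint).
same_cert() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# Report, per node, whether the shared name is covered and whether the certs match.
for cert in "$NODE1_CERT" "$NODE2_CERT"; do
    if san_covers "$cert" cppm.example.com; then
        echo "$(basename "$cert"): SAN covers cppm.example.com"
    else
        echo "$(basename "$cert"): SAN does NOT cover cppm.example.com (clients will be reprompted)"
    fi
done
if same_cert "$NODE1_CERT" "$NODE2_CERT"; then
    echo "both nodes present the same certificate"
else
    echo "nodes present different certificates; import the shared cert on each node"
fi
```

Running this prints that node1 covers the shared name, node2 does not, and the two certificates differ, which is exactly the failover symptom in the thread. On a real deployment, the fix is the one Tim gives: the same certificate, with the shared name as CN and the node names in SAN, imported on every node.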