Security

Reply

CPPM - different radius server cert for different services

I don't think this is possible, so probably more of a feature request, but nevertheless interested in feedback.

 

Is it possible to use a different radius server cert for different services in CPPM?  The user case I'm thinking is that for corp/domain devices the internally signed server cert is presented.  For non-domain/byod devices using EAP-PEAP, they would be presented with a publicly signed server cert and hence a seamless experience.

 

NPS seems to have this capability and would be nice if it was possible in Clearpass as well.


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Aruba

Re: CPPM - different radius server cert for different services

You can setup multiple root CA in onboarding so the device can have a different signing trust chain but they all will have to trust the one radius cert.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: CPPM - different radius server cert for different services

yeah, was wondering without the onboarding though.

 

Most byod deployments I come across are about just giving personal devices internet only with AD authentication.  EAP-PEAP is fine for that, but having the warning about an untrusted cert is not a seamless experience.

 

Feature request it is then.

 

:-)


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Guru Elite

Re: CPPM - different radius server cert for different services

The current solution is to use QuickConnect or a public RADIUS certificate.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: CPPM - different radius server cert for different services

I have to agree with capalli on that one.  The accepted solution is to use a public certificate that ALL of your clients trust.  That is the way most radius servers accomplish this.  With regards to the MSFT server supporting this, once an incoming authentication hits an EAP rule, the NPS server has to do something with it, or drop it, otherwise you will get a mismatch.  It will not allow you to process EAP rule after EAP rule for matches...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: CPPM - different radius server cert for different services

Agreed.  So on that note with a public server cert.

 

With EAP-TLS, does it matter if the server cert and client certs are signed by different CAs?


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Guru Elite

Re: CPPM - different radius server cert for different services

No, as long as your server trusts the root.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba

Re: CPPM - different radius server cert for different services

Please keep in mind and make sure you start explaining to your customers that starting next year most CA will not issue private certs for radius . Its has already been stated by the CA org and some of the vendors that they will revoke any cert for a domain that is not publicly accessible. 

 

This is the time to start to educate customers and users on what should be done when connecting to a private networks. The pros and cons etc....

 

I know a lot of users and customers will complain but what is better "easy to use" or "not having their data and credit card information stolen" :) If they want an easier to use then they need to consider using QuickConnect or OnBoarding. 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: CPPM - different radius server cert for different services

Guys, great info.  The few times I've used a public signed cert for radius, it was used for https as well so had a proper resolvable fqdn.

 

For others who stumble upon this, some further info to what Troy mentioned.

 

https://www.digicert.com/internal-names.htm

 

All the gory details about the baseline requirements here.  Page 10 of v_1_1_9 has the relevant info mentioned above.

 

https://cabforum.org/baseline-requirements-documents/


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: