MVP
Posts: 1,110
Registered: 10-11-2011

Cert Security - Controller Cert CN

Let me preface this with the following: I am not a certificate expert.


I'd like to know if there should be any concern about the CN in the cert that I issue to my controller since anyone attempting to authenticate will see the certificate from the controller? I try to protect internal name space and IP space as much as possible, and I'm not sure if it's worth worrying about here. I've considered using external PKI and obscure CNs instead of the controller name and internal PKI.


I'd appreciate any feedback you have regarding this.

Guru Elite
Posts: 20,017
Registered: 03-29-2007

Re: Cert Security - Controller Cert CN


thecompnerd wrote:

Let me preface this with the following: I am not a certificate expert.


I'd like to know if there should be any concern about the CN in the cert that I issue to my controller since anyone attempting to authenticate will see the certificate from the controller? I try to protect internal name space and IP space as much as possible, and I'm not sure if it's worth worrying about here. I've considered using external PKI and obscure CNs instead of the controller name and internal PKI.


I'd appreciate any feedback you have regarding this.


It does not matter. Clients do not need IP access to the FQDN of a RADIUS server to use it. The controller sits between the client and the RADIUS server and abstracts this. You can block clients from your management networks, which could be where your RADIUS server is, and have your client still authenticate to it. An 802.1X transaction is mutual. That means the RADIUS server would need your username and password and the client can validate the certificate of the device that it is connecting to. Your client can decide NOT to validate the certificate of the RADIUS server, but it will always be able to see it.


Only if a client needs to authenticate via a captive portal does it need to actually have IP access to the server, and you can always dictate what protocols that client connects to the server with...


Colin Joseph
Aruba Customer Engineering
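Colin's two points above (the supplicant always sees the server certificate, but it can choose to validate it) as an added Go example that is not from this thread or from Aruba: it mints a constructed internal CA and controller certificate, returns the fields any client reads during the EAP-TLS handshake, and models the supplicant check that makes an obscure CN pointless. The names, the ed25519 keys and the Go x509 verifier are assumptions of the example, not anything from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a self-signed CA (parent == nil) or a server leaf signed by parent; all names are constructed.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // ed25519 keeps the example short
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // a root signs itself
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// VisibleFields is what any supplicant reads from the server certificate during the
// EAP-TLS handshake, before it sends a credential: the CN is effectively public.
func VisibleFields(c *x509.Certificate) string {
	return fmt.Sprintf("issuer=%q subject=%q sans=%v", c.Issuer.CommonName, c.Subject.CommonName, c.DNSNames)
}

// SupplicantAccepts is the client-side check that actually matters: the chain must end in
// the configured CA and expectedName must appear in the SANs (DNSName is not matched to the CN).
func SupplicantAccepts(server, trustedCA *x509.Certificate, expectedName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err == nil
}
```

Because every supplicant sees VisibleFields regardless of configuration, the protection comes from SupplicantAccepts being enforced on the client (trusted CA plus expected name), not from hiding the name in the CN.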
