Frequent Contributor II

Certificate architecture for CPPM RADIUS

Hello,


While deploying 802.1x wired to our network we determined that the default certificate the ClearPass Policy Manager is using is a self-signed certificate.  We could certainly push this out to devices and make the self-signed setup work, but ideally we would not do so for a couple reasons:


  • OpEx of managing a new certificate store
  • De-centralization of certificate management

We have an internal PKI that I am tempted to use by generating a CSR from each of our publisher/subscriber servers, signing, then importing.  These certificates would then have to be all loaded onto each laptop in the company.  We'd also have to do some manual work to ensure that the internal PKI is in the Trusted Root store of all company laptops.


Another option is to use a public CA, something like a DigiCert, and follow the same process.  In this case the DigiCert CA would likely already be in the laptop's Trusted Root store, so we may have a little less work to do.


I'd like to see what Aruba/ClearPass suggests as an overall architecture recommendation for RADIUS certificates as a best practice.  Is it recommended to use a public CA for your RADIUS certificates?

rwin = 0
Guru Elite

Re: Certificate architecture for CPPM RADIUS

If you’re using EAP-TLS exclusively (recommended), a private/internal/Onboard EAP server certificate with an extended lifetime is recommended.


If you’re using legacy EAP methods like PEAP and EAP-TTLS, the answer varies:


If all of your client devices are managed in some way, shape or form, a private/internal EAP server certificate can be used.


If there is a mix of managed and unmanaged devices, a public CA-signed EAP server certificate can be used, which will remove the requirement to manually install a CA on the device. However, the client still needs to be properly configured for server trust. This is why these legacy protocols should no longer be used. Another caveat is that the max certificate lifetime of a public CA-issued certificate is now 2 years and is expected to drop to 1 year in the near future. This further emphasizes the recommendation to move to a modern method like EAP-TLS where an internal trust can be used/built.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Certificate architecture for CPPM RADIUS

Thanks Tim! That pretty much answers my question, so I guess we'll verify the method we're using and likely go with an internal PKI.

Man you're full of good information :)

rwin = 0
Contributor I

Re: Certificate architecture for CPPM RADIUS

To say it again, like it is said above: if you are using TLS for auth of clients, I would suggest you use an internal CA.

If using EAP-PEAP, use a public wildcard.


In both situations, make sure you are setting up your trust of the RADIUS cert within the wireless profile on the computer. Otherwise, no matter what cert you use, the user will have to at least accept it for the first time. Windows and Apple have moved to a method of not using the trusted CA on the computer for wireless auth, but setting the trusted server settings overrides the prompting.

Guru Elite

Re: Certificate architecture for CPPM RADIUS

Never use a wildcard for an EAP server certificate.

Also, users should never be just accepting the certificate themselves. The supplicant should be properly configured or their credentials are at risk.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Certificate architecture for CPPM RADIUS

...

Guru Elite

Re: Certificate architecture for CPPM RADIUS

There are many OS version combinations that will reject a wildcard certificate. They should never be used for an EAP server certificate.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Certificate architecture for CPPM RADIUS

Sorry, I misspoke. The Guest Portal is set up with a public wildcard. For RADIUS we are using 1 cert for 3 boxes by populating the SAN field with the name of all 3 servers. Again, if you don't have an internal CA, use a public cert and tie the client to the name and cert of the ClearPass servers.


Guru Elite

Re: Certificate architecture for CPPM RADIUS

Just an FYI (it will save you a bunch of money), the EAP server certificate only needs a single, generic name for the common name (and is automatically populated to the SAN). Ex: secure-login.yourdomain.com

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Certificate architecture for CPPM RADIUS

So let's say my publisher server sends in a CSR to my internal PKI.  The CA signs it, then I import it to the publisher server.  I can then use that for 802.1x EAP-TLS authentication if I also import the certificate onto my corporate laptop (we trust the internal CA already).


Question: do I have to do the same for all my other subscriber servers, or can I use a SAN alternate name for each of the other subscribers, then import that same CSR that was signed?

rwin = 0
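The multi-server SAN approach discussed in this thread (one certificate for several ClearPass boxes, no wildcard names), as an added example that is not code from any poster: it builds one CSR carrying all server names in the SAN, issues it from a throwaway test CA standing in for the internal PKI, and checks the result against the advice above. All hostnames are constructed placeholders.

```shell
# Added example, not code from any poster in this thread. One CSR covers
# several ClearPass servers through the SAN, a throwaway test CA stands in
# for the internal PKI, and a check enforces the advice given above: no
# wildcard names, serverAuth EKU present, every server name in the SAN.
# All hostnames are constructed placeholders.
set -e
WORK=$(mktemp -d)
EAP_CN="secure-login.example.com"
SAN="DNS:${EAP_CN},DNS:cppm-pub.example.com,DNS:cppm-sub1.example.com,DNS:cppm-sub2.example.com"

# 1. One private key and one CSR carrying all server names as SAN entries.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/eap.key" \
  -subj "/CN=${EAP_CN}" -addext "subjectAltName=${SAN}" \
  -out "$WORK/eap.csr" 2>/dev/null
# 2. Throwaway CA (test only) standing in for the corporate PKI.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Internal Test CA" -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" 2>/dev/null
# 3. Issue the EAP server certificate; the ext file restates the SAN and adds
#    the serverAuth EKU that supplicants expect on a RADIUS server certificate.
printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$SAN" > "$WORK/eap.ext"
openssl x509 -req -in "$WORK/eap.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1095 -extfile "$WORK/eap.ext" -out "$WORK/eap.crt" 2>/dev/null
# 4. Contrast case: a wildcard certificate of the kind the thread warns against.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/wild.key" \
  -subj "/CN=*.example.com" -out "$WORK/wild.csr" 2>/dev/null
printf 'subjectAltName=DNS:*.example.com\nextendedKeyUsage=serverAuth\n' > "$WORK/wild.ext"
openssl x509 -req -in "$WORK/wild.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1095 -extfile "$WORK/wild.ext" -out "$WORK/wild.crt" 2>/dev/null

# check_eap_cert CERT NAME...: exit 0 when CERT is acceptable as an EAP server
# certificate for every NAME, 1 (with a reason on stdout) otherwise.
check_eap_cert() {
  cert=$1; shift
  text=$(openssl x509 -in "$cert" -noout -text)
  if printf '%s\n' "$text" | grep -Eq 'CN *= *\*|DNS:\*'; then
    echo "REJECT $cert: wildcard name (many supplicants refuse it)"; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "REJECT $cert: no serverAuth extended key usage"; return 1
  fi
  for name in "$@"; do
    printf '%s\n' "$text" | grep -Fq "DNS:${name}" ||
      { echo "REJECT $cert: ${name} missing from SAN"; return 1; }
  done
  echo "OK $cert"
}

check_eap_cert "$WORK/eap.crt" cppm-pub.example.com cppm-sub1.example.com cppm-sub2.example.com
check_eap_cert "$WORK/wild.crt" cppm-pub.example.com || true
```

The same CSR-with-SAN workflow applies to a real internal CA; only the issuing step (section 3) would be replaced by submitting the CSR to that CA.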