03-09-2015 06:14 AM
I have a question regarding the certificates on ClearPass subscribers.
ClearPass version 6.4.4.
Currently I configure a three node cluster with one publisher and two subscribers.
I would like to have a common name for Guest registration pages and unique names on each host for Radius.
Most of the clients are non-managed BYOD clients and only trust public CA's. A certificate from internal CA isn’t an option.
Onboarding isn't planned to be implemented.
What would be the best certificate strategy?
Option 1. One SAN enabled certificate with one CN like clearpass.domain.com for https and the FQDN for each host as SAN for the Radius service
Option 2. Unique certificates for both https and radius
Option 3 Any suggestions appreciated
Solved! Go to Solution.
03-09-2015 06:22 AM
In my opinion Option 1
I would definately make the the radius certficate common among all of the applicances if you have roaming clients or they would connect to all appliances so that they don't have to accept a different certificates. I would have a common CN and multiple SAN's for each appliance.
03-09-2015 09:25 AM