Frequent Contributor I
Posts: 96
Registered: ‎08-05-2013

ClearPass - RADIUS Cert Question

My current RADIUS cert is set to expire in a couple days and ClearPass is giving me the red notification across the top "The RADIUS Server Cert will expire in 2 day(s)".  I created a CSR, had it signed by our PKI CA, then imported the cert, private key file and password.  On the cert page it shows the cert as valid and the expiration date changed to match the 5-year cert expiration.  However, the red warning stating the cert will expire in 2 days is still at the top of the page.  

Two questions:

1. Does this cert need to be referenced/changed anywhere else in ClearPass, other than the Server Certificate/RADIUS Certificate page?

2. Will a 5-year web server certificate suffice for the certificate type?  

 

It should be noted that I have a subscriber in the cluster and I changed the cert on that one yesterday and the expiration error message went away. Finding it out of the ordinary that the one on the publisher is staying around. 

 

Thanks!

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass - RADIUS Cert Question

That should be all you need to do.



I would open a TAC case just to make sure everything is OK.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 96
Registered: ‎08-05-2013

Re: ClearPass - RADIUS Cert Question

Thanks for the quick reply as always, Tim.  Came in this morning and it's gone.  Looks like it cleared itself when the alert timer changed from 2 days to 1 day.  

MVP
Posts: 447
Registered: ‎11-04-2011

Re: ClearPass - RADIUS Cert Question

This is normal behavior. The certificate warning seems to be generated during the nightly maintenance and disappears again when at the next run it appears that the certificate is valid again. I have not found a way to trigger this, I believe I even restarted the ClearPass appliance without success but the next day the warning was gone after I replaced the cert.

 

You made a good decision to get a 5-year certificate, as it reduces the maintenance of your certificates. Take the certificate valid as long as possible, at least for RADIUS.

 

Replacing the certificate with '2 days to go' is risky, as I have seen many cases where the certificate request/issue process can be delayed on formalities like signatures. Most times it will be okay, but you don't want to risk your ClearPass certificate expiring. Bear in mind that some clients with clock offsets (can be days) will not accept the cert when according to their clock the certificate expires. I would try to have your certificate replaced at least a week before expiration, and if possible a few hours/days after issuance.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
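
The timing advice in the post above (replace at least a week before expiry, deploy a few hours or days after issuance, allow for client clock offsets) can be checked with a short script. This is an added example, not part of the original thread and not ClearPass code; the sample dates are constructed, and the 2-day skew allowance and the names `parse_dates` and `assess` are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: text as printed by `openssl x509 -noout -dates -in <cert>`
SAMPLE_DATES = """notBefore=Mar  1 12:00:00 2024 GMT
notAfter=Feb 28 12:00:00 2029 GMT"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

    def to_dt(value):
        # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" format
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])


def assess(text, now, max_skew=timedelta(days=2), renew_margin=timedelta(days=7)):
    """Classify the cert as seen by clients whose clocks are off by up to max_skew.

    max_skew is an assumed worst-case client clock offset; renew_margin is the
    "at least a week before expiration" rule of thumb from the post.
    """
    not_before, not_after = parse_dates(text)
    if now >= not_after:
        return "EXPIRED"
    if now < not_before:
        return "NOT_YET_VALID"
    if now + max_skew >= not_after:
        # A client whose clock runs ahead already sees the cert as expired.
        return "EXPIRED_FOR_FAST_CLOCKS"
    if now - max_skew < not_before:
        # A client whose clock runs behind sees a cert issued "in the future".
        return "NOT_YET_VALID_FOR_SLOW_CLOCKS"
    if now + renew_margin >= not_after:
        return "RENEW_NOW"
    return "OK"


if __name__ == "__main__":
    print(assess(SAMPLE_DATES, datetime.now(timezone.utc)))
```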
Frequent Contributor I
Posts: 96
Registered: ‎08-05-2013

Re: ClearPass - RADIUS Cert Question

Thanks for the great information, Herman. 
