05-27-2017 11:51 PM - last edited on 05-30-2017 05:05 AM by cappalli
I have an already working setup of an Aruba 3600 controller using the Guest module of ClearPass.
This has been working for the last few years without any issues, but we would now like to publish a public IP for ClearPass in order for it to have a trusted certificate and avoid warnings while users try to connect.
I have checked the system tab under server configuration but I only see one space for IP server. The new public IP will be used for data and mngmt.
Is it possible to change this without interrupting the service?
How should I proceed to minimize the effect of this change?
Thank you in advance!
05-28-2017 11:43 PM
I've been checking lately for an SSL certification, and one thing in common they told me is that it can only be used on a domain, for which I require a public IP.
Could you please advise how I can proceed then? I need to avoid those warnings when the captive portal pops up.
05-29-2017 02:23 AM
You need to first create a CSR file, get it signed by an external Certificate Authority, and install that certificate on ClearPass to prevent users from getting certificate warning messages while accessing the portal page.
05-29-2017 06:27 AM - edited 05-29-2017 06:30 AM
You need to have a public SSL certificate. I always use openssl to generate the CSR (certificate signing request), which you need to get signed by a public CA (certificate authority). You can use my blog post to generate the certificate via openssl. I always use openssl and do not generate the CSR directly on ClearPass or another server. The advantage of openssl is that you always have a full backup, including the private key, of the certificate and you can easily change the format of the certificate from PEM to PFX to DER to whatever.
I would suggest you configure an IP address on the management interface for all internal communication and next you configure an IP address on the data interface, which you place in a DMZ network. On your firewall you can configure a NAT mapping to translate a public IP address to the private DMZ IP address of the ClearPass data interface. You can use the firewall to restrict access to the data interface, so only HTTPS is allowed to the specific IP address.
Co-owner/Solution Specialist@4IP / blog firstname.lastname@example.org
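The openssl CSR workflow described in the reply above, as an added example that is not part of the original post or the linked blog. It generates the key and request, checks the request before it goes to the CA, and confirms the request matches the private key; the function names are hypothetical, and cppm.labme.com is the sample hostname used elsewhere in this thread.

```shell
#!/usr/bin/env bash
# Added example: key + CSR generation with openssl for a captive-portal certificate.
# cppm.labme.com is the sample name from this thread; substitute your own FQDN.

make_csr() {
    fqdn="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    # The private key stays on this host; restrict permissions before writing it.
    ( umask 077 && openssl genrsa -out "$outdir/$fqdn.key" 2048 2>/dev/null ) || return 1

    # Minimal request config: CN plus a subjectAltName, which browsers require.
    cat > "$outdir/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -key "$outdir/$fqdn.key" \
        -config "$outdir/$fqdn.cnf" -out "$outdir/$fqdn.csr" || return 1
}

# Check the CSR before sending it to the CA: self-signature valid and SAN present.
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Confirm the request was made from this private key by comparing public keys.
# The same comparison applies to the signed certificate before importing it.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}
```

Run `make_csr cppm.labme.com ./certs`, submit the resulting `.csr` to the CA, and keep the `.key` file backed up and access-restricted.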
05-29-2017 06:47 AM
05-29-2017 11:21 AM
The SSL companies will want to validate your domain (using WHOIS is the fastest method). They will send an e-mail to the e-mail address related to the WHOIS info of the domain.
Say your public domain is labme.com and your CPPM server is offline but still has a DNS entry (common name) cppm.labme.com, you can issue it a public cert without problems.
05-30-2017 05:44 AM
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
06-11-2017 12:55 AM
Thank you for the reply to everyone and sorry for the delay. I have been busy with other projects.
Actually, I don't want a public IP; it requires changing my setup and I prefer to change as little as possible in the setup. What I want is to have an SSL certificate on my CPPM to certify the server.
My clients connect from remote locations to RAPs, the RAPs locate the clients in the VLAN where my CPPM without public access is, but we always have the warning of trusted server.
If you can give me the steps to have an SSL certificate, from the CSR generation up to the installation and any other required setup, I would appreciate it.