04-06-2016 08:46 AM
I have a working service in Clearpass, that authorizes Guest Operators against a generic ldap. In the dev environment we were able to connect via a password. In order to move to the production environment, we need to install a cert provided by our PKI, and use StartTLS with the ldap directory.
Where do I install that cert? I thought it might be the RADIUS server certificate, but the install fails with the error that the cert I'm importing is not appropriate for use with Web Servers. It is true that my cert does not have the extended usage 'TLS Web Server Authentication', but that's not what the RADIUS server is doing anyway??
What am I doing wrong here? Where should my cert be installed?
04-06-2016 08:58 AM
Are you trying to authenticate to an LDAP server over port 686? The LDAP server must have a server certificate and the ClearPass server must have the CA certificate for the server cert that was issued to the LDAP server imported into Administration> Certificates> Trust List.
If that is not what you mean, please let us know...
Aruba Customer Engineering
04-12-2016 12:25 PM
I'm sorry it has taken me so long to respond to this. Thank you again for taking the time.
The issue is that I have been given both a 'server' certificate to identify the LDAP directory to Clearpass and a 'client' certificate that will identify Clearpass to the LDAP server. Encryption and authentication both ways without the need for passwords.
I can't replace the RADIUS server cert, because the cert from ldap only has the 'client' usage. Even if I did replace the RADIUS cert, I could only do that once, and therefore could only do client auth to one such data store at a time. While the directory admins have allowed, in very few cases, password binds for applications that don't support client based auth, those passwords are all stored as sha-12 hashes (which Clearpass does not currently support).
I need to find out if there IS some way to implement a client cert for StartTLS, and if not, get some sense of which feature (client based auth for LDAP or sha-512 for passwords) is more likely to be pursued should I make the request.
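An added example, not part of the thread or of ClearPass: a small shell check that reports which TLS roles a PEM certificate's Extended Key Usage allows, which is the attribute behind the "not appropriate for use with Web Servers" import error in the first post and the client-only usage described in the third. It assumes the openssl CLI is on PATH and builds its own throwaway self-signed certificates, so no real PKI material is involved.

```shell
#!/bin/sh
# Added example, not from the thread: report which TLS roles a PEM
# certificate's Extended Key Usage allows, so it is clear before importing
# whether it fits the RADIUS/Web Server slot (serverAuth) or would only
# ever identify a client (clientAuth). Assumes the openssl CLI is on PATH.
set -eu

WORK="$(mktemp -d)"

# Print the EKU values of a certificate with spaces removed, or an empty
# string when the certificate has no EKU extension at all.
cert_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | tr -d ' '
}

# Classify a certificate as server, client, both or none by its EKU.
cert_role() {
    eku="$(cert_eku "$1")"
    server=0; client=0
    case "$eku" in *TLSWebServerAuthentication*) server=1 ;; esac
    case "$eku" in *TLSWebClientAuthentication*) client=1 ;; esac
    if [ "$server" = 1 ] && [ "$client" = 1 ]; then echo both
    elif [ "$server" = 1 ]; then echo server
    elif [ "$client" = 1 ]; then echo client
    else echo none
    fi
}

# Constructed test material: self-signed certs with a chosen EKU, so the
# check can be run offline (no real PKI involved).
make_cert() {  # $1 = name, $2 = extendedKeyUsage value(s)
    cfg="$WORK/$1.cnf"
    printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=ext\n' > "$cfg"
    printf '[dn]\nCN=%s\n[ext]\nextendedKeyUsage=%s\n' "$1" "$2" >> "$cfg"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_cert ldap-server serverAuth
make_cert clearpass-client clientAuth
make_cert dual serverAuth,clientAuth

for name in ldap-server clearpass-client dual; do
    echo "$name: $(cert_role "$WORK/$name.pem")"
done
```

A certificate that reports only `client` will never be accepted in a server-certificate slot, whatever the issuing PKI calls it.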