New Contributor
Posts: 2
Registered: ‎01-12-2016

Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

Hey, everyone!


I have a working service in Clearpass, that authorizes Guest Operators against a generic ldap. In the dev environment we were able to connect via a password. In order to move to the production environment, we need to install a cert provided by our PKI, and use StartTLS with the ldap directory.


Where do I install that cert? I thought it might be the RADIUS server certificate, but the install fails with the error that the cert I'm importing is not appropriate for use with Web Servers. It is true that my cert does not have the extended usage 'TLS Web Server Authentication', but that's not what the RADIUS server is doing anyway??


What am I doing wrong here? Where should my cert be installed?

Guru Elite
Posts: 20,391
Registered: ‎03-29-2007

Re: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

Are you trying to authenticate to an LDAP server over port 686? The LDAP server must have a server certificate and the ClearPass server must have the CA certificate for the server cert that was issued to the LDAP server imported into Administration > Certificates > Trust List.


If that is not what you mean, please let us know...



Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 2
Registered: ‎01-12-2016

Re: Clearpass Auth via generic LDAP: How do I install a cert for StartTLS

I'm sorry it has taken me so long to respond to this. Thank you again for taking the time.


The issue is that I have been given both a 'server' certificate to identify the LDAP directory to Clearpass and a 'client' certificate that will identify Clearpass to the LDAP server. Encryption and authentication both ways without the need for passwords.


I can't replace the RADIUS server cert, because the cert from ldap only has the 'client' usage. Even if I did replace the RADIUS cert, I could only do that once, and therefore could only do client auth to one such data store at a time. While the directory admins have allowed, in very few cases, password binds for applications that don't support client based auth, those passwords are all stored as sha-512 hashes (which Clearpass does not currently support).


I need to find out if there IS some way to implement a client cert for StartTLS, and if not, get some sense of which feature (client based auth for LDAP or sha-512 for passwords) is more likely to be pursued should I make the request.
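An added diagnostic, not from this thread or from Aruba, covering both points raised above: it reads the extended key usages of a PEM certificate (so you can see whether a cert is a 'server' or a 'client' cert before trying to import it anywhere) and tests that a StartTLS upgrade on the plain LDAP port validates against the CA bundle you would import under Administration > Certificates > Trust List. It assumes openssl 1.1.1 or newer on PATH; the host name and file paths are placeholders.

```shell
# List the extended key usages of a PEM certificate, one per line, with spaces
# removed (e.g. "TLSWebClientAuthentication"). Prints nothing when the cert
# carries no extendedKeyUsage extension.
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | tail -n +2 | tr -d ' ' | tr ',' '\n'
}

# 0 if the cert carries serverAuth ("TLS Web Server Authentication"), the usage
# the ClearPass import checks for on its own RADIUS/HTTPS server certificate.
is_server_cert() {
    cert_eku "$1" | grep -qx 'TLSWebServerAuthentication'
}

# 0 if the cert carries clientAuth ("TLS Web Client Authentication"), the usage
# a certificate that identifies ClearPass to the directory needs.
is_client_cert() {
    cert_eku "$1" | grep -qx 'TLSWebClientAuthentication'
}

# 0 if a StartTLS upgrade on the plain LDAP port succeeds and the directory's
# server certificate chains to the CA bundle. This one talks to the network,
# so it is not exercised by the self-test below.
ldap_starttls_chain_ok() {
    host_port="$1"   # placeholder, e.g. ldap.example.internal:389
    ca_bundle="$2"   # PEM file holding the issuing CA chain
    printf 'Q\n' | openssl s_client -starttls ldap -connect "$host_port" \
        -CAfile "$ca_bundle" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Run `cert_eku /path/to/cert.pem` on the file the PKI team handed over: a cert listing only client authentication is the one to use for identifying ClearPass to the directory, not for the RADIUS server slot.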
