Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Certs - Why Separate?

  • 1.  ClearPass Certs - Why Separate?

    Posted Jun 25, 2016 01:15 PM

    When configuring ClearPass for both RADIUS and Guest Access, I am curious why the recommendation is to have separate certificates for each.

    If you don't have an internal PKI and want trusted certs for RADIUS, you need to get a publicly signed cert. Same goes for Guest. There is a white paper that suggests getting a separate cert for each. Why not apply the same cert to both RADIUS and HTTPS and save money? It's the same server name.

    The only thing I can think is that if one of the certs gets compromised, then really both have been compromised.

    Thanks!



  • 2.  RE: ClearPass Certs - Why Separate?

    EMPLOYEE
    Posted Jun 25, 2016 02:13 PM
    The short, brief answer is for flexibility. There are a lot of discussions about certs that need to happen when deploying 802.1X. It's best to reach out to your Aruba ClearPass partner so they can assist with that discussion and design.


  • 3.  RE: ClearPass Certs - Why Separate?

    EMPLOYEE
    Posted Jun 25, 2016 05:32 PM

    @Airhead123 wrote:

    When configuring ClearPass for both RADIUS and Guest Access, I am curious why the recommendation is to have separate certificates for each.

    If you don't have an internal PKI and want trusted certs for RADIUS, you need to get a publicly signed cert. Same goes for Guest. There is a white paper that suggests getting a separate cert for each. Why not apply the same cert to both RADIUS and HTTPS and save money? It's the same server name.

    The only thing I can think is that if one of the certs gets compromised, then really both have been compromised.

    Thanks!


    Tcappalli is right about flexibility.

     

    The guest certificate needs to be public so that users whose devices you do not control do not get errors on their webpage. For 802.1X and devices in a domain, it is more likely that you (1) control those devices and (2) you can produce your own self-signed domain-signed server certificate that you can allow to be as valid as long as you want. Having a single certificate would not give you that flexibility.
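The two-certificate split described in this reply, worked through as an added example (this is not code from the thread, from HPE Aruba, or from any ClearPass white paper). It assumes the OpenSSL command-line tool (1.1.1 or newer) is installed; the hostname clearpass.example.com and the CA name are placeholders. The 802.1X/EAP server certificate is issued by a private CA with a five-year lifetime, while the guest portal gets only a key and CSR, because that one has to be signed by a public CA that unmanaged devices already trust. The last two checks show why one certificate cannot serve both audiences: the internally issued EAP certificate verifies against the internal root that managed devices carry, and is rejected against the public root store that a guest device would use.

```shell
#!/bin/sh
# Added example, not code from the thread or from HPE Aruba: builds the two
# certificates the replies describe as separate and checks them the way each
# audience would. Assumes the OpenSSL CLI (1.1.1 or newer); the hostname
# clearpass.example.com and the CA name are placeholders.
set -eu

HOST="clearpass.example.com"
WORK="${WORK:-$(mktemp -d)}"

# Private CA for the 802.1X side. Domain-joined devices get this root pushed
# to them by policy, so it never has to be publicly trusted.
make_internal_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# EAP (RADIUS) server certificate: issued by the private CA with a five-year
# lifetime, a SAN for the server name and the serverAuth EKU that
# supplicants require for PEAP/EAP-TLS.
make_eap_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -keyout "$WORK/eap.key" -out "$WORK/eap.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
        > "$WORK/eap.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/eap.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/eap.ext" -out "$WORK/eap.pem" 2>/dev/null
}

# Guest portal: its own key and CSR for the same server name. The CSR goes
# to a public CA; the private CA must not sign it, because guests' devices
# do not trust that CA and would show a browser error.
make_guest_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/guest.key" -out "$WORK/guest.csr" 2>/dev/null
}

# A managed supplicant trusts only the internal root: the EAP chain verifies.
eap_trusted_by_managed_device() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/eap.pem" >/dev/null 2>&1
}

# A guest device trusts only public roots (the system store here): the same
# EAP certificate is rejected, which is why it cannot also serve the portal.
eap_rejected_by_public_roots() {
    ! openssl verify "$WORK/eap.pem" >/dev/null 2>&1
}

# Lifetime check: still valid N days from now? Public CAs cap leaf lifetimes;
# the private CA does not, so the EAP cert can outlive any public one.
eap_valid_after_days() {
    openssl x509 -in "$WORK/eap.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

main() {
    make_internal_ca
    make_eap_cert
    make_guest_csr
    echo "EAP cert issuer:  $(openssl x509 -in "$WORK/eap.pem" -noout -issuer)"
    echo "EAP cert expires: $(openssl x509 -in "$WORK/eap.pem" -noout -enddate)"
    eap_trusted_by_managed_device && echo "managed device: EAP chain OK"
    eap_rejected_by_public_roots && echo "guest device:   EAP cert rejected (expected)"
    echo "guest CSR to submit to a public CA: $WORK/guest.csr"
}

main
```

Run it as-is to see the issuer and expiry of the EAP certificate and the two verification outcomes; set WORK to keep the files somewhere other than a temporary directory. The same script structure also works if the EAP certificate is later re-issued with a different lifetime or a different SAN, which is the flexibility the reply is pointing at.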