Occasional Contributor II

Clearpass Certs - Why Separate?

When configuring Clearpass for both RADIUS and Guest Access, I am curious why the recommendation is to have separate certificates for each.

If you don't have an internal PKI and want trusted certs for Radius, you need to get a publicly signed cert. Same goes for Guest. There is a white paper that suggests to get a separate cert for each. Why not apply the same Cert to both RADIUS and HTTPS and save money? It's the same server name.

The only thing I can think is that if one of the certs gets compromised, then really both have been compromised.

Thanks!


Guru Elite

Re: Clearpass Certs - Why Separate?

The short, brief answer is for flexibility. There are a lot of discussions about certs that need to happen when deploying 802.1X. It's best to reach out to your Aruba ClearPass partner so they can assist with that discussion and design.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Clearpass Certs - Why Separate?


Airhead123 wrote:

When configuring Clearpass for both RADIUS and Guest Access, I am curious why the recommendation is to have separate certificates for each.

If you don't have an internal PKI and want trusted certs for Radius, you need to get a publicly signed cert. Same goes for Guest. There is a white paper that suggests to get a separate cert for each. Why not apply the same Cert to both RADIUS and HTTPS and save money? It's the same server name.

The only thing I can think is that if one of the certs gets compromised, then really both have been compromised.

Thanks!



Tcappalli is right about flexibility.


The guest certificate needs to be public so that users whose devices you do not control do not get errors on their webpage. For 802.1x and devices in a domain, it is more likely that you (1) control those devices and (2) you can produce your own self-signed domain-signed server certificate that you can allow to be as valid as long as you want. Having a single certificate would not give you that flexibility.



Colin Joseph
Aruba Customer Engineering
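The two trust audiences Colin describes can be modelled locally with openssl. The script below is an added example, not code from the thread or from Aruba: it builds a stand-in "public" root and an internal root, issues a portal certificate from the public root and a RADIUS/EAP certificate from the internal root (with the long validity an internal CA allows), and then checks each certificate against a guest-device trust store (public roots only) and a managed-device trust store (public plus internal root). The CA names, the server name clearpass.example.com and the trust-store layout are all constructed for the example; only openssl and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): two CAs, two trust stores, two server certs.
set -eu

WORK=$(mktemp -d)

# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
export OPENSSL_CONF="$WORK/openssl.cnf"

# Create a self-signed root CA: $1 = file basename, $2 = CN (constructed names).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -extensions ca_ext \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a server certificate for clearpass.example.com (constructed name).
# $1 = file basename, $2 = issuing CA basename, $3 = validity in days.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=clearpass.example.com" >/dev/null 2>&1
    printf 'subjectAltName=DNS:clearpass.example.com\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days "$3" -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Print "yes" if $1 chains to a root in the bundle $2, otherwise "no".
cert_trusted_by() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

make_root_ca public-root   "Stand-in Public Root CA"   # plays the role of a commercial CA
make_root_ca internal-root "Example Corp Internal CA"  # the organisation's own PKI

# Guest devices only carry public roots; managed domain devices also carry the internal root.
cp "$WORK/public-root.crt" "$WORK/guest-device-trust.pem"
cat "$WORK/public-root.crt" "$WORK/internal-root.crt" > "$WORK/managed-device-trust.pem"

issue_server_cert portal public-root   365   # public CAs limit certificate lifetime
issue_server_cert radius internal-root 1825  # internal CA: the organisation picks the lifetime

# Show which audience accepts which certificate, and each certificate's expiry.
for cert in portal radius; do
    echo "$cert.crt: guest=$(cert_trusted_by "$WORK/$cert.crt" "$WORK/guest-device-trust.pem")" \
         "managed=$(cert_trusted_by "$WORK/$cert.crt" "$WORK/managed-device-trust.pem")"
    openssl x509 -in "$WORK/$cert.crt" -noout -enddate
done
```

The output makes the trade-off concrete: the portal certificate is accepted by both stores, while the internally issued RADIUS certificate is accepted only by managed devices. A single certificate would therefore have to be the public one for every service, giving up the long validity and self-service renewal that the internal CA provides for the EAP server certificate.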
