Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Radius Certificate - Replace internal with GoDaddy

  • 1.  Clearpass Radius Certificate - Replace internal with GoDaddy

    Posted Aug 05, 2015 06:12 PM

    Hello, thanks for your help.  We have an SSID with 802.1x WPA2 auth.  Currently when Windows laptops connect to the SSID they have to uncheck "validate server certificate" in order to not get a warning when they sign on to the wifi.  Our clearpass RADIUS certificate is from our Active Directory domain controller/CA.  Our clearpass server's hostname, for the sake of argument, is clearpass.corp.abc.biz.  We have a wildcard cert from GoDaddy that is for *.corp.abc.biz.

    If I replace the current Clearpass RADIUS server certificate (from our Active Domain Controller) with the GoDaddy cert, will this cause any disruption to our wifi clients?  Will they have to "forget" the wifi network and reconnect?  Will this cause authentication to fail?  Thanks.



  • 2.  RE: Clearpass Radius Certificate - Replace internal with GoDaddy

    EMPLOYEE
    Posted Aug 05, 2015 06:15 PM
    You cannot use wildcard certs for .1x on Windows devices.



    Thank you,
    Troy Arnold
    Sorry for any typos sent from my mobile


  • 3.  RE: Clearpass Radius Certificate - Replace internal with GoDaddy

    EMPLOYEE
    Posted Aug 05, 2015 06:15 PM

    You should not use a wildcard certificate for RADIUS. You will need to request a standard SSL certificate.

    Once you do that, since clients are configured to not validate the cert (not recommended), the clients should still be able to authenticate successfully.

     

    Also, it sounds like you are referring to the informational box that pops up asking you to trust the certificate? Using a public certificate will not stop this message. This is a normal part of EAP-PEAP. The only way for that message to not appear during the first connection is to preconfigure your clients using something like Group Policy, Profile Manager, MDM, QuickConnect, etc.



  • 4.  RE: Clearpass Radius Certificate - Replace internal with GoDaddy

    Posted Aug 05, 2015 06:33 PM

    Thanks guys.  We currently have to uncheck this box in order to sign on to the wifi.  I was hoping by replacing my Clearpass Radius certificate (from my Domain controller) with the GoDaddy one that we would no longer have to uncheck this box.  But maybe this is not the case?  Thanks.

     

    [Attachment: step 7.jpg]



  • 5.  RE: Clearpass Radius Certificate - Replace internal with GoDaddy

    EMPLOYEE
    Posted Aug 05, 2015 06:35 PM

    Yes. You should never uncheck validate server certificate or clear the server name check.

     

    How long have you been running it this way? It's a huge security risk. You might want to have your users change their passwords once you deploy the new certificate.
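Added example (not from this thread, HPE Aruba or Microsoft): a stdlib-only Python audit of a Windows wireless profile XML, in the shape `netsh wlan export profile` writes, that flags the two client settings replies 3 and 5 warn about: "Validate server certificate" unchecked and the server-name check cleared. The profile fragment is constructed and the PEAP element names are assumed to match Microsoft's profile schema, so confirm the tags against a real export before running it across a fleet.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the PEAP section of a Windows WLAN profile in the shape
# "netsh wlan export profile" produces, trimmed to the settings that matter.
# "Validate server certificate" is unchecked and no server name is required.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <ServerNames></ServerNames>
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
            <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
          </PeapExtensions>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
"""

# The same profile with validation turned back on and the RADIUS server name
# pinned (clearpass.corp.abc.biz is the hostname used in the thread).
HARDENED_PROFILE = (
    WEAK_PROFILE.replace("<ServerNames></ServerNames>", "<ServerNames>clearpass.corp.abc.biz</ServerNames>")
    .replace(">false</PerformServerValidation>", ">true</PerformServerValidation>")
    .replace(">false</AcceptServerName>", ">true</AcceptServerName>")
)

def _first(root, local_name):
    # First element with this local tag name, ignoring the many XML namespaces.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None

def audit_peap_profile(xml_text):
    """Return the list of weaknesses in a PEAP WLAN profile (empty means it passes)."""
    root = ET.fromstring(xml_text)
    findings = []
    perform = _first(root, "PerformServerValidation")
    if perform is None or (perform.text or "").strip().lower() != "true":
        findings.append("server certificate validation is not enabled")
    names = _first(root, "ServerNames")
    if names is None or not (names.text or "").strip():
        findings.append("no RADIUS server name is pinned")
    return findings
```

Run it over the XML files an export produces for each SSID; a non-empty result is a client that will accept any RADIUS server presenting any certificate, which is why reply 5 suggests a password reset once the proper certificate and profile are deployed.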