09-24-2015 07:51 AM
We recently expanded our ClearPass from 2 servers (publisher and subscriber) to 4 servers (publisher and 3 subscribers). Running 6.5 patch 3. We have a public cert (RADIUS and SSL are the same public cert). We use CPPM to send system-owned Windows domain machines to Active Directory for 802.1X authentication. We also use CPPM for onboarding personal (non-system-owned) machines and also to onboard system-owned (non-domain) devices. We are discussing the proper steps to implement a new public cert, since we have added the additional servers.
We have thousands of devices that are already onboarded, and are trying to understand fully what to expect when installing a new public cert for CPPM (RADIUS/SSL).
1) For devices that are already onboarded, when we install the new public cert on the 4 CPPMs will this break the previously onboarded user's connectivity?
2) If yes, will those devices have to fully re-onboard to get the new cert? Can you help me understand why specifically? We had a meeting with our server and security team and this question came to light. Trying to wrap our heads around why specifically.
3) Is there any correlation between the public cert and the Onboard (ClearPass-issued) cert?
Say our ClearPass-issued Onboard cert is good for X number of days, so depending upon when you enroll is when you have to re-onboard again, I believe. If a user onboards a device, then a month later our public cert expires, will they have to re-onboard that soon because of the public cert?
Do we need to consider anything for the ClearPass cert when we do the public cert?
4) Are there any recommendations or best practices?
09-24-2015 08:05 AM - edited 09-24-2015 08:07 AM
1) If Onboard was configured to trust an exact server certificate instead of the signing CA, then your clients will likely receive a popup asking them to accept the new certificate.
2) Shouldn't have to. Most devices will receive a popup. You will however want to reconfigure your provisioning and network profiles so new devices receive the correct settings.
3) In the case of using a public RADIUS server certificate, no. They serve separate functions.
4) Try to use the same RADIUS server certificate on all servers. It eliminates quite a few issues.