Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Clearpass onboard Certificates

Hi guys,

1. Is there any special reason for ClearPass to push the RADIUS certificate into the trusted root certificate authorities store in Windows? I am a little confused by this.... I was thinking it should only push the root CA and the intermediate CA, but what is the reason to push the ClearPass RADIUS certificate to the users?

2. My RADIUS certificate is expiring in a couple of days.... the other 2 certificates highlighted in my attached image are showing the root CA and my intermediate CA, so my next question is: if I renew the RADIUS certificate in ClearPass, does it need to have the same CN? Or can it be any name, as long as the device has the root CA and the intermediate CA it will be able to validate the RADIUS server identity?

Thanks

MVP
Posts: 520
Registered: ‎05-11-2011

Re: Clearpass onboard Certificates

Hello!

In regards to question #2..

Is this just for Onboard or company 802.1x?

In general for 802.1x..

In your Windows SSID profile - do you have "Validate Certificate" checked? Also - do you have "Connect to these servers" with an FQDN entered in here?

If you do - then you absolutely don't want to change the CN in the certificate since that would cause Windows to NOT connect. In ClearPass you would be seeing a lot of timeouts with errors like "Client did not complete EAP transaction".

If you want to change the CN you should change the GPO that pushes your SSID profiles and add the new name as a valid server name to connect to.

For Onboard.. If you change the RADIUS CN I'm pretty sure it would break the certificate validation for the currently enrolled devices and make them unable to log on. Depending on the type of device it might just cause them to get a popup just to authenticate connecting to that new server. Still - more noise for support which I'm sure you don't want ;)

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: Clearpass onboard Certificates

If that is the case, evidently something is not working for me. I am attaching a couple of screenshots of how my Windows computer is set up, and then I changed the RADIUS cert in ClearPass and the computer is still able to connect... btw all these certs and the profile were pushed by QuickConnect the first time the device onboarded...

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Clearpass onboard Certificates

1) It's to ensure the broadest compatibility between clients.

2) If the supplicant is configured to validate the root CA and common name, you should be fine with a new certificate from the same issuer with the same common name.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
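As an added illustration (not code from this thread, from Aruba, or from the Windows supplicant), the following Python models the three settings the replies above turn on: "Validate server certificate", the trusted root ticked in the profile, and "Connect to these servers". The CA names, the two-tier chain, and the exact case-insensitive CN match are constructed assumptions; the real Windows matching rules are more involved, but the model shows why a renewed certificate with the same issuer and CN keeps working while a new CN fails only when a server name is pinned.

```python
from dataclasses import dataclass

@dataclass
class ServerCert:
    subject_cn: str       # CN the RADIUS server presents during EAP
    issuer: str           # CA that signed it (root or intermediate)
    days_to_expiry: int

@dataclass
class SupplicantProfile:
    validate_server_cert: bool   # "Validate server certificate" checkbox
    trusted_roots: frozenset     # roots ticked in the profile's trust list
    server_names: str = ""       # "Connect to these servers", semicolon-separated

# Constructed CA hierarchy (assumption): each CA maps to the CA that signed it;
# a root CA signs itself.
CHAIN = {
    "Example Root CA": "Example Root CA",
    "Example Issuing CA": "Example Root CA",
}

def supplicant_decision(cert, profile, chain=CHAIN):
    """Return (accepted, reason) for a RADIUS server certificate under a profile."""
    if not profile.validate_server_cert:
        return True, "server validation disabled: any certificate is accepted"
    if cert.days_to_expiry <= 0:
        return False, "server certificate has expired"
    # Walk issuer links until we reach a root the profile trusts, or run out of chain.
    issuer, seen = cert.issuer, set()
    while issuer not in profile.trusted_roots:
        if issuer in seen or issuer not in chain or chain[issuer] == issuer:
            return False, f"chain does not anchor to a trusted root (stopped at {issuer!r})"
        seen.add(issuer)
        issuer = chain[issuer]
    # "Connect to these servers" pins the name; an empty list skips the name check.
    names = {n.strip().lower() for n in profile.server_names.split(";") if n.strip()}
    if names and cert.subject_cn.lower() not in names:
        return False, f"CN {cert.subject_cn!r} is not in the allowed server names"
    return True, f"chain anchors to {issuer!r}; name check {'passed' if names else 'skipped'}"

if __name__ == "__main__":
    pinned = SupplicantProfile(True, frozenset({"Example Root CA"}), "radius.example.com")
    expiring = ServerCert("radius.example.com", "Example Issuing CA", 3)
    renewed_same_cn = ServerCert("radius.example.com", "Example Issuing CA", 365)
    renewed_new_cn = ServerCert("nac.example.com", "Example Issuing CA", 365)
    for c in (expiring, renewed_same_cn, renewed_new_cn):
        print(c.subject_cn, supplicant_decision(c, pinned))
```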
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Clearpass onboard Certificates

Reboot the machine and see if it still authenticates.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 58
Registered: ‎05-22-2016

Re: Clearpass onboard Certificates

No, it is still working. I rebooted the computer and it is still authenticating the user...
