04-18-2017 08:36 PM
1. Is there any special reason for ClearPass to push the RADIUS certificate into the Trusted Root Certification Authorities store in Windows? I am a little confused by this. I was thinking it should only push the root CA and the intermediate CA, but what is the reason to push the ClearPass RADIUS certificate to the users?
2. My RADIUS certificate is expiring in a couple of days. The other two certificates highlighted in my attached image are the root CA and my intermediate CA, so my next question is: if I renew the RADIUS certificate in ClearPass, does it need to have the same CN? Or can it be any name, as long as the device has the root CA and the intermediate CA, and it will still be able to validate the RADIUS server identity?
04-19-2017 12:17 AM
In regards to question #2..
Is this just for Onboard or company 802.1x?
In general for 802.1x..
In your Windows SSID profile - do you have "Validate Certificate" checked? Also - do you have "Connect to these servers" with a fqdn entered in here?
If you do, then you absolutely don't want to change the CN in the certificate, since that would cause Windows to NOT connect. In ClearPass you would be seeing a lot of timeouts with errors like "Client did not complete EAP transaction".
If you want to change the CN, you should change the GPO that pushes your SSID profiles and add the new name as a valid server name to connect to.
For Onboard: if you change the RADIUS CN, I'm pretty sure it would break the certificate validation for the currently enrolled devices and make them unable to log on. Depending on the type of device, it might just cause them to get a popup to authenticate connecting to that new server. Still, more noise for support, which I'm sure you don't want ;)
-ACMX #316 :: ACCP-
Intelecom - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
04-19-2017 07:41 AM
If that is the case, evidently something is not working for me. I am attaching a couple of screenshots of how my Windows computer is set up. I then changed the RADIUS cert in ClearPass and the computer is still able to connect... BTW, all these certs and the profile were pushed by QuickConnect the first time the device onboarded...
04-19-2017 08:19 AM
1) It's to ensure the broadest compatibility between clients.
2) If the supplicant is configured to validate the root CA and common name, you should be fine with a new certificate from the same issuer with the same common name.
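The two replies above both turn on the same supplicant settings: whether "Validate server certificate" is on, which root CA thumbprints are trusted, and which names are listed under "Connect to these servers". The following is an added example (not ClearPass, Aruba or Microsoft code, and not part of this thread) that reads those settings from a Windows WLAN profile in the shape that `netsh wlan export profile` produces, then models the verdict for a renewed RADIUS certificate with the same CN versus a new CN. The profile XML, thumbprint and host names are constructed placeholders; the name-matching rule (case-insensitive exact match plus a leading `*.` wildcard) and the treatment of a missing `PerformServerValidation` element as "validation off" are assumptions made for the example.

```python
"""Read the server-validation settings of an exported Windows PEAP WLAN profile
and decide whether a given RADIUS server certificate would be accepted.

Added example for this thread; not ClearPass/Aruba/Microsoft code.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample, trimmed to the elements that matter for server validation.
# Shape follows what `netsh wlan export profile name="Corp-WiFi" folder=C:\temp`
# writes for a PEAP (EAP type 25) profile; thumbprint and names are placeholders.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-WiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                <ServerNames>radius.example.com;radius2.example.com</ServerNames>
                <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
              </ServerValidation>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def _local(tag):
    """Drop the XML namespace so elements can be matched by local name only."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [el for el in root.iter() if _local(el.tag) == name]


def _norm_thumbprint(text):
    """Windows stores SHA-1 thumbprints as space-separated hex; normalise them."""
    return re.sub(r"[^0-9a-f]", "", (text or "").lower())


@dataclass
class ServerValidation:
    enabled: bool            # "Validate server certificate" checkbox
    server_names: list       # "Connect to these servers" entries
    trusted_roots: list      # thumbprints ticked under Trusted Root CAs
    prompt_disabled: bool    # "Don't prompt user to authorize new servers"


def parse_server_validation(profile_xml):
    root = ET.fromstring(profile_xml)
    perform = _find_all(root, "PerformServerValidation")
    # Assumption: an absent PerformServerValidation element is treated as unchecked.
    enabled = bool(perform) and (perform[0].text or "").strip().lower() == "true"
    names_el = _find_all(root, "ServerNames")
    names = []
    if names_el:
        names = [n.strip().lower() for n in (names_el[0].text or "").split(";") if n.strip()]
    roots = [_norm_thumbprint(el.text) for el in _find_all(root, "TrustedRootCA")]
    prompt = _find_all(root, "DisableUserPromptForServerValidation")
    prompt_disabled = bool(prompt) and (prompt[0].text or "").strip().lower() == "true"
    return ServerValidation(enabled, names, roots, prompt_disabled)


@dataclass
class PresentedCert:
    subject_cn: str
    san_dns: tuple
    chain_root_thumbprint: str   # root that the presented chain terminates in


def _name_matches(pattern, name):
    # Assumption for this example: exact case-insensitive match, or a leading
    # "*." wildcard that covers exactly one label.
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return pattern == name


def supplicant_verdict(sv, cert):
    """Return (accepted, reason) for a server certificate under these settings."""
    if not sv.enabled:
        return True, "server validation off: any certificate is accepted"
    if sv.trusted_roots and _norm_thumbprint(cert.chain_root_thumbprint) not in sv.trusted_roots:
        return False, "chain does not end in a trusted root"
    if sv.server_names:
        presented = [cert.subject_cn, *cert.san_dns]
        if not any(_name_matches(p, n) for p in sv.server_names for n in presented):
            if sv.prompt_disabled:
                return False, "name not in server list and prompting disabled: silent failure"
            return False, "name not in server list: user would be prompted"
    return True, "accepted"


if __name__ == "__main__":
    sv = parse_server_validation(SAMPLE_PROFILE)
    root = "00112233445566778899aabbccddeeff00112233"   # matches the sample profile
    renewed = PresentedCert("radius.example.com", ("radius.example.com",), root)
    renamed = PresentedCert("clearpass.example.com", ("clearpass.example.com",), root)
    print("same CN, same issuer:", supplicant_verdict(sv, renewed))
    print("new CN, same issuer: ", supplicant_verdict(sv, renamed))
```

Run against a real export (`netsh wlan export profile name="<profile>" folder=<dir>`, then pass the file contents to `parse_server_validation`) to see what a client actually enforces. If `enabled` comes back false, a changed CN or even a different issuer will not stop the connection, which is the behaviour the "still able to connect" observation above would be consistent with; the thumbprints and names here are placeholders and tell you nothing about any specific deployment.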