Occasional Contributor II

Distributed Deployment

Hi Experts,

My CPPM nodes will be deployed as a distributed deployment design. In this design, do we need to have a certificate for each node, or can we just use a wildcard certificate for the cluster?

Thanks

Guru Elite

Re: Distributed Deployment

For HTTPS, you can use a single certificate with SANs, individual certs or a wildcard cert.

For EAP, you'd use a single generic certificate across the whole cluster.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Distributed Deployment

Hi cappalli,

Thanks for the feedback, but what do you mean by saying that for EAP I should use a generic certificate across the deployment?

I still need to manually import it into each node, right?

Thanks

Guru Elite

Re: Distributed Deployment

Yes, you'll still need to import it, but you should use the same certificate for EAP across the whole cluster. Something generic (networklogin.domain.xyz, clearpass.domain.xyz, secureauth.domain.xyz, etc.)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Distributed Deployment

Hi cappalli,

Thanks for the feedback.

In addition to this concern, is it possible in ClearPass to do EAP-Chaining so that it will check machine auth and user auth before giving access to the endpoint?

Technically, my endpoint has a machine certificate and a user certificate, right?

Thanks

Guru Elite

Re: Distributed Deployment

EAP-chaining is a Cisco proprietary method that requires client software on the device.


ClearPass uses native Computer + User authentication that's baked into Windows.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Distributed Deployment

Hi cappalli,

How can I do that in ClearPass, the method you are talking about?

Thanks.

Guru Elite

Re: Distributed Deployment

You may want to work with your Aruba partner. 802.1X needs to be carefully planned out to be successful.


ClearPass will automatically tag the authentication with [Machine Authenticated] when the computer account is used and [User Authenticated] when the user account is used. You can write a rule that checks for both of them. You also need to be sure the supplicant is configured correctly via group policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Distributed Deployment

Hi cappalli,

But this machine and user authentication can come from the machine cert and user cert, right?

Thanks

Guru Elite

Re: Distributed Deployment

Yes, although using EAP-TLS on shared machines with computer + user is not recommended as the user certificate has to be downloaded into the local user store prior to authentication which creates a race condition.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480