Occasional Contributor II

Multiple server certificates in Clearpass?

Hi there,

 

We're currently in the process of migrating clients to use EAP-TLS. As part of the migration we need to install a second Radius server certificate on our clearpass boxes to sit alongside an existing server certificate. Is this something we're able to do?

 

We don't currently have a test environment, so it's not something we can verify in a lab environment.

 

We're running Clearpass 6.6.0

 

Thanks

Guru Elite

Re: Multiple server certificates in Clearpass?

Are the EAP-TLS certificates being issued by the same CA as the existing server certificate?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Multiple server certificates in Clearpass?

Yes, they will be.

Guru Elite

Re: Multiple server certificates in Clearpass?

If the EAP-TLS certificates are issued by the same CA, you do not have to change the server certificate for the clients to work. Your EAP-TLS clients would still have to have the issuing CA's certificate in their trust store, just like the EAP-PEAP clients.

 

If the EAP-TLS certificates are issued by a different CA, your clients would still have to trust the existing server certificate, but you would also have to upload the issuing CA's certificate into the ClearPass radius server's trust list under Certificates> Trust List.



Colin Joseph
Aruba Customer Engineering


MVP

Re: Multiple server certificates in Clearpass?

There can only be one! One Radius cert for your Clearpass cluster..

 

You say "It will be" - what does that mean?

That in the migration period you will have two separate CAs and end up with the new one only?

 

I'm assuming you are going from EAP-PEAP to EAP-TLS. That means you will have to update the GPOs for the clients to reflect this change.

 

Just for the baseline to get this to work (with security intact)

1. The clients will have to have the rootCA certificate of the Radius server certificate in their Trusted Root Auth cert-store

2. The clients will have to have a list of the radius server names they need to trust

3. The clients need to change their Auth method from EAP-PEAP to "Smartcard or other .."

 

If you are also changing RootCA then you would have to do this in several steps to ensure all clients are updated with the new RootCA in their Trusted Root certstore.

 

If so..

1. Update GPOs to push the new RootCA and most likely push client certs at the same time. This is to prepare for the EAP-TLS transition.

2. Update Clearpass Radius cert from the new RootCA using the same servername. Keeping the same name should make the clients keep trusting the Radius server, and since they trust the RootCA they will trust the certificate..

3. Update client GPOs to change 802.1X authentication to "Smartcard or other.."

 

.. I think ;)


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Occasional Contributor II

Re: Multiple server certificates in Clearpass?

To confirm - We're currently using EAP-PEAP for client connectivity, but looking to move to EAP-TLS.

 

The main issue we're up against, and hence the query, is that we'll be using a global policy for EAP-TLS connectivity on the client, and the configuration for Windows has the 'Connect to these servers' option enabled, which is referencing the FQDNs of 2 x server certificates that we do not currently have installed on our Clearpass servers. On testing, this is currently causing a certificate mismatch error, and requires a manual connect to the SSID.

 

Obviously, we'd like to stick to using the global policy, so our current thinking is that we install the Radius certificates matching the FQDN in the policy, allowing clients to connect via EAP-TLS once the updated policy is applied to their machines.

 

Both the existing and the new certificates are issued by the same CA.

Guru Elite

Re: Multiple server certificates in Clearpass?

You should add a "connect to these servers" entry for your existing radius (ClearPass?) server for this to work. "Connect to these servers" is supposed to limit what actual radius servers your clients can connect to, vs. just Validate, which would allow your client to connect to anything in your client's trusted store.

 

To test this, you should create an OU that has the new group policy settings and put your test client machines in it, so that you don't affect production clients.



Colin Joseph
Aruba Customer Engineering

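A pre-flight check that ties together John Solberg's baseline (root CA in the Trusted Root store, a list of RADIUS server names the clients trust) and Colin Joseph's point that "Validate server certificate" alone accepts anything chaining to a trusted root while "Connect to these servers" additionally pins the name. This is an added example for readers of the thread, not code from Aruba or from any poster: it takes an exported ClearPass RADIUS certificate and the semicolon-separated server list from the GPO and reports both decisions side by side, so a mismatch like the one described above shows up before the policy is pushed. The file path and the two server names are placeholders; the check reads the subject CN and any DNS SANs (the Microsoft text quoted below refers to the subject field, so the SAN match is an assumption about newer clients), and the `DNS Name=` parsing assumes an English-language Windows.

```powershell
# Added example (not from the thread): compare a RADIUS server certificate against a
# Windows 802.1X "Connect to these servers" list before the GPO goes to production.
param(
    # Placeholder: the ClearPass RADIUS certificate exported as DER or Base64 .cer
    [string]$CertPath    = 'C:\temp\clearpass-radius.cer',
    # Placeholder: exactly what the policy lists, semicolon separated
    [string]$ServerNames = 'clearpass1.example.com;clearpass2.example.com'
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# Decision 1: "Validate server certificate" only. Does the cert chain to a root that this
# machine already trusts (Trusted Root Certification Authorities store)?
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)
$root = $null
if ($chain.ChainElements.Count -gt 0) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

# Collect the names a client could compare: subject CN plus DNS entries in the SAN extension.
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Assumption: English Windows formats entries as "DNS Name=host, DNS Name=host2"
    $san.Format($false) -split ',' | ForEach-Object {
        if ($_.Trim() -match '^DNS Name=(.+)$') { $names += $Matches[1] }
    }
}

# Decision 2: "Connect to these servers". The name must match one policy entry exactly.
$allowed   = $ServerNames -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$nameMatch = @($names | Where-Object { $allowed -contains $_ }).Count -gt 0

[pscustomobject]@{
    Subject        = $cert.Subject
    ChainBuilds    = $chainOk                      # what "Validate" alone decides
    RootThumbprint = if ($root) { $root.Thumbprint } else { $null }
    CertNames      = ($names -join '; ')
    PolicyNames    = ($allowed -join '; ')
    NameInPolicy   = $nameMatch
    WouldConnect   = ($chainOk -and $nameMatch)    # what "Connect to these servers" decides
}
```

Run it on a test client from the OU Colin describes: `ChainBuilds = True` with `NameInPolicy = False` is exactly the state the original poster is seeing, and the fix is either to add the existing ClearPass server name to the list or to install a certificate whose name is already in it.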

Guru Elite

Re: Multiple server certificates in Clearpass?

"To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in Connect to these servers, type the name of each RADIUS server, exactly as it appears in the subject field of the server's certificate. Use semicolons to specify multiple RADIUS server names."

https://msdn.microsoft.com/en-us/library/dd759247(v=ws.11).aspx



Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: Multiple server certificates in Clearpass?

Why not just take one of the "old" certificates and use it on your ClearPass servers?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480