Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS server certificate changes

  • 1.  RADIUS server certificate changes

    Posted Mar 07, 2018 04:10 PM

    I'm planning on importing a signed certificate from our intermediate CA onto a subscriber server as a test to verify functionality. I have a couple of questions about doing this that I haven't been able to find an explicit answer on. I have read the Certificate 101 document, scanning for bits that are relevant, and it sounds as if my concerns are unfounded :)


    1. Is the RADIUS server certificate used for any cluster authentication? If I change our one subscriber server to use a new internal CA signed cert, will it break cluster auth?

    2. Is the RADIUS server certificate used for authentication between an Aruba wireless controller and ClearPass? If I change out this subscriber's certificate, will it affect users who are attempting RADIUS authentication from the controller? (e.g. a guest wireless network that prompts the user to accept an AUP page) Or is this the purpose of the HTTPS certificate?


    I know, very newbish questions.  Any help in clarification would be awesome!



  • 2.  RE: RADIUS server certificate changes
    Best Answer

    EMPLOYEE
    Posted Mar 07, 2018 04:12 PM
    1) No (assuming the EAP server cert is not also used for HTTPS)
    2) No certificates are used between the controller and ClearPass


  • 3.  RE: RADIUS server certificate changes

    Posted Mar 07, 2018 05:57 PM

    I was able to successfully import a RADIUS certificate to one of my subscribers, point an 802.1X-enabled switch to that server, and authenticate against it with an internal PKI-signed machine cert. My only concern is in the ClearPass Onboarding certificate area, where it notes the following:


    "The RADIUS server certificate need not be a certificate issued by a trusted commercial certificate authority. However, if you are running ClearPass as a cluster, each server in the cluster must use a certificate signed by the same root certificate authority."


    My subscriber hasn't dropped, so it appears to be fine. I'm going to update the others in quick succession to use the same root CA, hopefully tomorrow. Is the above quote relevant at all, or is there a timeout where a subscriber may drop if it doesn't have a cert signed by the same CA?



  • 4.  RE: RADIUS server certificate changes

    EMPLOYEE
    Posted Mar 08, 2018 06:05 AM

    The RADIUS certificate is not used in any way for the cluster communication. So it is expected that your clustering is unaffected.

     

    About the RADIUS certificates and the same root: if you have a ClearPass cluster, every node CAN have a different RADIUS certificate. As soon as a client roams, or moves from a location that uses one ClearPass server to a location that uses a different RADIUS server, the client will see a different RADIUS server certificate. The paragraph you refer to explains that this is likely to work for the client as long as the root CA does not change. To avoid the complexity, most customers put the same RADIUS certificate on every ClearPass node in a cluster. In that case, it doesn't matter on which server the authentication request lands; it's the same cert anywhere, and the client doesn't even notice that it's communicating with another server.
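    The "same root CA on every node" condition from the quoted paragraph can be checked before clients roam. The script below is an added example, not ClearPass code or anything from this thread: it builds a constructed three-node cluster with throwaway certificates (hostnames cppm1-3 and the CA names are hypothetical) and verifies each node's RADIUS/EAP server certificate against the root the clients trust, flagging any node whose certificate was issued under a different root.

    ```shell
    #!/bin/sh
    # Constructed demo: confirm every cluster node's RADIUS/EAP server certificate
    # chains to the one root CA that supplicants trust, so a roaming client keeps
    # trusting the EAP server no matter which ClearPass node answers.
    set -e
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT

    # Self-signed root CA (hypothetical name).  $1 = CA name
    make_root_ca() {
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
    }

    # Server certificate for one node, issued by the named root.  $1 = host, $2 = CA
    make_server_cert() {
      openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
      openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
        -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" >/dev/null 2>&1
    }

    # Returns 0 only if every listed node certificate verifies against the root.
    # Usage: all_chain_to_root <root.crt> <node1.crt> [<node2.crt> ...]
    all_chain_to_root() {
      root="$1"; shift
      rc=0
      for cert in "$@"; do
        if openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
          echo "OK   $(openssl x509 -noout -subject -in "$cert")"
        else
          echo "FAIL $(openssl x509 -noout -subject -in "$cert")" \
               "($(openssl x509 -noout -issuer -in "$cert"))"
          rc=1
        fi
      done
      return $rc
    }

    # Constructed cluster: two nodes on the internal root, one still on another CA.
    make_root_ca internal-root
    make_root_ca other-root
    make_server_cert cppm1 internal-root
    make_server_cert cppm2 internal-root
    make_server_cert cppm3 other-root

    all_chain_to_root "$WORK/internal-root.crt" "$WORK/cppm1.crt" "$WORK/cppm2.crt" \
      && echo "cppm1+cppm2: consistent root"
    all_chain_to_root "$WORK/internal-root.crt" "$WORK/cppm1.crt" "$WORK/cppm2.crt" \
      "$WORK/cppm3.crt" || echo "cppm3 differs: fix before clients roam to it"
    ```

    For a real cluster, export each node's RADIUS server certificate and pass those files together with the root CA that your supplicants' EAP profiles trust.
    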



  • 5.  RE: RADIUS server certificate changes

    Posted Mar 09, 2018 01:01 PM

    I have found that replacing the RADIUS cert does not cause any cluster issues, as noted here. Thank you all for your feedback and help in understanding this better!