06-27-2016 12:16 AM
Our ClearPass RADIUS certificate is expiring. The certificate comes from a Windows PKI in the domain for the RADIUS service, but the web one is public.
The installation started as domain devices only, and then developed to BYOD. So now all devices that provision for the onboard have to trust the internal PKI, since that is where the RADIUS cert comes from. Authentication is EAP-TLS.
I tested replacing it with a new one this weekend, and it went fairly well. Not only is the RADIUS certificate new, the issuing CA (subordinate CA) certificate has also been renewed for a longer expiry.
Android clients connected fine, domain PCs connected without issues, and BYOD Windows devices also connected fine.
The iPhones/iOS devices didn't want to connect, but came up with a warning about a new certificate when you connected manually, and by pressing accept on the new certificate everything was fine.
However, the Mac computers did not like this at all.
I simply had to remove the installed profile, and reprovision them.
I only had one test device available, and as such I am not too sure it is representative of how it will be for all clients, but I am basically asking if anyone has any experience doing this.
I have a feeling I am doing something wrong if the Mac computers have to reprovision due to a replaced RADIUS certificate.