Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Self signed ClearPass RADIUS server certificates can not be used in a cluster.

  • 1.  Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    Posted Apr 12, 2016 04:52 PM

    I have a ClearPass cluster and I am seeing this error message after changing my RADIUS certificate to a self-signed one.

    I am using the same self signed certificate on each node.

    What problems does this cause, and why can I not use self-signed certs for my RADIUS server?



  • 2.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    EMPLOYEE
    Posted Apr 12, 2016 04:57 PM

    We should have a larger conversation about this.

    1) Are you using Onboard?

    2) Are you authenticating both corporate and non-corporate controlled devices?

    3) Are you pushing network profiles down to devices?



  • 3.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    Posted Apr 12, 2016 05:02 PM

    Are you using Onboard?

    I am using Onboard for non-OSX devices (Android, iOS, ChromeOS, Linux)

    I am also using SCEP enrollment via JAMF for Macs. (These work fine with the self-signed cert)

    Are you authenticating both corporate and non-corporate controlled devices?

    Yes, managed Macs and unmanaged personal mobile devices

    Are you pushing network profiles down to devices?

    Yes, via JAMF and Onboard



  • 4.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    EMPLOYEE
    Posted Apr 12, 2016 05:04 PM

    For the Onboarded devices, are you doing single or dual SSID Onboard?



  • 5.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    Posted Apr 12, 2016 05:06 PM

    Dual SSID - they connect to our "guest" PSK network which can reach CP for provisioning.



  • 6.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    EMPLOYEE
    Posted Apr 12, 2016 05:10 PM

    OK, create a CSR and sign it using your Onboard CA. You can use the same cert on all your boxes.


  • 7.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    Posted Apr 12, 2016 05:14 PM

    So that seems to be the preferred solution, but why? The first point doesn't apply as I'm using a trusted HTTPS cert. The second seems not to be true on my onboarded iOS 8.1 device.

    I see this in the certificates technote:

    1. The first is where the iOS device won’t Onboard if the web server certificate is not from a trusted source.

    2. The second one is where the Onboard process has to ensure the server certificate installed on the server for 802.1x termination is also provisioned to the device to complete the trust chain.



  • 8.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    EMPLOYEE
    Posted Apr 12, 2016 05:18 PM

    I'm not sure what you're asking. If you choose to use a private RADIUS server cert, it should be signed by the Onboard CA.



  • 9.  RE: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

    Posted Apr 12, 2016 05:38 PM

    Ah, OK. I'm using a self-signed cert (no chain) for my RADIUS cert. The same self-signed cert is on both cluster members.

    I believe you're recommending using a private cert signed by a CP CA. This would have a chain (radius cert CA -> radius cert CA signing -> radius cert)

    Why is this chain important? Do I need to use a private cert, or can I just use the self-signed cert?
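Why the chain matters, shown as an added example that is not part of this thread or of ClearPass: the Go program below (standard library only; the "Onboard CA" is a constructed stand-in for the ClearPass Onboard CA and radius.example.test is a placeholder hostname) issues a self-signed RADIUS server certificate and a CA-signed one, then checks each the way a supplicant would. A device that pinned the self-signed cert rejects any renewed self-signed cert, while a device that trusts only the CA accepts every certificate that CA issues, renewals included, so the trust anchor provisioned to the device survives a server certificate change.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue creates a key pair and certificate for cn (certSign usage marks the CA); with parent nil the new key signs its own certificate, i.e. self-signed, no chain above it.
func issue(cn string, usage x509.KeyUsage, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = t, key // self-signed: the subject key signs its own certificate
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// Trusts reports whether a supplicant whose trust store holds exactly anchor accepts cert as the RADIUS server certificate (no hostname check).
func Trusts(cert, anchor *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}
// Scenario contrasts the thread's two setups: the self-signed RADIUS cert pinned on the device and a renewed self-signed
// cert checked against that pin, versus a cert (and its renewal) issued by the constructed "Onboard CA" with only the CA trusted.
func Scenario() (pinnedOK, pinnedRenewalOK, chainOK, chainRenewalOK bool) {
	ca, caKey := issue("Onboard CA (constructed)", x509.KeyUsageCertSign, nil, nil)
	ss, _ := issue("radius.example.test", x509.KeyUsageDigitalSignature, nil, nil)
	ssRenewed, _ := issue("radius.example.test", x509.KeyUsageDigitalSignature, nil, nil)
	signed, _ := issue("radius.example.test", x509.KeyUsageDigitalSignature, ca, caKey)
	signedRenewed, _ := issue("radius.example.test", x509.KeyUsageDigitalSignature, ca, caKey)
	return Trusts(ss, ss), Trusts(ssRenewed, ss), Trusts(signed, ca), Trusts(signedRenewed, ca)
}

func main() {
	fmt.Println(Scenario()) // true false true true
}
```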