Contributor I
Posts: 21
Registered: ‎02-26-2016

Self signed ClearPass RADIUS server certificates can not be used in a cluster.

I have a ClearPass cluster and I am seeing this error message after changing my RADIUS certificate to a self signed one.

I am using the same self signed certificate on each node.

What problems does this cause, and why can I not use self signed certs for my RADIUS server?

Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

We should have a larger conversation about this.

 

1) Are you using Onboard?

2) Are you authenticating both corporate and non-corporate controlled devices?

3) Are you pushing network profiles down to devices?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 21
Registered: ‎02-26-2016

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

Are you using Onboard?

I am using Onboard for non-OSX devices (Android, iOS, ChromeOS, Linux).

I am also using SCEP enrollment via JAMF for Macs. (These work fine with the self signed cert.)

Are you authenticating both corporate and non-corporate controlled devices?

Yes, managed Macs and unmanaged personal mobile devices.

Are you pushing network profiles down to devices?

Yes, via JAMF and Onboard.

Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

For the Onboarded devices, are you doing single or dual SSID Onboard?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 21
Registered: ‎02-26-2016

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

Dual SSID - they connect to our "guest" PSK network, which can reach CP for provisioning.

Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

OK, create a CSR and sign it using your Onboard CA. You can use the same cert on all your boxes.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 21
Registered: ‎02-26-2016

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

So that seems to be the preferred solution, but why? The first point doesn't apply as I'm using a trusted HTTPS cert. The second seems not to be true on my onboarded iOS 8.1 device.

I see this in the certificates technote:

1. The first is where the iOS device won’t Onboard if the web server certificate is not from a trusted source.

2. The second one is where the Onboard process has to ensure the server certificate installed on the server for 802.1x termination is also provisioned to the device to complete the trust chain.

Guru Elite
Posts: 8,329
Registered: ‎09-08-2010

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

I'm not sure what you're asking. If you choose to use a private RADIUS server cert, it should be signed by the Onboard CA.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 21
Registered: ‎02-26-2016

Re: Self signed ClearPass RADIUS server certificates can not be used in a cluster.

Ah OK, I'm using a self signed cert (no chain) for my RADIUS cert. The same self signed cert is on both cluster members.

I believe you're recommending using a private cert signed by a CP CA. This would have a chain (radius cert CA -> radius cert CA signing -> radius cert)

Why is this chain important? Do I need to use a private cert, or can I just use the self signed cert?
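The two certificate layouts discussed in this thread, as an added example that is not part of any post above and is not ClearPass or Aruba tooling. It uses plain `openssl` with constructed names (`Demo Private Root CA` stands in for a private CA such as the Onboard CA, `radius.example.test` for the server) and shows that a client anchored on the CA still validates a reissued server certificate, while a client trusting a self-signed certificate accepts only that exact certificate.

```shell
#!/bin/sh
# Constructed demo with placeholder names; plain openssl, not ClearPass tooling.
set -eu
WORK=$(mktemp -d)

# Self-signed server cert: issuer == subject, no chain. $1 = output basename.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=radius.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Private root CA (assumed stand-in for a private CA such as the Onboard CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR for the server, signed by the demo CA. $1 = output basename.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# Prints "self-signed" when subject and issuer are identical, else "ca-signed".
cert_kind() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if [ "$s" = "$i" ]; then echo self-signed; else echo ca-signed; fi
}

# Prints "ok" if cert $2 validates against trust anchor file $1, else "fail".
trusts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_self_signed ss1; make_self_signed ss2   # ss2 = a later replacement cert
make_ca; issue_leaf srv1; issue_leaf srv2     # srv2 = a later reissue
echo "client trusts ss1, server presents ss2:  $(trusts "$WORK/ss1.crt" "$WORK/ss2.crt")"
echo "client trusts CA,  server presents srv1: $(trusts "$WORK/ca.crt" "$WORK/srv1.crt")"
echo "client trusts CA,  server presents srv2: $(trusts "$WORK/ca.crt" "$WORK/srv2.crt")"
```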
