04-12-2016 01:51 PM
I have a ClearPass Cluster and I am seeing this error message after changing my RADIUS certificate to a self-signed one.
I am using the same self signed certificate on each node.
What problems does this cause, and why can I not use self-signed certs for my RADIUS server?
04-12-2016 01:56 PM
We should have a larger conversation about this.
1) Are you using Onboard?
2) Are you authenticating both corporate and non-corporate controlled devices?
3) Are you pushing network profiles down to devices?
04-12-2016 02:02 PM
Are you using Onboard?
I am using Onboard for non-OSX devices (Android, iOS, ChromeOS, Linux).
I am also using SCEP enrollment via JAMF for Macs. (These work fine with the self-signed cert.)
Are you authenticating both corporate and non-corporate controlled devices
Yes, managed Macs and unmanaged personal mobile devices.
Are you pushing network profiles down to devices?
Yes, via JAMF and Onboard.
04-12-2016 02:04 PM
For the Onboarded devices, are you doing single or dual SSID Onboard?
04-12-2016 02:10 PM
cert on all your boxes.
04-12-2016 02:13 PM
So that seems to be the preferred solution, but why? The first point doesn't apply, as I'm using a trusted HTTPS cert. The second seems not to be true on my onboarded iOS 8.1 device.
I see this in the certificates technote:
1. The first is where the iOS device won't Onboard if the web server certificate is not from a trusted source.
2. The second one is where the Onboard process has to ensure the server certificate installed on the server for 802.1X termination is also provisioned to the device to complete the trust chain.
04-12-2016 02:18 PM
I'm not sure what you're asking. If you choose to use a private RADIUS server cert, it should be signed by the Onboard CA.
04-12-2016 02:38 PM
Ah, OK. I'm using a self-signed cert (no chain) for my RADIUS cert. The same self-signed cert is on both cluster members.
I believe you're recommending using a private cert signed by a CP CA. This would have a chain (radius cert CA -> radius cert CA signing -> radius cert).
Why is this chain important? Do I need to use a private cert, or can I just use the self-signed cert?
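The chain question above, as an added demonstration that is not part of this thread or of ClearPass: a throwaway private CA (standing in for the Onboard CA that provisioned devices trust) signs a RADIUS server certificate, and `openssl verify`, acting as a supplicant that trusts only that CA, accepts the chained cert and rejects a self-signed one. The names "Example Onboard CA" and "radius.example.test" are constructed placeholders.

```shell
#!/bin/sh
# Added demo, not ClearPass/Onboard code. Shows why a RADIUS (EAP termination)
# cert signed by a CA the device already trusts validates, while a self-signed
# cert with no chain does not. All names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Stand-in for the Onboard CA: the root that onboarded devices are provisioned to trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -keyout ca.key -out ca.crt -subj "/CN=Example Onboard CA" >/dev/null 2>&1

# RADIUS server certificate issued by that CA (issuer = CA subject, so a chain exists).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout radius.key -out radius.csr -subj "/CN=radius.example.test" >/dev/null 2>&1
openssl x509 -req -in radius.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days 2 -out radius-chained.crt >/dev/null 2>&1

# The alternative discussed in the thread: a self-signed RADIUS cert with no chain.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -keyout self.key -out radius-selfsigned.crt -subj "/CN=radius.example.test" >/dev/null 2>&1

# What a supplicant that trusts only the CA does: build and validate the chain.
# Returns 0 when the cert chains to ca.crt, 1 otherwise.
trusted_by_ca() {
  if openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Reports the verdict for one certificate file as a single word.
chain_status() {
  if trusted_by_ca "$1"; then echo trusted; else echo untrusted; fi
}

chain_status radius-chained.crt      # trusted
chain_status radius-selfsigned.crt   # untrusted
```

Pinning the exact self-signed leaf on every device would also work, but then every renewal means re-provisioning every device, whereas a CA-signed RADIUS cert can be rotated as long as it chains to the CA the devices already trust.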