Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Use internal PKI or external certs?

  • 1.  Use internal PKI or external certs?

    Posted Jan 30, 2013 03:08 PM

    We started a ClearPass PoC and configured a couple of different services: internal wireless, onboarding, and guest.  I came across some cert issues that I wasn't expecting.  For instance, we used our internal PKI to generate a cert for CPPM (and Guest) which clients validate when connecting to internal wireless.  This works just fine for laptops that have our root CA installed, but for iPhones and Androids they receive a cert prompt which can confuse users. And for guest, we had to switch to a 3rd party cert to keep guests from receiving cert prompts when reaching the guest captive portal.

     

    In order to avoid the prompts in iOS and for guests, I think I may just use external certs.  I'm interested to know what others are doing.



  • 2.  RE: Use internal PKI or external certs?

    EMPLOYEE
    Posted Jan 30, 2013 03:43 PM

    You can use external certs for (1) the ClearPass Policy Manager RADIUS server (you re-use the same cert for HTTPS if Guest is on the same box) and (2) the SSL certificate for the controller, because it will do a redirect.

     

    - your i-devices must trust them (specifically for onboarding)

    - your macs must trust them (so that they don't see an untrusted message)

    - your android devices will never trust them and will always give you a prompt

    - your domain devices must trust them either out of the box, or you can add it to a group policy to push the CA that issued the cert to your domain clients.

     

     

    -------------------------------

    If you were only doing RADIUS authentication with CPPM, you could issue the RADIUS certificate for CPPM from your own internal CA.

    If you add Guest Services, you need a Public Trusted Cert for (1) CPPM and (2) an SSL Public Trusted cert for the Controller that does the initial redirect.  That will keep guests from seeing an untrusted message.



  • 3.  RE: Use internal PKI or external certs?

    Posted Jan 30, 2013 04:26 PM

    Ahh good point.  I was thinking I'd need two certs for CPPM and guest.

     

    Slightly off topic, but we're not using local termination right now.  While we're testing CPPM I think it would be a good time to consider it.  Do you have any advice regarding EAP termination when using CPPM?



  • 4.  RE: Use internal PKI or external certs?

    EMPLOYEE
    Posted Jan 30, 2013 04:39 PM

    In ClearPass before 6.0, Guest (Amigopod) and CPPM (Radius Server) ran on entirely different servers.  That is why you needed two different certificates.

     

    It is not necessary to do termination, no.



  • 5.  RE: Use internal PKI or external certs?

    Posted Jan 30, 2013 04:51 PM

    I'd like to add that my student guide from the Aruba Boot Camp explains that for server group fail-through to work, AAA FastConnect (aka EAP termination) must be enabled.  If that requirement still exists, then I think I would want to configure termination since I have a CPPM cluster.



  • 6.  RE: Use internal PKI or external certs?

    EMPLOYEE
    Posted Jan 30, 2013 04:56 PM

    So,

    Fail-through is ONLY for if you have multiple authentication sources that have different user databases.  If you simply have multiple RADIUS servers that point to the same database, it is inefficient, because upon a username or password failure, it will check all of them.

    It is less restrictive, if you have CPPM, to put in multiple authentication sources and make decisions based on that, than to use fail-through on the controller.

    For example, if you have two domains, join CPPM to both of them and add both as authentication sources, and CPPM will go through them sequentially.  That would eliminate the need to have termination and put a server certificate on the controller.  As soon as you have more than one controller for redundancy or capacity, this makes even more sense.  You would only need a certificate on CPPM for RADIUS, vs. a server cert for each controller.

    Last, but not least, if you have a CPPM cluster, and all your CPPM servers are pointing to the same backend database like AD, do NOT enable fail-through.  If you have all your CPPM servers in the server group, it will try the first one and it will only go on to the next one if the first one fails to respond.  If you enable fail-through, it will register negative hits on ALL your servers, and that is inefficient.  That will delay the client erroring out, which is essential for good performance.



  • 7.  RE: Use internal PKI or external certs?

    Posted Jan 30, 2013 05:04 PM

    I COMPLETELY misunderstood that feature.  I thought it was for redundancy should one RADIUS server fail, it would move to the next RADIUS server.  Thanks for clarifying.



  • 8.  RE: Use internal PKI or external certs?

    EMPLOYEE
    Posted Jan 30, 2013 05:07 PM

    Check it out.  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-614

     

    Make sure you read the fine print...



  • 9.  RE: Use internal PKI or external certs?

    Posted Feb 01, 2013 02:46 PM

    I wanted to provide an update that I have gone with an external cert.  I'm disappointed to find that iOS is prompting to accept the cert, saying it's not valid.  I've talked to support and verified the trust chain with CPPM.  The server, intermediate, and root CA in the chain all show valid.  Support seems to think there's a problem with the intermediate CA not being trusted by Apple, which I suppose could be true because it's not on the list as a trusted root certificate (it's an intermediate cert).  I thought that was the point of the chain though; the intermediate cert would be trusted if it were issued by the root CA?  I'm at a loss, and so is support, to explain why iOS doesn't recognize the server cert as being valid.  Anyone else experience similar issues with external certs and iOS?



  • 10.  RE: Use internal PKI or external certs?

    Posted Feb 03, 2013 06:02 PM

    This can happen if you don't install the complete cert chain including intermediate certs on CPPM.

     

    iOS does not trust the intermediate certificate, only the root cert.  So the intermediate cert has to be provided somewhere in order for the client to build a complete chain up to the trusted root.

     

    CPPM will accept an incomplete chain but this problem will ensue.  Make sure you copy and paste any necessary intermediate cert(s) when setting up the server certificate in CPPM.



  • 11.  RE: Use internal PKI or external certs?

    Posted Feb 03, 2013 06:18 PM

    CPPM shows the complete chain and every cert appears to be valid.

    Support said that PKCS#12 certs could be imported, which is one of the formats I had.  CPPM said it didn't recognize the cert, though, so I tried the X.509 version I had, which imported just fine but didn't include the full chain.  So I did something kind of janky and modified the .cer file to include the intermediate and root cert.  Surprisingly, the file imported and the chain appeared, but iOS doesn't consider the cert valid.

    Do you know if .cer is the only format supported?  Are there any other formats supported that would include the full chain?


  • 12.  RE: Use internal PKI or external certs?

    Posted Feb 09, 2013 09:44 AM

    In principle you don't need a fancy format; just copy and paste the certificates into one file and import it, and that should do it.  If only iOS devices don't like it and Windows/Android devices do, then it might be some sort of iOS thing.
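
Posts 10 and 12 above make the same point: a client such as iOS trusts only the root, so the server must present its intermediate(s), and the way to get them into CPPM is to paste the leaf and intermediate certificates into one PEM file. The script below is an added example and is not code from this thread or from HPE Aruba. It builds a constructed root -> intermediate -> server chain with openssl, then shows that the server certificate on its own cannot be validated against the root while a concatenated bundle can. Every name in it (Demo Root CA, clearpass.example.test, the files under $WORK) is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from HPE Aruba: builds a throwaway
# root -> intermediate -> server chain with openssl, then shows why a server
# certificate installed without its intermediate cannot be validated by a client
# that only trusts the root, and how a concatenated PEM bundle fixes that.
# All names (Demo Root CA, clearpass.example.test, files in $WORK) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate the three-tier chain. Keys are unencrypted (-nodes) and the
# certificates live for one day, because they exist only to be inspected.
make_chain() {
    # Extensions shared by both CAs: CA:TRUE plus the cert-signing key usage,
    # which openssl (like a real client) requires on any issuer in the path.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"

    # Root CA: self-signed
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -out "$WORK/root.pem" -days 1 -extfile "$WORK/ca.ext" 2>/dev/null

    # Intermediate CA: issued by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -out "$WORK/inter.pem" -days 1 -extfile "$WORK/ca.ext" 2>/dev/null

    # Server (RADIUS / HTTPS) certificate: issued by the intermediate, CA:FALSE
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:clearpass.example.test\n' \
        > "$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=clearpass.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/server.pem" -days 1 -extfile "$WORK/server.ext" 2>/dev/null
}

# Concatenate leaf first, then the intermediate(s): this is the single PEM
# file a copy/paste import expects. The root is not needed in the bundle,
# since a client that does not already trust it gains nothing from receiving it.
build_bundle() {
    cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# Number of PEM certificates in a file: a quick check that a pasted-in bundle
# really carries more than the leaf.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Try to build a path from a certificate to the trusted root. The optional
# second argument is a file of extra, untrusted certificates standing in for
# whatever the server sends alongside its own certificate. Returns 0 on success.
verify_with_root() {
    leaf="$1"
    extra="${2:-}"
    if [ -n "$extra" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$extra" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$leaf" >/dev/null 2>&1
    fi
}

# Print subject and issuer so the links of the chain can be read off.
describe() {
    openssl x509 -in "$1" -noout -subject -issuer
}

make_chain
build_bundle

echo "certificates in bundle: $(count_certs "$WORK/bundle.pem")"
describe "$WORK/server.pem"
describe "$WORK/inter.pem"

if verify_with_root "$WORK/server.pem"; then
    echo "server cert alone: valid (unexpected)"
else
    echo "server cert alone: NOT valid (only the root is trusted and no intermediate was presented)"
fi
if verify_with_root "$WORK/server.pem" "$WORK/bundle.pem"; then
    echo "server cert + bundle: valid (intermediate supplied, path reaches the root)"
fi
```

The `openssl verify -CAfile root -untrusted bundle leaf` form is the check worth running against a real bundle before pasting it into the server-certificate import: if it fails there, a client that ships only the root will fail in the same way, whichever file format the import accepted.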