MVP
Posts: 1,111
Registered: 10-11-2011

Use internal PKI or external certs?

We started a ClearPass PoC and configured a couple of different services: internal wireless, onboarding, and guest. I came across some cert issues that I wasn't expecting. For instance, we used our internal PKI to generate a cert for CPPM (and Guest) which clients validate when connecting to internal wireless. This works just fine for laptops that have our root CA installed, but for iPhones and Androids they receive a cert prompt which can confuse users. And for guest, we had to switch to a 3rd party cert to keep guests from receiving cert prompts when reaching the guest captive portal.

In order to avoid the prompts in iOS and for guests, I think I may just use external certs. I'm interested to know what others are doing.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 21,491
Registered: 03-29-2007

Re: Use internal PKI or external certs?

You can use external certs for (1) the ClearPass Policy Manager RADIUS server (you re-use the same cert for HTTPS if Guest is on the same box) and (2) the SSL certificate for the controller, because it will do a redirect.

- your i-devices must trust them (specifically for onboarding)
- your Macs must trust them (so that they don't see an untrusted message)
- your Android devices will never trust them and will always give you a prompt
- your domain devices must trust them either out of the box, or you can add it to a group policy to push the CA that issued the cert to your domain clients.

-------------------------------

If you were only doing RADIUS authentication with CPPM, you can issue the RADIUS certificate for CPPM from your own internal CA.

If you add Guest Services, you need a publicly trusted cert for (1) CPPM and (2) a publicly trusted SSL cert for the controller that does the initial redirect. That will keep guests from seeing an untrusted message.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,111
Registered: 10-11-2011

Re: Use internal PKI or external certs?

Ahh, good point. I was thinking I'd need two certs for CPPM and Guest.

Slightly off topic, but we're not using local termination right now. While we're testing CPPM I think it would be a good time to consider it. Do you have any advice regarding EAP termination when using CPPM?

Guru Elite
Posts: 21,491
Registered: 03-29-2007

Re: Use internal PKI or external certs?

In ClearPass before 6.0, Guest (Amigopod) and CPPM (RADIUS server) ran on entirely different servers. That is why you needed two different certificates.

It is not necessary to do termination, no.



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,111
Registered: 10-11-2011

Re: Use internal PKI or external certs?

I'd like to add that my student guide from the Aruba Boot Camp explains that for server-group fail-through to work, AAA FastConnect (aka EAP termination) must be enabled. If that requirement still exists, then I think I would want to configure termination since I have a CPPM cluster.

Guru Elite
Posts: 21,491
Registered: 03-29-2007

Re: Use internal PKI or external certs?

So,

Fail-through is ONLY for when you have multiple authentication sources that have different user databases. If you simply have multiple RADIUS servers that point to the same database, it is inefficient, because upon a username or password failure, it will check all of them.

It is less restrictive, if you have CPPM, to put in multiple authentication sources and make decisions based on that, than to use fail-through on the controller.

For example, if you have two domains, join CPPM to both of them and add both as authentication sources, and CPPM will go through them sequentially. That would eliminate the need to have termination and put a server certificate on the controller. As soon as you pass more than one controller for redundancy or capacity, this makes even more sense. You would only need a certificate on CPPM for RADIUS, vs. a server cert for each controller.

Last, but not least, if you have a CPPM cluster, and all your CPPM servers are pointing to the same backend database like AD, do NOT enable fail-through. If you have all your CPPM servers in the server group, it will try the first one and it will only go on to the next one if the first one fails to respond. If you enable fail-through, it will register negative hits on ALL your servers, and that is inefficient. That will delay the client erroring out, which is essential for good performance.


Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,111
Registered: 10-11-2011

Re: Use internal PKI or external certs?

I COMPLETELY misunderstood that feature. I thought it was for redundancy: should one RADIUS server fail, it would move to the next RADIUS server. Thanks for clarifying.

Guru Elite
Posts: 21,491
Registered: 03-29-2007

Re: Use internal PKI or external certs?

Check it out. https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-614

Make sure you read the fine print...



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,111
Registered: 10-11-2011

Re: Use internal PKI or external certs?

I wanted to provide an update that I have gone with an external cert. I'm disappointed to find that iOS is prompting to accept the cert, saying it's not valid. I've talked to support and verified the trust chain with CPPM. The server, intermediate, and root CA in the chain all show valid. Support seems to think there's a problem with the intermediate CA not being trusted by Apple, which I suppose could be true because it's not on the list as a trusted root certificate (it's an intermediate cert). I thought that was the point of the chain though; the intermediate cert would be trusted if it were issued by the root CA? I'm at a loss and so is support to explain why iOS doesn't recognize the server cert as being valid. Any one else experience similar issues with external certs and iOS?

Aruba
Posts: 113
Registered: 11-21-2011

Re: Use internal PKI or external certs?

This can happen if you don't install the complete cert chain, including intermediate certs, on CPPM.

iOS does not trust the intermediate certificate, only the root cert. So the intermediate cert has to be provided somewhere in order for the client to build a complete chain up to the trusted root.

CPPM will accept an incomplete chain, but this problem will ensue. Make sure you copy and paste any necessary intermediate cert(s) when setting up the server certificate in CPPM.
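An added example of the failure described in the reply above, not code from this thread or from Aruba: it builds a throwaway three-tier PKI (root CA, intermediate CA, server certificate) with the openssl CLI and then validates the server certificate the way a client that trusts only the root does, first with the server certificate alone (what CPPM ends up presenting when only that cert was pasted in) and then with the intermediate appended (what pasting the intermediate into the server-certificate bundle achieves). The CA names, the hostname cppm.example.internal, the config file and the work directory are all made up for the demonstration; the only assumption is that openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): why a server that presents only its own
# certificate fails on a client that trusts nothing but the root CA.
# All names, paths and the PKI itself are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/chain-demo.$$"

# Build root CA -> intermediate CA -> server certificate with the openssl CLI.
# Extensions are given explicitly: an intermediate without basicConstraints
# CA:TRUE is not accepted as an issuer when the path is validated.
make_pki() {
    mkdir -p "$WORK"
    cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cppm.example.internal
EOF
    # Key and CSR for each tier; the subjects are made up.
    for name in root inter server; do
        case $name in
            root)   cn="Example Root CA" ;;
            inter)  cn="Example Issuing CA" ;;
            server) cn="cppm.example.internal" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/demo.cnf" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$cn" 2>/dev/null
    done
    # Root: self-signed.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
        -extfile "$WORK/demo.cnf" -extensions v3_ca -out "$WORK/root.pem" 2>/dev/null
    # Intermediate: signed by the root.
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$WORK/demo.cnf" -extensions v3_ca \
        -out "$WORK/inter.pem" 2>/dev/null
    # Server cert (what CPPM would present for RADIUS and HTTPS): signed by the intermediate.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/demo.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
}

# Validate the way a client that trusts only the root does.  $1 is the PEM bundle
# the server sends (first cert is the server cert, any others are the chain it
# supplies); $2 is the client's trust store.  openssl verify checks the first
# certificate in its last argument and may use -untrusted certs to build a path
# to something in -CAfile.  Returns 0 when the path reaches a trusted root.
client_accepts() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

demo() {
    make_pki
    # Incomplete: only the server cert pasted into CPPM (CPPM accepts this as-is).
    cp "$WORK/server.pem" "$WORK/incomplete.pem"
    # Complete: server cert followed by its issuing intermediate(s).
    cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/complete.pem"
    for bundle in incomplete complete; do
        if client_accepts "$WORK/$bundle.pem" "$WORK/root.pem"; then
            echo "$bundle chain: trusted"
        else
            echo "$bundle chain: NOT trusted, client would prompt"
        fi
    done
}

demo
```

The root and intermediate are both "valid" certificates on their own, which is why checking each one in CPPM's UI shows nothing wrong; the defect is only visible when you try to build the path from the presented bundle, as the client does. To see what a live CPPM or controller actually sends, `openssl s_client -connect cppm.example.internal:443 -showcerts` prints every certificate in the handshake; if only the leaf appears, the intermediate was never added to the bundle.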
