Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

multiple server certificates on ClearPass

  • 1.  multiple server certificates on ClearPass

    Posted Jan 06, 2014 03:15 PM

    Using ClearPass 6.2.x and wondering if I can somehow configure multiple server certificates (i.e. one for RADIUS, one for HTTPS (guest), or different ones for RADIUS), or if it is one server certificate used for everything?



  • 2.  RE: multiple server certificates on ClearPass

    EMPLOYEE
    Posted Jan 06, 2014 03:18 PM
    Soon. :)


  • 3.  RE: multiple server certificates on ClearPass

    Posted Sep 16, 2016 08:49 AM

    Just tried on the latest ovf, can't do it.  I'm trying to get 802.1x authentication EAP-TLS for multiple Active Directories, which requires the RADIUS server to have a signed certificate from each of the domain's SubCAs.  Any workarounds?  I've added and bound the CPPM to each of the ADs, but can only authenticate the one which the CPPM has a matching RADIUS server certificate.



  • 4.  RE: multiple server certificates on ClearPass

    EMPLOYEE
    Posted Sep 16, 2016 08:51 AM
    You should be able to use the same RADIUS server certificate across multiple domains and authentication methods.


  • 5.  RE: multiple server certificates on ClearPass

    Posted Sep 16, 2016 10:11 AM

    Should be able to in what way?  EAP-TLS requires mutual authentication, so the CPPM's certificate has to chain to the client's trusted root CA.  Which is why EAP times out when I try to connect a client when a certificate from another domain is installed on the CPPM.



  • 6.  RE: multiple server certificates on ClearPass

    EMPLOYEE
    Posted Sep 16, 2016 10:19 AM
    The RADIUS server certificate does not have to be issued from the same CA as the client certificate used in EAP-TLS.


  • 7.  RE: multiple server certificates on ClearPass

    Posted Sep 16, 2016 12:22 PM

    Ah, that's the ticket.

    I saw your post on another board addressing this as well.

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-different-radius-server-cert-for-different-services/td-p/209025

    So it should work if the server trusts the client's CA and the client trusts the CPPM's CA.  I'll have to figure out why my EAP is timing out when the CPPM has the client's CA in its trusted store and the client has the CPPM's CA in its trusted store, but it works when the client and CPPM have certificates issued from the same CA.

    Thanks




  • 8.  RE: multiple server certificates on ClearPass

    Posted Mar 28, 2019 09:26 AM

    Please correct me if I'm wrong, but would security not be reduced when using public CAs, in cases where client certificates are not validated?


    Let's say we want to prevent a domain-joined station from attempting to authenticate to a rogue AP which is broadcasting our SSID, but we are only using password authentication on the clients. Let's say the attacker uses a valid server certificate provided by the same CA as the one in our trusted list.


    Would the client not simply connect to the rogue AP if it's nearby, even with certificate validation enabled, allowing the attacker to sniff the NetNTLM hash, potentially allowing the original password to be cracked offline given enough resources?



  • 9.  RE: multiple server certificates on ClearPass

    EMPLOYEE
    Posted Mar 28, 2019 09:28 AM
    It really has nothing to do with the cert being publicly signed or privately signed. It’s the inherent insecure nature of using legacy EAP methods like PEAP. Only EAP-TLS should be used these days.


  • 10.  RE: multiple server certificates on ClearPass

    Posted Mar 28, 2019 10:45 AM

    Thanks for the reply, Tim.


    I am aware that EAP-TLS authentication is generally a more secure option. But nonetheless, EAP-PEAP is still used frequently.

    Authentication based on certificates is not free from security risks either, all things considered.


    So, in the event that the less secure EAP-PEAP is used, you would expect security to be decreased when using public CAs to sign the server certificate. Or am I wrong?



  • 11.  RE: multiple server certificates on ClearPass

    EMPLOYEE
    Posted Mar 28, 2019 11:04 AM

    There is no change in security for PEAP based on who issues the EAP server certificate.

    While PEAP is popular, it is not standardized and being popular doesn’t mean it should be used. It should be avoided at all costs outside of a completely managed environment, unless credential security is not a concern for your organization.