MVP
Posts: 1,392
Registered: ‎11-30-2011

multiple server certificates on ClearPass

Using ClearPass 6.2.x and wondering if I can somehow configure multiple server certificates (i.e. one for RADIUS, one for HTTPS (guest), or different ones for RADIUS), or if it is one server certificate used for everything?

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: multiple server certificates on ClearPass

Soon. :)
Thank You,
Troy

Occasional Contributor I
Posts: 6
Registered: ‎08-11-2016

Re: multiple server certificates on ClearPass

Just tried on the latest OVF, can't do it. I'm trying to get 802.1X authentication EAP-TLS for multiple Active Directories, which requires the RADIUS server to have a signed certificate from each of the domains' SubCAs. Any workarounds? I've added and bound the CPPM to each of the ADs, but can only authenticate the one for which the CPPM has a matching RADIUS server certificate.

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: multiple server certificates on ClearPass

You should be able to use the same RADIUS server certificate across multiple
domains and authentication methods.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 6
Registered: ‎08-11-2016

Re: multiple server certificates on ClearPass

Should be able to in what way?  EAP-TLS requires mutual authentication, so the CPPM's certificate has to chain to the client's trusted root CA.  Which is why EAP times out when I try to connect a client when a certificate from another domain is installed on the CPPM.

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: multiple server certificates on ClearPass

The RADIUS server certificate does not have to be issued from the same CA as
the client certificate used in EAP-TLS.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor I
Posts: 6
Registered: ‎08-11-2016

Re: multiple server certificates on ClearPass

Ah, that's the ticket.

I saw your post on another board addressing this as well.

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/CPPM-different-radius-server-cert-for-different-services/td-p/209025

So it should work if the server trusts the client's CA and the client trusts the CPPM's CA. I'll have to figure out why my EAP is timing out when the CPPM has the client's CA in its trusted store and the client has the CPPM's CA in its trusted store, but it works when the client and CPPM have certificates issued from the same CA.

Thanks
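
The trust relationship the thread settles on (the server trusts the client's CA, the client trusts the server's CA, and the two CAs need not be the same), reproduced with OpenSSL as an added example that is not part of the original thread. The CA and certificate names are constructed, and `openssl verify` stands in here for the chain validation each EAP-TLS peer performs; ClearPass itself is not involved.

```shell
#!/usr/bin/env bash
# Constructed lab PKI; every name here (ca-a, ca-b, radius-srv, client-b) is hypothetical.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {      # $1 = CA name: creates a self-signed root
  openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = issuing CA, $2 = leaf name, $3 = serverAuth|clientAuth
  openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

trusts() {       # $1 = the only trusted root, $2 = peer's leaf, $3 = sslserver|sslclient
  openssl verify -purpose "$3" -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Each side of the EAP-TLS handshake validates only the OTHER side's chain.
eap_tls_ok() {   # $1 = root trusted by supplicant, $2 = root trusted by RADIUS server
  trusts "$1" radius-srv sslserver && trusts "$2" client-b sslclient
}

make_ca ca-a; make_ca ca-b
issue_leaf ca-a radius-srv serverAuth   # RADIUS server cert from domain A's CA
issue_leaf ca-b client-b  clientAuth    # client cert from domain B's CA

eap_tls_ok ca-a ca-b && echo "cross-CA trust configured: both chains verify"
eap_tls_ok ca-b ca-b || echo "supplicant trusts only its own CA: server cert rejected"
```

The second result is the case where the supplicant's trust list does not include the root that issued the RADIUS server certificate, so the client's validation of the server fails even though the server would accept the client certificate.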

 
