In ClearPass training, I was told that I should use a public cert for HTTPS and a certificate from our internal CA for RADIUS which is what we currently have.
I have set up 802.1X EAP-PEAP so that users with non-corporate assets can connect using their AD credentials.
Some clients are able to connect after checking the certificate warning, but other clients always fail authentication. Those clients will never prompt to accept the non-trusted certificate even though the box to “Do not prompt” is not checked in the wireless settings. The only way I can get them to connect is to uncheck the “Validate server certificate” option which I do not want. It also means that the user would have to manually create the wireless profile rather than just clicking the wireless network to join.
My questions are:
1. Is there another way to make this work?
2. Is there any drawback to using a publicly trusted certificate for the RADIUS certificate over one from our internal CA other than the cost? (Note that we also do EAP-TLS with our corporate assets)
3. Can I use a wildcard certificate or do I need to purchase a SAN certificate that includes all of our my Clearpass servers?