
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

RADIUS Server Certificate - Clearpass - EAP-TLS

  • 1.  RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 26, 2021 07:06 PM
    Hi all,
    We are using Clearpass as our RADIUS server and are authenticating Wi-Fi using 802.1X / EAP-TLS. We are using Onboard to push out the user/root cert and using Onboard as our CA; the user enrolls using a temporary open SSID, reaches the Onboard page and uses their AD creds to enroll. We will be supporting many different customer AD domains, so we prefer to use Onboard as our CA and device auth versus Active Directory.

    We created our RADIUS cert using Onboard's CA.  We did this due to Clearpass' native cert generation having a max validity period of 2000 days which is too short for our use, so we imported a cert from Onboard for RADIUS which permits a much longer validity period.  We are using a wildcard cert for our HTTPS (for now, in our lab) and will purchase a non-wildcard for production.

    Everything is working fine, Apple Devices and Windows devices enroll just fine with Onboard, EAP-TLS is working fine.

    We were told by our Aruba account rep / sales engineer that we should not use a self-signed cert for RADIUS and we need to purchase a cert from a public CA. The recommendations and information that I am reading online conflict with this, including Herman Robers' video series saying self-signed is recommended.

    I'm not sure whether what they meant was using a public cert if we use PEAP-MSCHAPv2, to lessen the chance of a fake RADIUS server performing a man-in-the-middle attack on a badly configured supplicant (trusted servers not set).

    We are using EAP-TLS and delivering the certs with Onboard (Onboard CA root, RADIUS, user). Is that safe, or does Aruba now recommend using a publicly purchased cert for the RADIUS cert with EAP-TLS?


    Kevin Grivois

  • 2.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS
    Best Answer

    Posted May 27, 2021 03:53 AM

    We use a public cert for RADIUS in two cases:
    - we have outside users who authenticate via PEAP
    - we deploy Onboard as single SSID (PEAP to redirect the user to the Onboard page, EAP-TLS for access to the network).

    If you use an open SSID with captive portal for Onboard, you don't need a public cert, because the root CA is imported in the Onboarding process.


    Piotr Filip


  • 3.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 27, 2021 12:29 PM
    Thanks Piotr, that's exactly what I needed to know.

    Kevin Grivois

  • 4.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 28, 2021 03:40 AM
    One concern about using dual SSID Onboarding: when onboarding a device using a randomised MAC, the Onboard process records this 'enrolment' SSID MAC address in the certificate, which is different from the Onboard SSID's MAC address. In general this is not a problem for the TLS authentication. However, if you are using Onboard cleanup of inactive certificates, then problems are likely to occur. As far as I understand, this cleanup tracks based on the recorded MAC address. As this MAC address is not used, the active Onboard devices will be affected.

    Derin Mellor

  • 5.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 28, 2021 12:28 PM
    We won't be using the Onboard cleanup of inactive certs, so we should be good on that one.

    Kevin Grivois

  • 6.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 28, 2021 02:16 PM
    I did work out an SQL query (using the appexternal interface) to find the certificates that had not been used for X days. It would then be a trivial matter to build a script with a bit of RESTful API to delete those unused certificates...

    Regards Derin

  • 7.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 27, 2021 02:45 PM
    Self-signed and organizationally-controlled / private PKI are not the same thing.

    Self-signed certificates should never be used for an EAP server certificate.

    Publicly CA-signed certificates can be used for EAP server certificates but it is not recommended.

    An EAP server certificate issued from an organizationally-controlled PKI (could be CPPM Onboard, ADCS or some other system in your environment) is the recommendation for all deployment models.

    Also, single SSID Onboard is not recommended and should never be used.

    Tim C
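The distinction Tim C draws (self-signed is not the same as issued by a private PKI) as an added Go example that is not from this thread or from Aruba: it mints throwaway certificates inline (the CA name, hostname and lifetimes are constructed) and classifies a RADIUS server certificate the way a supplicant that trusts only the Onboard root it received at enrolment would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcomes for an EAP server cert as seen by a supplicant that trusts only the root pushed by Onboard.
const SelfSigned, OrgPKI, NotInTrustList = "self-signed (do not use)", "issued by own PKI (recommended)", "issued by a CA the supplicant was not given"
// mint is a constructed helper, not Onboard's code: it issues a cert for cn signed by parent, or by its own key when parent is nil.
func mint(cn string, isCA bool, days int, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, pkey = t, key // self-signed: the cert is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Classify makes the point concrete: "self-signed" and "issued by a private PKI" differ, and only the latter chains to the supplicant's root.
func Classify(server, trustedRoot *x509.Certificate) string {
	// Self-signed: the certificate verifies under its own public key, so there is no separate anchor to trust.
	if server.CheckSignature(server.SignatureAlgorithm, server.RawTBSCertificate, server.Signature) == nil {
		return SelfSigned
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots}); err == nil {
		return OrgPKI
	}
	return NotInTrustList
}

func main() {
	root, rootKey := mint("Onboard CA Root", true, 3650, nil, nil)        // constructed names and lifetimes
	radius, _ := mint("radius.example.test", false, 3000, root, rootKey) // RADIUS cert issued by the Onboard CA
	self, _ := mint("radius.example.test", false, 3000, nil, nil)        // the pattern the reply says never to use
	fmt.Println(Classify(radius, root), "/", Classify(self, root))
}
```

A publicly issued cert ends up in the third bucket here because the supplicant was only given the Onboard root, which is why the thread calls a public cert unnecessary for the dual-SSID model.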

  • 8.  RE: RADIUS Server Certificate - Clearpass - EAP-TLS

    Posted May 28, 2021 12:26 PM
    I think we are on the right track then, just got the terminology mixed up, our PKI will be CPPM Onboard so it will be organizationally controlled.  That is the current deployment model we are testing.  We will stick with Dual SSID (one for Onboard, one for the 802.1x EAP-TLS wifi).

    Thank you for the clarification!

    Kevin Grivois