Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass multi domain with EAP-TLS

  • 1.  Clearpass multi domain with EAP-TLS

    Posted Dec 09, 2020 09:07 AM
    Hi!

    We have 3 different domains and each of them has its own CA. Does anyone have this kind of environment and know how this can be done?
    Only one RADIUS certificate can be imported to ClearPass. ClearPass is in domain 1 and the client computer is in domain 2. Domain 1 root and intermediate certificates are imported to the client computer trust store and domain 2 certificates are imported to the ClearPass trust store. Logs say unknown_ca, TLS error, Certificate validation error.
    What else is required for this, and has someone succeeded in doing this?

    ------------------------------
    Petri Kemppainen
    ------------------------------


  • 2.  RE: Clearpass multi domain with EAP-TLS

    Posted Dec 09, 2020 12:05 PM
    You can import MULTIPLE RADIUS certificates into CPPM. They can be imported as a SERVICE type cert and then used in separate services, so in short, use a single service-policy per domain tied to a separate RADIUS service-cert. On the authentication tab in the service-policy, at the bottom, you can select the service-cert to be used in this service-policy.

    ------------------------------
    Danny Jump
    "Passionate about CPPM"
    ------------------------------



  • 3.  RE: Clearpass multi domain with EAP-TLS

    Posted Dec 09, 2020 02:32 PM
    The EAP server certificate and client certificates do not need to be issued from the same CA.  Configure all of the machines to trust the single global EAP server certificate via GPO or MDM.

    I would not recommend using service certificates as it can get complicated trying to match realms and domains.

    ------------------------------
    Tim C
    ------------------------------



  • 4.  RE: Clearpass multi domain with EAP-TLS
    Best Answer

    EMPLOYEE
    Posted Dec 10, 2020 04:58 AM
    The unknown_ca error, does that have 'from server' or 'from client' in it? I assume it is from client.

    What I would do:
    - (1) Generate the RADIUS server certificate to be installed on ClearPass from either one of your domain CAs, or even from a different CA. As mentioned, the server certificate and client certificate don't need to be from the same CA; I'd even recommend having them from separate CAs in many cases to avoid confusion.
    - Import the root for the certificate issued in the previous step (1) into ALL of your domains and have it added to all of the clients' Trusted Root Authorities certificate stores. As mentioned, Group Policies or MDM are the obvious ways to do that.
    - Configure the clients in all your domains to trust the RADIUS server certificate created in the first step (select the Root CA and RADIUS server name). Again, GPO/MDM are the way to do that.
    - Import the root CAs for domain1, domain2, domain3 into the ClearPass Trust List and make sure the certificates are enabled for 'EAP'. You mentioned you already did this.

    For unmanaged clients, you can use ClearPass Onboard to do the same configuration.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
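As an added example (not from this thread and not ClearPass code), here is a small model of the two validation steps the answer above describes: the supplicant checks the RADIUS server certificate against its own trusted roots, and ClearPass checks the client certificate against the Trust List entries that are enabled for EAP. It reports which side would raise unknown_ca. All subject names (dom1-root, pc.dom2, ...) are constructed sample values.

```python
def build_chain(leaf, certs):
    """Follow issuer links from `leaf` until a self-signed certificate.
    `certs` maps subject -> issuer for every certificate the validator can
    see (the peer's presented chain plus its own trust store). Returns the
    chain, leaf first and root last, or None when an issuer cannot be found,
    which is the condition the unknown_ca TLS alert reports."""
    chain = [leaf]
    while certs[chain[-1]] != chain[-1]:
        issuer = certs[chain[-1]]
        if issuer not in certs or issuer in chain:
            return None
        chain.append(issuer)
    return chain

def client_accepts_server(server_leaf, presented, client_roots):
    """Supplicant side: the RADIUS server certificate must chain to a root in
    the client's Trusted Root store (the set distributed by GPO or MDM)."""
    chain = build_chain(server_leaf, {**presented, **{r: r for r in client_roots}})
    return chain is not None and chain[-1] in client_roots

def clearpass_accepts_client(client_leaf, presented, trust_list):
    """Server side: the client certificate must chain to a Trust List root
    whose usage includes EAP. `trust_list` maps subject -> set of usages."""
    chain = build_chain(client_leaf, {**presented, **{r: r for r in trust_list}})
    return chain is not None and "EAP" in trust_list.get(chain[-1], set())

def eap_tls_outcome(server_leaf, server_presented, client_roots,
                    client_leaf, client_presented, trust_list):
    """The client checks the server first; ClearPass only gets to check the
    client certificate once the server certificate has been accepted."""
    if not client_accepts_server(server_leaf, server_presented, client_roots):
        return "unknown_ca from client"
    if not clearpass_accepts_client(client_leaf, client_presented, trust_list):
        return "unknown_ca from server"
    return "ok"

# Constructed sample PKI: ClearPass holds a server certificate from domain 1,
# the client is a domain 2 machine with a certificate from domain 2's issuing CA.
SERVER_PRESENTED = {"clearpass.dom1": "dom1-issuing", "dom1-issuing": "dom1-root"}
CLIENT_PRESENTED = {"pc.dom2": "dom2-issuing", "dom2-issuing": "dom2-root"}
CLIENT_ROOTS = {"dom1-root", "dom2-root"}        # dom1-root pushed to the client by GPO

def outcome(trust_list):
    return eap_tls_outcome("clearpass.dom1", SERVER_PRESENTED, CLIENT_ROOTS,
                           "pc.dom2", CLIENT_PRESENTED, trust_list)

# Trust List holds an old, unrelated domain 2 root: the client chain never reaches it.
WRONG_TRUST_LIST = {"dom1-root": {"EAP"}, "dom2-root-old": {"EAP"}}
# Correct root present but not enabled for EAP usage: still rejected by ClearPass.
NO_EAP_TRUST_LIST = {"dom1-root": {"EAP"}, "dom2-root": {"Others"}}
# All domain roots imported and EAP-enabled, as in the answer above.
GOOD_TRUST_LIST = {"dom1-root": {"EAP"}, "dom2-root": {"EAP"}, "dom3-root": {"EAP"}}
```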



  • 5.  RE: Clearpass multi domain with EAP-TLS

    Posted Dec 17, 2020 02:30 AM

    I got this to work this way. My problem was a wrong client root CA in ClearPass.

    I exported all the certificates of the domains involved from the client computer to the ClearPass trust list and then it works. And imported the ClearPass RADIUS CA root certificate to the client computer.



    ------------------------------
    Petri Kemppainen
    ------------------------------