Security

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?

Hi,

Replacing a self-signed certificate (hope the cert is not signed by internal PKI, since you have mentioned "self assigned CA") with public CA would not cause any issue, except the clients prompting to accept the new cert after import.
And to answer your question about, different certs for different networks. It is possible, you can import the Radius/new cert as a service cert in ClearPass and map it to the authentication service directly. In fact, you can import the Public CA signed cert as a service cert and test it on the EAP-TLS service, and then replace the self-signed cert with the same cert globally.

------------------------------
Saravanan Rajagopal
------------------------------

Original Message:
Sent: Jan 06, 2021 02:37 PM
From: Chris B
Subject: Public CA and EAP-TLS Users

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?

When changing your CA (either for the RADIUS server certificate or the Client certificates), I would check with the ClearPass Certificates Technote, and your Aruba partner or Aruba support if you match best practices. The information you provided is incomplete to make a proper assessment, and the devil is in the details.

In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely if you are using Guest/Onboard. The Technote will explain why this is and also exceptions.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 06, 2021 02:37 PM
From: Chris B
Subject: Public CA and EAP-TLS Users

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?

Hi Herman.

Im i little curious about you certificate recommendation about the radius certificate, i can say we use a public certificate for both the webservice and radius service ( 2 diffenrent certificates) the reason we use a public certificate for the radius is we are using clearpass eap-tls against 3 domains, so with the public cert we don't need to import a root cert on all our domain computers.

Is that a problem? it works fine and when we change the cert theres no warnings cause its the same root/ca

Morten

------------------------------
Morten Johannsen
------------------------------

Original Message:
Sent: Jan 07, 2021 06:26 AM
From: Herman Robers
Subject: Public CA and EAP-TLS Users

When changing your CA (either for the RADIUS server certificate or the Client certificates), I would check with the ClearPass Certificates Technote, and your Aruba partner or Aruba support if you match best practices. The information you provided is incomplete to make a proper assessment, and the devil is in the details.

In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely if you are using Guest/Onboard. The Technote will explain why this is and also exceptions.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 06, 2021 02:37 PM
From: Chris B
Subject: Public CA and EAP-TLS Users

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?

@Herman Robers
Curious about that too Herman.

I realize the RADIUS cert most often is supplied by internal PKI, but that is more because of ease of use than anything else, right?
Say for example when onboarding; then a publicly signed cert seems more logical to me.

------------------------------
Koen V
------------------------------

Original Message:
Sent: Jan 08, 2021 02:36 AM
From: Morten Johannsen
Subject: Public CA and EAP-TLS Users

Hi Herman.

Im i little curious about you certificate recommendation about the radius certificate, i can say we use a public certificate for both the webservice and radius service ( 2 diffenrent certificates) the reason we use a public certificate for the radius is we are using clearpass eap-tls against 3 domains, so with the public cert we don't need to import a root cert on all our domain computers.

Is that a problem? it works fine and when we change the cert theres no warnings cause its the same root/ca

Morten

------------------------------
Morten Johannsen

Original Message:
Sent: Jan 07, 2021 06:26 AM
From: Herman Robers
Subject: Public CA and EAP-TLS Users

When changing your CA (either for the RADIUS server certificate or the Client certificates), I would check with the ClearPass Certificates Technote, and your Aruba partner or Aruba support if you match best practices. The information you provided is incomplete to make a proper assessment, and the devil is in the details.

In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely if you are using Guest/Onboard. The Technote will explain why this is and also exceptions.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 06, 2021 02:37 PM
From: Chris B
Subject: Public CA and EAP-TLS Users

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?

Let me start by mentioning that using a public cert for EAP will work, in most cases it doesn't make sense and adds complexity. Here is my personal view on this matter.

One important property of EAP certificates that is different from HTTPS server certificates is that for 802.1X (wired/wireless) there is no way to validate the server certificate. Here is a post from some time ago where I explain that. With HTTPS you can bind the domain name (guest.yourcompany.com) to the certificate, but with your SSID (corp, guest) that is not possible. So you will need to arrange your trust anyway by selecting the authoritative CA and radius server name in the supplicant. That means you need control/configuration on the device anyway, and in the same step, you can deploy the trusted RADIUS root CA.

Then, a private CA has a few benefits over a public CA:
- You can have longer run-times for your RADIUS certificate like few years to avoid certificate renewals. With a public CA, you are now bound to a maximum validity of one year. That means you have to renew your RADIUS certificate every 12 months at least, with all the risks involved.
- One of the bigger risks that happen in practice is that your public CA switches to another root, in which case you will need to touch all of your clients in advance and change the trust for the 802.1X server validation. With a private CA, it's yourself that can decide when to abandon your root CA which makes you less dependent.

In the past, one of the exceptions was networks with a lot of BYOD devices, like eduroam (used in higher education worldwide). If you check their current policy, you can see there are similar considerations and there is no strong push to a public CA, they more consider the capability of your organization to run a private CA.

With your situation, with clients in 3 different domains, what you can simply do is have the radius certificate signed by any of the existing private CAs, or even create a 4th one, and have that root CA pushed to all of your clients in each of the domains. For Active Directory, you can do that simply with a GPO. For other managed devices, use a device management tool. For unmanaged devices, you could use Onboard. And if you can't, remember that there is little difference between a public certificate that is trusted but cannot be validated or a private certificate. The server validation will be the same for all your clients.

For HTTPS certificates, there is no discussion for me. Those should likely come from a public CA.

As always, there may be reasons to make another discussion, but to repeat: In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely, if you are using Guest/Onboard.

Hope this helps, and I'm open to hearing other opinions to bring balance to the discussion as this is my personal opinion that worked pretty well in the past, and also is what is reflected in some of the best practice-documents and training material available from Aruba.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 08, 2021 02:36 AM
From: Morten Johannsen
Subject: Public CA and EAP-TLS Users

Hi Herman.

Im i little curious about you certificate recommendation about the radius certificate, i can say we use a public certificate for both the webservice and radius service ( 2 diffenrent certificates) the reason we use a public certificate for the radius is we are using clearpass eap-tls against 3 domains, so with the public cert we don't need to import a root cert on all our domain computers.

Is that a problem? it works fine and when we change the cert theres no warnings cause its the same root/ca

Morten

------------------------------
Morten Johannsen

Original Message:
Sent: Jan 07, 2021 06:26 AM
From: Herman Robers
Subject: Public CA and EAP-TLS Users

When changing your CA (either for the RADIUS server certificate or the Client certificates), I would check with the ClearPass Certificates Technote, and your Aruba partner or Aruba support if you match best practices. The information you provided is incomplete to make a proper assessment, and the devil is in the details.

In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely if you are using Guest/Onboard. The Technote will explain why this is and also exceptions.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 06, 2021 02:37 PM
From: Chris B
Subject: Public CA and EAP-TLS Users

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?

Hi Herman

Thx for the clarification, i knew all that, and your right about its getting more tricky now the public cert is down to 1 year, when i startede to use public they where 3 years and the last 1 is 2 years, but i would prefere using a none domain pki cert to do the validation, mayby even clearpass as ca so you don't have domain 1's domain cert on other domain for security reasons.
i might change to clearpass as the ca for our radius cert, in the future.

Morten

------------------------------
Morten Johannsen
------------------------------

Original Message:
Sent: Jan 08, 2021 05:02 AM
From: Herman Robers
Subject: Public CA and EAP-TLS Users

Let me start by mentioning that using a public cert for EAP will work, in most cases it doesn't make sense and adds complexity. Here is my personal view on this matter.

One important property of EAP certificates that is different from HTTPS server certificates is that for 802.1X (wired/wireless) there is no way to validate the server certificate. Here is a post from some time ago where I explain that. With HTTPS you can bind the domain name (guest.yourcompany.com) to the certificate, but with your SSID (corp, guest) that is not possible. So you will need to arrange your trust anyway by selecting the authoritative CA and radius server name in the supplicant. That means you need control/configuration on the device anyway, and in the same step, you can deploy the trusted RADIUS root CA.

Then, a private CA has a few benefits over a public CA:
- You can have longer run-times for your RADIUS certificate like few years to avoid certificate renewals. With a public CA, you are now bound to a maximum validity of one year. That means you have to renew your RADIUS certificate every 12 months at least, with all the risks involved.
- One of the bigger risks that happen in practice is that your public CA switches to another root, in which case you will need to touch all of your clients in advance and change the trust for the 802.1X server validation. With a private CA, it's yourself that can decide when to abandon your root CA which makes you less dependent.

In the past, one of the exceptions was networks with a lot of BYOD devices, like eduroam (used in higher education worldwide). If you check their current policy, you can see there are similar considerations and there is no strong push to a public CA, they more consider the capability of your organization to run a private CA.

With your situation, with clients in 3 different domains, what you can simply do is have the radius certificate signed by any of the existing private CAs, or even create a 4th one, and have that root CA pushed to all of your clients in each of the domains. For Active Directory, you can do that simply with a GPO. For other managed devices, use a device management tool. For unmanaged devices, you could use Onboard. And if you can't, remember that there is little difference between a public certificate that is trusted but cannot be validated or a private certificate. The server validation will be the same for all your clients.

For HTTPS certificates, there is no discussion for me. Those should likely come from a public CA.

As always, there may be reasons to make another discussion, but to repeat: In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely, if you are using Guest/Onboard.

Hope this helps, and I'm open to hearing other opinions to bring balance to the discussion as this is my personal opinion that worked pretty well in the past, and also is what is reflected in some of the best practice-documents and training material available from Aruba.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 08, 2021 02:36 AM
From: Morten Johannsen
Subject: Public CA and EAP-TLS Users

Hi Herman.

Im i little curious about you certificate recommendation about the radius certificate, i can say we use a public certificate for both the webservice and radius service ( 2 diffenrent certificates) the reason we use a public certificate for the radius is we are using clearpass eap-tls against 3 domains, so with the public cert we don't need to import a root cert on all our domain computers.

Is that a problem? it works fine and when we change the cert theres no warnings cause its the same root/ca

Morten

------------------------------
Morten Johannsen

Original Message:
Sent: Jan 07, 2021 06:26 AM
From: Herman Robers
Subject: Public CA and EAP-TLS Users

When changing your CA (either for the RADIUS server certificate or the Client certificates), I would check with the ClearPass Certificates Technote, and your Aruba partner or Aruba support if you match best practices. The information you provided is incomplete to make a proper assessment, and the devil is in the details.

In general, for RADIUS you should use a private CA for the client certificates and a private CA for the RADIUS certificates which may or may not be the same CA. For the HTTPS server certificate use a public CA in almost all circumstances and definitely if you are using Guest/Onboard. The Technote will explain why this is and also exceptions.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Jan 06, 2021 02:37 PM
From: Chris B
Subject: Public CA and EAP-TLS Users

We have a self assigned CA on our CPPM for RADIUS with EAP-TLS for one SSID and WPA2 for a BYOD network. We need to update our certificate with a public CA can you use different certs for different networks and if we changed this for the EAP-TLS one how will this effect users?