Security

We are running 6.8.9.12 and we run into this issue every time we renew the RADIUS cert. We generate a CSR using all the same CN, OU, O, ST and so on. we import the cert, click the EAP in the trust store, everything seems to update just fine but iOS devices will prompted our customers to accept the new cert, Android and windows seem to be not affected by this new renewal.  My questions is how can we renew these certs without prompting our customers to accept the new updated cert?  We do not us onboarding with our CP. 


------------------------------
Bill Harris
------------------------------

AFAIK Each new RADIUS server certificate ClearPass will send to the client must be trusted once by the client. If the RADIUS server certificate changed it have to trust it again.

What authentication method are you using? EAP-TLS or EAP-PEAP?

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
------------------------------

Original Message:
Sent: Dec 16, 2021 09:55 AM
From: Bill Harris
Subject: RADIUS cert renewal issues in ClearPass

We are running 6.8.9.12 and we run into this issue every time we renew the RADIUS cert. We generate a CSR using all the same CN, OU, O, ST and so on. we import the cert, click the EAP in the trust store, everything seems to update just fine but iOS devices will prompted our customers to accept the new cert, Android and windows seem to be not affected by this new renewal.  My questions is how can we renew these certs without prompting our customers to accept the new updated cert?  We do not us onboarding with our CP. 


------------------------------
Bill Harris
------------------------------

I agree that this is an expected behavior. Different clients and OS have slightly different ways of handle new Radius certificates.
Apple iOS will always prompt the user to approve the new certificate. I'm a bit unsure how MAC OS handle this.
Andriod will never prompt the user to approve the new certificate.
Windows have different behavior depending on the client configuration.
A non managed Windows 10 machine will ask the user if the SSID is expected in this area. Older Windows versions asked the user if the certificate is ok.
A Windows machine who is a domain member and managed by GPO can have a setting in the GPO to always trust the Radius certificate CA, in most cases the internal CA. In addition to this there is a setting in the GPO there it's possible to suppress the user prompt.
I think the same setting can also be configured if the machine is managed in Intune.


------------------------------
Best Regards
Jonas Hammarbäck
ACCX #1335, ACMP, ACDP, ACNSA, ACEP
Aranya AB
------------------------------

Original Message:
Sent: Dec 16, 2021 02:03 PM
From: marcel koedijk
Subject: RADIUS cert renewal issues in ClearPass

AFAIK Each new RADIUS server certificate ClearPass will send to the client must be trusted once by the client. If the RADIUS server certificate changed it have to trust it again.

What authentication method are you using? EAP-TLS or EAP-PEAP?

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own

Original Message:
Sent: Dec 16, 2021 09:55 AM
From: Bill Harris
Subject: RADIUS cert renewal issues in ClearPass

We are running 6.8.9.12 and we run into this issue every time we renew the RADIUS cert. We generate a CSR using all the same CN, OU, O, ST and so on. we import the cert, click the EAP in the trust store, everything seems to update just fine but iOS devices will prompted our customers to accept the new cert, Android and windows seem to be not affected by this new renewal.  My questions is how can we renew these certs without prompting our customers to accept the new updated cert?  We do not us onboarding with our CP. 


------------------------------
Bill Harris
------------------------------

If you have a proper configuration of your supplicants, like through Active Directory Group Policies, or Device Management (MDM/EMM), you should configure the RootCA as well as the server name.

In that case, clients should accept the certificate without any warning, and as long as you renew and keep the RootCA and CN (and first SAN) the same, clients will accept the changed certificate.

What you probably did, is put a public trusted certificate as EAP Cert (which is deprecated, use a private CA instead), and have your users connect and accept the certificate (which also is deprecated, use a provisioning mechanism to get the clients securely provisioned).

By 'ignoring' these two recommendations, you are likely to see what you see.

My recommendations for the RADIUS/EAP certificate:
- Issue the certificate from a private Root CA
- Use a long runtime for the certificate (multiple years) to avoid roll-overs
- Use a single RADIUS EAP certificate on all of your ClearPass/RADIUS servers
- Use tooling to get clients onboarded (AD-GPO/MDM/EMM for managed clients; something like ClearPass Onboard or similar for unmanaged clients). RootCA, supplicant configuration, Client certificate.
- Don't let end-users manually configure their devices with supplicant settings, it will be cumbersome and likely configured insecure.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Dec 16, 2021 09:55 AM
From: Bill Harris
Subject: RADIUS cert renewal issues in ClearPass

We are running 6.8.9.12 and we run into this issue every time we renew the RADIUS cert. We generate a CSR using all the same CN, OU, O, ST and so on. we import the cert, click the EAP in the trust store, everything seems to update just fine but iOS devices will prompted our customers to accept the new cert, Android and windows seem to be not affected by this new renewal.  My questions is how can we renew these certs without prompting our customers to accept the new updated cert?  We do not us onboarding with our CP. 


------------------------------
Bill Harris
------------------------------