View Only
last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

RADIUS cert renewal issues in ClearPass

This thread has been viewed 17 times
  • 1.  RADIUS cert renewal issues in ClearPass

    Posted Dec 16, 2021 09:56 AM
    We are running and we run into this issue every time we renew the RADIUS cert. We generate a CSR using all the same CN, OU, O, ST and so on. we import the cert, click the EAP in the trust store, everything seems to update just fine but iOS devices will prompted our customers to accept the new cert, Android and windows seem to be not affected by this new renewal.  My questions is how can we renew these certs without prompting our customers to accept the new updated cert?  We do not us onboarding with our CP. 

    Bill Harris

  • 2.  RE: RADIUS cert renewal issues in ClearPass

    Posted Dec 16, 2021 02:03 PM
    AFAIK Each new RADIUS server certificate ClearPass will send to the client must be trusted once by the client. If the RADIUS server certificate changed it have to trust it again.

    What authentication method are you using? EAP-TLS or EAP-PEAP?

    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own

  • 3.  RE: RADIUS cert renewal issues in ClearPass

    Posted Dec 17, 2021 05:01 AM
    I agree that this is an expected behavior. Different clients and OS have slightly different ways of handle new Radius certificates.
    Apple iOS will always prompt the user to approve the new certificate. I'm a bit unsure how MAC OS handle this.
    Andriod will never prompt the user to approve the new certificate.
    Windows have different behavior depending on the client configuration.
    A non managed Windows 10 machine will ask the user if the SSID is expected in this area. Older Windows versions asked the user if the certificate is ok.
    A Windows machine who is a domain member and managed by GPO can have a setting in the GPO to always trust the Radius certificate CA, in most cases the internal CA. In addition to this there is a setting in the GPO there it's possible to suppress the user prompt.
    I think the same setting can also be configured if the machine is managed in Intune.

    Best Regards
    Jonas Hammarbäck
    Aranya AB

  • 4.  RE: RADIUS cert renewal issues in ClearPass

    Posted Dec 17, 2021 10:49 AM
    If you have a proper configuration of your supplicants, like through Active Directory Group Policies, or Device Management (MDM/EMM), you should configure the RootCA as well as the server name.

    In that case, clients should accept the certificate without any warning, and as long as you renew and keep the RootCA and CN (and first SAN) the same, clients will accept the changed certificate.

    What you probably did, is put a public trusted certificate as EAP Cert (which is deprecated, use a private CA instead), and have your users connect and accept the certificate (which also is deprecated, use a provisioning mechanism to get the clients securely provisioned).

    By 'ignoring' these two recommendations, you are likely to see what you see.

    My recommendations for the RADIUS/EAP certificate:
    - Issue the certificate from a private Root CA
    - Use a long runtime for the certificate (multiple years) to avoid roll-overs
    - Use a single RADIUS EAP certificate on all of your ClearPass/RADIUS servers
    - Use tooling to get clients onboarded (AD-GPO/MDM/EMM for managed clients; something like ClearPass Onboard or similar for unmanaged clients). RootCA, supplicant configuration, Client certificate.
    - Don't let end-users manually configure their devices with supplicant settings, it will be cumbersome and likely configured insecure.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.