If you have a proper configuration of your supplicants, for example through Active Directory Group Policies or Device Management (MDM/EMM), you should configure the RootCA as well as the server name.
In that case, clients should accept the certificate without any warning, and as long as you renew and keep the RootCA and CN (and first SAN) the same, clients will accept the changed certificate.
What you probably did is put a publicly trusted certificate as the EAP cert (which is deprecated; use a private CA instead) and have your users connect and accept the certificate (which is also deprecated; use a provisioning mechanism to get the clients securely provisioned).
By 'ignoring' these two recommendations, you are likely to see what you see.
My recommendations for the RADIUS/EAP certificate:
- Issue the certificate from a private Root CA
- Use a long runtime for the certificate (multiple years) to avoid roll-overs
- Use a single RADIUS EAP certificate on all of your ClearPass/RADIUS servers
- Use tooling to get clients onboarded (AD-GPO/MDM/EMM for managed clients; something like ClearPass Onboard or similar for unmanaged clients) with the RootCA, supplicant configuration and client certificate.
- Don't let end-users manually configure their devices with supplicant settings; it will be cumbersome and likely configured insecurely.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
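As an added example (not part of the reply above and not ClearPass tooling), the following bash script uses openssl to walk through the recommendations: it creates a private root CA, issues a multi-year RADIUS/EAP server certificate from it, re-issues it the way a silent renewal should look (same root CA, same CN, same first SAN), and then runs the checks a supplicant that was provisioned with the RootCA and server name effectively performs. It also shows the two changes that do trigger prompts: a certificate from a different (for example public) CA, and a changed server name. The organisation, CA names and radius.example.com hostnames are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; not from the original thread and not ClearPass tooling.
# Builds a private root CA, an EAP server cert, a "transparent" renewal of it,
# and two renewals that would prompt users. All names below are hypothetical.
set -eu

WORK="$(mktemp -d)"
ORG="Example Corp"                                        # hypothetical
EAP_CN="radius.example.com"                               # hypothetical server name
EAP_SAN="DNS:radius.example.com,DNS:radius2.example.com"  # hypothetical SAN list

# Self-signed root CA with a long lifetime so the trust anchor itself stays stable.
make_root_ca() {            # $1 = file base name, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -subj "/O=$ORG/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# EAP server cert signed by the given CA. A multi-year lifetime keeps roll-overs rare;
# the serverAuth EKU is what supplicants expect on an EAP server certificate.
issue_eap_cert() {          # $1 = file base, $2 = CA base, $3 = CN, $4 = SAN list, $5 = days
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/O=$ORG/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$5" -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

cert_cn() {                 # subject CN of a PEM certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

first_san() {               # first entry of the subjectAltName extension
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//; s/,.*//'
}

# Returns 0 when a supplicant provisioned with root CA $1 that already accepted
# old cert $2 would accept new cert $3 silently: $3 chains to the pinned root,
# and CN and first SAN are unchanged. Prints the reason otherwise.
renewal_is_transparent() {  # $1 = pinned root CA, $2 = old cert, $3 = new cert
  local verdict
  verdict="$(openssl verify -CAfile "$1" "$3" 2>/dev/null || true)"
  case "$verdict" in
    *": OK") ;;
    *) echo "REJECT: $3 does not chain to the pinned root CA"; return 1 ;;
  esac
  [ "$(cert_cn "$2")" = "$(cert_cn "$3")" ] ||
    { echo "REJECT: CN changed ($(cert_cn "$2") -> $(cert_cn "$3"))"; return 1; }
  [ "$(first_san "$2")" = "$(first_san "$3")" ] ||
    { echo "REJECT: first SAN changed"; return 1; }
  echo "OK: renewal is transparent for provisioned supplicants"
}

# --- demo ---------------------------------------------------------------------
make_root_ca private_root "Example Corp Private Root CA"
issue_eap_cert eap_2021 private_root "$EAP_CN" "$EAP_SAN" 1825   # original 5-year cert
issue_eap_cert eap_2026 private_root "$EAP_CN" "$EAP_SAN" 1825   # renewal: same root, CN, SAN
renewal_is_transparent "$WORK/private_root.crt" "$WORK/eap_2021.crt" "$WORK/eap_2026.crt"

# Two renewals that DO prompt: a cert from another CA (stand-in for a public CA)
# and a renewal under a different server name.
make_root_ca other_ca "Some Public CA"
issue_eap_cert eap_public other_ca "$EAP_CN" "$EAP_SAN" 397
renewal_is_transparent "$WORK/private_root.crt" "$WORK/eap_2021.crt" "$WORK/eap_public.crt" || true
issue_eap_cert eap_renamed private_root "radius-new.example.com" "DNS:radius-new.example.com" 1825
renewal_is_transparent "$WORK/private_root.crt" "$WORK/eap_2021.crt" "$WORK/eap_renamed.crt" || true
```

The same three checks can be pointed at an exported PEM of the certificate currently installed and at the new one before it is imported, which tells you ahead of time whether a renewal will stay silent on correctly provisioned clients. Note that the script models the supplicant-side trust decision only; devices that were never provisioned with the RootCA and server name (users who clicked "accept" once) have nothing to compare against and will prompt on any new certificate.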
Original Message:
Sent: Dec 16, 2021 09:55 AM
From: Bill Harris
Subject: RADIUS cert renewal issues in ClearPass
We are running 6.8.9.12 and we run into this issue every time we renew the RADIUS cert. We generate a CSR using all the same CN, OU, O, ST and so on. We import the cert, click the EAP in the trust store, and everything seems to update just fine, but iOS devices prompt our customers to accept the new cert; Android and Windows seem not to be affected by this renewal. My question is: how can we renew these certs without prompting our customers to accept the new, updated cert? We do not use onboarding with our CP.
------------------------------
Bill Harris
------------------------------