Hello All, Currently we use a self-signed certificate for the RADIUS server certificate in CPPM (6.3.22) and things work fine. But I noticed the CN of the certificate doesn't match the server name and there is no SAN either; the threads here say that either the CN or the SAN has to match the server name.
Is this supposed to work even without a matching CN/SAN?
For 802.1X authentication, the name does not have to match (although some like it to). For HTTPS, it should match. Please review the Certificates 101 for CPPM technote for more details on your options (attached).
Thanks for the clarification, Chris.
Also keep in mind that using a self-signed RADIUS certificate can expose credentials unless the cert is directly loaded onto all clients.
Hi Tim, Could you please briefly explain how a self-signed CA can expose credentials, or point to any existing link?
We do push the certs through Windows GPO.
If you are using Group Policy to configure the supplicant correctly (install cert, verify cert, verify common name, etc.), then you have nothing to worry about.
BYOD devices will not have the CA for your cert since it is self-signed, and many will choose to connect and NOT verify the server certificate, which means you are opening your network up to man-in-the-middle attacks where credentials can be compromised.
Here's a great write-up:
Thanks for the clarification, Tim.
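Added example, not part of the thread and not Aruba's code: a Python check over the PEAP section of an exported Windows WLAN profile that reports which of the supplicant settings named above (installed cert, certificate verification, server name) are missing. The element names are an assumption about the Windows profile export format, and the profile values (server name, thumbprint) are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed PEAP fragment; element names assume the Windows WLAN profile export format.
TEMPLATE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>
    <TrustedRootCA>{root}</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
  </PeapExtensions>
</EapType>"""
# Constructed values: placeholder thumbprint and server name, not from the thread.
HARDENED = TEMPLATE.format(noprompt="true", names="radius.example.com",
                           root="00 11 22 33", validate="true")
WEAK = TEMPLATE.format(noprompt="false", names="", root="", validate="false")


def _text(root, name):
    """Stripped text of the first element with this local name, or None if absent."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:   # ignore the XML namespace
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return a list of findings; an empty list means no gap was found."""
    root = ET.fromstring(xml_text)
    if _text(root, "ServerValidation") is None:
        return ["no ServerValidation block found in the profile"]
    findings = []
    if (_text(root, "PerformServerValidation") or "").lower() == "false":
        findings.append("certificate validation is switched off")
    if not _text(root, "TrustedRootCA"):
        findings.append("no trusted certificate pinned for the RADIUS server")
    if not _text(root, "ServerNames"):
        findings.append("no server name set: any name under a trusted root is accepted")
    if (_text(root, "DisableUserPromptForServerValidation") or "").lower() != "true":
        findings.append("user may be prompted to accept an unknown server certificate")
    return findings


if __name__ == "__main__":
    for label, profile in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_profile(profile) or "OK")
```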