Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

RADIUS server certificate

  • 1.  RADIUS server certificate

    Posted Sep 05, 2014 10:47 AM

    Hello All, Currently we use a self-signed certificate for the RADIUS server certificate in CPPM (6.3.22) and things work fine. But I noticed the CN of the certificate doesn't match the server name and there is no SAN either, while the threads here say that either the CN or the SAN has to match the server name.


    Is this supposed to work even without a matching CN/SAN ?



  • 2.  RE: RADIUS server certificate
    Best Answer

    Posted Sep 05, 2014 11:00 AM

    For 802.1X authentication, the name does not have to match (although some like it to). For HTTPS, it should match. Please review the Certificates 101 for CPPM technote for more details on your options (attached).




  • 3.  RE: RADIUS server certificate

    Posted Sep 05, 2014 11:03 AM

    Thanks for the clarification, Chris.


    -Sundar



  • 4.  RE: RADIUS server certificate

    Posted Sep 05, 2014 11:21 AM

    Also keep in mind that using a self-signed RADIUS certificate can expose credentials unless the cert is directly loaded onto all clients.



  • 5.  RE: RADIUS server certificate

    Posted Sep 05, 2014 12:03 PM

    Hi Tim, Could you please explain briefly how a self-signed CA can expose credentials, or point to an existing link?


    We do push the certs through Windows GPO.


    Thanks.

    Sundar



  • 6.  RE: RADIUS server certificate

    Posted Sep 05, 2014 05:12 PM

    If you are using Group Policy to configure the supplicant correctly (install cert, verify cert, verify common name, etc.), then you have nothing to worry about.


    BYOD devices will not have the CA for your cert since it is self-signed, and many will choose to connect and NOT verify the server certificate, which means you are opening your network up to man-in-the-middle attacks where credentials can be compromised.


    Here's a great write-up:

    http://blog.depthsecurity.com/2010/11/when-8021xpeapeap-ttls-is-worse-than-no.html
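As an added example (not from this thread, and not ClearPass or Microsoft code), the following stdlib-only Python script audits the PEAP settings of a Windows supplicant profile for exactly the weaknesses described above: server validation switched off, no pinned issuing CA, no expected server name, and the user being allowed to click through an untrusted certificate. The two profile excerpts are constructed by hand to look like the PEAP `<EapType>` section of what `netsh wlan export profile` writes; the element and namespace names are from memory of such exports and should be checked against a real one, and `cppm.example.com` and the CA thumbprint are placeholders.

```python
"""Audit the PEAP section of exported Windows 802.1X profiles for settings that let a
rogue RADIUS server harvest MSCHAPv2 credentials.  Stdlib only.
The two XML samples below are constructed excerpts, not real exports."""
import xml.etree.ElementTree as ET

# Namespaces used in the PEAP part of a profile written by `netsh wlan export profile`
# (assumed from memory of such exports; verify against a real export).
NS = {
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
    "peap3": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV3",
}

# Constructed excerpt: what a BYOD user ends up with after unticking server validation.
WEAK_PROFILE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <FastReconnect>true</FastReconnect>
  <InnerEapOptional>false</InnerEapOptional>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
  </PeapExtensions>
</EapType>"""

# Constructed excerpt of a GPO-pushed profile: validate the certificate, pin the issuing
# CA (dummy thumbprint), name the RADIUS server, and never let the user click through.
HARDENED_PROFILE = """<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>cppm.example.com</ServerNames>
    <TrustedRootCA>ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01</TrustedRootCA>
  </ServerValidation>
  <FastReconnect>true</FastReconnect>
  <InnerEapOptional>false</InnerEapOptional>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</AcceptServerName>
    <PeapExtensionsV2 xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
      <AllowPromptingWhenServerCANotFound xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV3">false</AllowPromptingWhenServerCANotFound>
    </PeapExtensionsV2>
  </PeapExtensions>
</EapType>"""


def audit_peap(xml_text, expected_server=None):
    """Audit one PEAP <EapType> element.  Returns a list of findings; [] means hardened."""
    root = ET.fromstring(xml_text)
    findings = []

    def value(path):
        # Text of the element at a namespace-prefixed path, or None if absent.
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else None

    # 1. Validation switched off entirely: any server that speaks PEAP gets the credentials.
    if value("peap:PeapExtensions/peap2:PerformServerValidation") != "true":
        findings.append("server certificate is not validated (PerformServerValidation)")
    # 2. User prompt enabled: a rogue AP only needs the user to click "Connect".
    if value("peap:ServerValidation/peap:DisableUserPromptForServerValidation") != "true":
        findings.append("user can click through an untrusted certificate (DisableUserPromptForServerValidation)")
    # 3. No pinned issuer: any CA in the machine store (public CAs included) is accepted.
    if not value("peap:ServerValidation/peap:TrustedRootCA"):
        findings.append("no issuing CA pinned (TrustedRootCA)")
    # 4. No server name: any cert from a trusted CA passes, so the CN/SAN question matters here.
    raw_names = value("peap:ServerValidation/peap:ServerNames") or ""
    names = [n.strip() for n in raw_names.split(";") if n.strip()]
    if not names:
        findings.append("no expected server name (ServerNames)")
    elif expected_server and expected_server not in names:
        findings.append(f"ServerNames {names} does not include {expected_server!r}")
    # 5. Prompting when the CA is unknown reopens the click-through hole on newer Windows.
    if value("peap:PeapExtensions/peap2:PeapExtensionsV2/peap3:AllowPromptingWhenServerCANotFound") == "true":
        findings.append("user is prompted when the CA is unknown (AllowPromptingWhenServerCANotFound)")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap(profile, expected_server="cppm.example.com") or "OK")
```

Run it against the XML that `netsh wlan export profile` produces on a few managed and unmanaged machines; a profile that reports no findings is one where a rogue RADIUS server presenting an arbitrary certificate cannot complete the PEAP outer tunnel, which is the precondition for the credential capture in the linked write-up.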



  • 7.  RE: RADIUS server certificate

    Posted Sep 06, 2014 10:32 AM

    Thanks for the clarification, Tim.


    -Thanks

    Sundar