Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

two Radius Server Certificates

Jump to Best Answer
  • 1.  two Radius Server Certificates

    Posted Nov 08, 2019 07:04 AM

    Hi All,

     

    Customer want to use Machine Certificate & User Certificate for Authentication.

     

    Due to Policy , Customer want use Machine certificate from One CA (Eg:- CA-1) and User Certificate from Other CA.(Eg:- CA-2)

     

    So from ClearPass Point of View we need to have Radius Server Certifcate from  CA-1 for Machine authentication and Radius Server Certificate from CA-2 for User Authentication is my Understanding.

     

    Is this Feasible using 6.8.x ? 

     

     

    Thanks in advance

     

     



  • 2.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 07:22 AM
    No need to create a RADIUS server from each CA just need to import both CA in the trusted list



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 07:33 AM

    I agree we need to upload both CA certificates in Trust list.

     

    For EAP-TLS we need to upload Radius Server certificate by Submitting CSR from CPPM to each CA right?

     

     



  • 4.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 07:51 AM

    OK I understand Now. We can use Radius Server certificate from any CA as we use Server Certificate to Validate Radius Server.

     

    As both Machine & User Same Radius Server that is CPPM we can use Radius Server certificate from any CA to the needful.

     

    Both CA  certificates in Trust list of CPPM will validate both Machine & User certicate Presented by Client Device. 

     

    Hope my understanding is correct . Please correct me if my understanding is wrong.



  • 5.  RE: two Radius Server Certificates
    Best Answer

    Posted Nov 08, 2019 08:20 AM

    The client will send a certificate from 2 different CA's so that is why CPPM needs to add them in it's trust list.

     

    You can serve both requests from 1 service, just make different rules where you identify the certificate from each request.

     

    In both situation, the clients will be presented the same "server" certificate, installed in CPPM as a radius certificate. So the clients just needs to trust this 1 certifcate (chain).



  • 6.  RE: two Radius Server Certificates
    Best Answer

    Posted Nov 08, 2019 08:32 AM
    Yes correct .

    ClearPass validates the client cert using the CA from the trust

    The windows client validates any RADIUS cert if the RADIUS cert CA is the cert store

    So just need to make sure the RADIUS cert CA is in all your client cert store



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 7.  RE: two Radius Server Certificates

    Posted Nov 08, 2019 10:14 AM

    Thanks a lot :-)