Security

last person joined: 4 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Incorrect cert to client

  • 1.  Incorrect cert to client

    Posted Jan 23, 2020 01:01 PM

    We have a public Certificate and private certificate. 3

    My CPPM install cert is 

    Public Cert issue by CA. (HTTPS Server Cert)

    Private Cert issue by AD. (Radius Server Cert)

    My captive portal (Guest) use with Public Cert  but some user receive a private cert. 

    My problem is not occuring to all user.

    I don't sure what root cause of problem.I don't have idea to fix this.



  • 2.  RE: Incorrect cert to client

    Posted Jan 24, 2020 03:37 AM

    Do you mean that some users are receiving during captive portal operations the RADIUS certificate? That is very unlikely.

     

    Based on this information it is not really possible to help. To find the root cause you will need to find out which users under what circumstances receive exactly what certificate if they are doing what. Based on that info you can determine what device is presenting the certificate and if that is like it is designed or not.

     

    What certificate did you install on your switch/AP/controller? Could it be that users see that certificate?

     

    If you have screenshots of the certificate received with the URL they are trying to reach, that may help already.

     

    I'd suggest that you work with someone who can interactively troubleshoot with you, like your Aruba partner or Aruba support.



  • 3.  RE: Incorrect cert to client

    Posted Jan 24, 2020 05:31 AM

    Do you mean that some users are receiving during captive portal operations the RADIUS certificate? That is very unlikely.

     

    Yes some user of captiveportal receive RADIUS Certificate. but correct is the HTTPS Cert.

     

    Based on this information it is not really possible to help. To find the root cause you will need to find out which users under what circumstances receive exactly what certificate if they are doing what. Based on that info you can determine what device is presenting the certificate and if that is like it is designed or not.

     

    I sure for designed is using HTTPS Cert in CPPM. 

     

     

    What certificate did you install on your switch/AP/controller? Could it be that users see that certificate?

     

    Radius certificate (Issue from Windows Server) install in controller and CPPM.

    HTTPS ceritificate (Issue from CA) install in CPPM only at Certificate Store >  Server Certificate >  Type : HTTPS Server Certificate 

     



  • 4.  RE: Incorrect cert to client

    Posted Jan 24, 2020 05:55 AM

    Ok, you should have a public trusted certificate installed to your controller, not a private or RADIUS certificate.

     

    For Guest Captive Portal you need:

    - Public trusted HTTPS certificate on ClearPass (may be wildcard)

    - Public trusted HTTPS certificate on your controller/IAP configured for Captive portal (which may be a wildcard as well, in which case captiveportal-login.yourdomain will be the name to refer to; if you have a multi-SAN certificate, the first SAN will be used by the controller/IAP).

    - The ClearPass and controller certificate should be issued on different names. If you use a multi-SAN or wildcard the same certificate can be used as long as it is addressed on different FQDNs for the ClearPass and the controller.

     

    Fully separate from the guest use-case: For EAP authentication, you only need the EAP RADIUS certificate installed on ClearPass. In most cases having an internal/private CA certificate has the preference, and the same should be installed on all ClearPass servers that you have. Only reason to install an EAP certificate on a controller is when you use EAP Termination and that is deprecated as it is a corner-case feature that should be avoided in general.